upstream backend {
  server ${BACKEND_HOST}:9000;
}

server {
  set_real_ip_from  10.0.0.0/8;
  set_real_ip_from  172.16.0.0/12;
  set_real_ip_from  192.168.0.0/16;
  real_ip_header  X-Forwarded-For;
  listen 80;

  # Add headers to serve security related headers
  # Before enabling Strict-Transport-Security headers please read into this
  # topic first.
  #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
  #
  # WARNING: Only add the preload option once you read about
  # the consequences in https://hstspreload.org/. This option
  # will add the domain to a hardcoded list that is shipped
  # in all major browsers and getting removed from this list
  # could take several months.
  add_header Referrer-Policy "no-referrer" always;
  add_header X-Content-Type-Options "nosniff" always;
  add_header X-Download-Options "noopen" always;
  add_header X-Frame-Options "SAMEORIGIN" always;
  add_header X-Permitted-Cross-Domain-Policies "none" always;
  add_header X-Robots-Tag "none" always;
  add_header X-XSS-Protection "1; mode=block" always;

  root /usr/src/nextcloud;

  location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
  }

  location = /.well-known/carddav {
    return 301 https://$host/remote.php/dav;
  }
  location = /.well-known/caldav {
    return 301 https://$host/remote.php/dav;
  }

  client_max_body_size 100G;
  fastcgi_buffers 64 4K;

  gzip off; # handled at haproxy level

  location / {
      rewrite ^ /index.php;
  }

  location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
      deny all;
  }

  location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
      deny all;
  }

  location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
      fastcgi_split_path_info ^(.+\.php)(/.*)$;
      try_files $fastcgi_script_name =404;
      set $path_info $fastcgi_path_info;
      include fastcgi_params;
      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
      fastcgi_param PATH_INFO $path_info;
      fastcgi_param HTTPS on;
      #Avoid sending the security headers twice
      fastcgi_param modHeadersAvailable true;
      fastcgi_param front_controller_active true;
      fastcgi_pass backend;
      fastcgi_intercept_errors on;
      fastcgi_request_buffering off;
  }

  location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
      try_files $uri/ =404;
      index index.php;
  }

  # Adding the cache control header for js and css files
  # Make sure it is BELOW the PHP block
  location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
      try_files $uri /index.php$request_uri;
      add_header Cache-Control "public, max-age=15778463";
      # Add headers to serve security related headers (It is intended to
      # have those duplicated to the ones above)
      # Before enabling Strict-Transport-Security headers please read into
      # this topic first.
      # add_header Strict-Transport-Security "max-age=15768000;
      #  includeSubDomains; preload;";
      add_header X-Content-Type-Options nosniff;
      add_header X-Frame-Options "SAMEORIGIN";
      add_header X-XSS-Protection "1; mode=block";
      add_header X-Robots-Tag none;
      add_header X-Download-Options noopen;
      add_header X-Permitted-Cross-Domain-Policies none;
      add_header Referrer-Policy no-referrer;
      # Optional: Don't log access to assets
      access_log off;
  }

  location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
      try_files $uri /index.php$request_uri;
      # Optional: Don't log access to other assets
      access_log off;
  }
}