Diffstat (limited to 'playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.cloud')
-rw-r--r-- | playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.cloud | 137 |
1 files changed, 137 insertions, 0 deletions
diff --git a/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.cloud b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.cloud
new file mode 100644
index 0000000..c4a86cb
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.cloud
@@ -0,0 +1,137 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name cloud.tyil.nl;
+
+ error_log /var/log/nginx/cloud-error.log;
+ access_log /var/log/nginx/cloud-access.log;
+
+ ssl_certificate /etc/letsencrypt/live/cloud.tyil.nl/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/cloud.tyil.nl/privkey.pem;
+
+ include /etc/nginx/snippets.d/ssl.conf;
+ include /etc/nginx/snippets.d/certbot.conf;
+
+ # Set timeouts
+ fastcgi_read_timeout 300;
+ proxy_read_timeout 300;
+
+ # Set upload size
+ client_max_body_size 200M;
+ fastcgi_buffers 64 4K;
+
+ # Add (security) headers
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Robots-Tag none;
+ add_header X-Download-Options noopen;
+ add_header X-Permitted-Cross-Domain-Policies none;
+ add_header Referrer-Policy "no-referrer";
+ add_header X-Frame-Options "SAMEORIGIN";
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ # Remove headers
+ fastcgi_hide_header X-Powered-By;
+
+ # Enable gzip
+ gzip off;
+ gzip_vary on;
+ gzip_comp_level 4;
+ gzip_min_length 256;
+ gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+ gzip_types
+ application/atom+xml
+ application/javascript
+ application/json
+ application/ld+json
+ application/manifest+json
+ application/rss+xml
+ application/vnd.geo+json
+ application/vnd.ms-fontobject
+ application/x-font-ttf
+ application/x-web-app-manifest+json
+ application/xhtml+xml
+ application/xml
+ font/opentype
+ image/bmp
+ image/svg+xml
+ image/x-icon
+ text/cache-manifest
+ text/css
+ text/plain
+ text/vcard
+ text/vnd.rim.location.xloc
+ text/vtt
+ text/x-component
+ text/x-cross-domain-policy
+ ;
+
+ root /var/www/nl.tyil.cloud;
+
+ location / {
+ rewrite ^ /index.php?$request_uri;
+ }
+
+ location = /robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+ }
+
+ location ^~ /.well-known {
+ rewrite ^/\.well-known/host-meta.json /public.php?service=host-meta.json last;
+ rewrite ^/\.well-known/host-meta /public.php?service=host-meta last;
+ rewrite ^/\.well-known/webfinger /public.php?service=webfinger last;
+ rewrite ^/\.well-known/nodeinfo /public.php?service=nodeinfo last;
+
+ location = /.well-known/carddav { return 301 /remote.php/dav/; }
+ location = /.well-known/caldav { return 301 /remote.php/dav/; }
+
+ #location ^~ /.well-known { return 301 /index.php$uri; }
+
+ try_files $uri $uri/ =404;
+ }
+
+ location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
+ deny all;
+ }
+
+ location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
+ deny all;
+ }
+
+ location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
+ fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+ include snippets.d/fcgi.conf;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ fastcgi_param HTTPS on;
+ fastcgi_param modHeadersAvailable true;
+ fastcgi_param front_controller_active true;
+ fastcgi_pass localhost:9000;
+ fastcgi_intercept_errors on;
+ fastcgi_request_buffering off;
+ }
+
+ location ~ ^/(?:updater|ocs-provider)(?:$|/) {
+ try_files $uri/ =404;
+ index index.php;
+ }
+
+ location ~ \.(?:css|js|woff|svg|gif)$ {
+ try_files $uri /index.php$request_uri;
+ add_header Cache-Control "public, max-age=15778463";
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Robots-Tag none;
+ add_header X-Download-Options noopen;
+ add_header X-Permitted-Cross-Domain-Policies none;
+ access_log off;
+ }
+
+ location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
+ try_files $uri /index.php$request_uri;
+ access_log off;
+ }
+} |