Von Lars, 1 Woche vorher, geschrieben in Bash.
[paste_expire] 2 Wochen.
Einbetten
  1. upstream php-handler {
  2.     #server 127.0.0.1:9000;
  3.     server unix:/var/run/php/php7.3-fpm.sock;
  4. }
  5.  
  6. server {
  7.     listen 80;
  8.     listen [::]:80;
  9.     server_name cloud.domain.tld;
  10.     # enforce https
  11.     return 301 https://$server_name$request_uri;
  12. }
  13.  
  14. server {
  15.     listen 443 ssl http2;
  16.     listen [::]:443 ssl http2;
  17.     server_name cloud.domain.tld;
  18.  
  19.     # Use Mozilla's guidelines for SSL/TLS settings
  20.     # https://mozilla.github.io/server-side-tls/ssl-config-generator/
  21.     # NOTE: some settings below might be redundant
  22.     ssl_certificate /etc/letsencrypt/live/cloud.domain.tld/fullchain.pem;
  23.     ssl_certificate_key /etc/letsencrypt/live/cloud.domain.tld/privkey.pem;
  24.     ssl_trusted_certificate /etc/letsencrypt/live/cloud.domain.tld/chain.pem;
  25.  
  26.     # Add headers to serve security related headers
  27.     # Before enabling Strict-Transport-Security headers please read into this
  28.     # topic first.
  29.     add_header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload;" always;
  30.     #
  31.     # WARNING: Only add the preload option once you read about
  32.     # the consequences in https://hstspreload.org/. This option
  33.     # will add the domain to a hardcoded list that is shipped
  34.     # in all major browsers and getting removed from this list
  35.     # could take several months.
  36.     add_header Referrer-Policy "no-referrer" always;
  37.     add_header X-Content-Type-Options "nosniff" always;
  38.     add_header X-Download-Options "noopen" always;
  39.     add_header X-Frame-Options "SAMEORIGIN" always;
  40.     add_header X-Permitted-Cross-Domain-Policies "none" always;
  41.     add_header X-Robots-Tag "none" always;
  42.     add_header X-XSS-Protection "1; mode=block" always;
  43.  
  44.     # Remove X-Powered-By, which is an information leak
  45.     fastcgi_hide_header X-Powered-By;
  46.  
  47.     # Path to the root of your installation
  48.     root /var/www/nextcloud;
  49.  
  50.     location = /robots.txt {
  51.         allow all;
  52.         log_not_found off;
  53.         access_log off;
  54.     }
  55.  
  56.     # The following 2 rules are only needed for the user_webfinger app.
  57.     # Uncomment it if you're planning to use this app.
  58.     rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
  59.     rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
  60.  
  61.     # The following rule is only needed for the Social app.
  62.     # Uncomment it if you're planning to use this app.
  63.     rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
  64.  
  65.     location = /.well-known/carddav {
  66.       return 301 $scheme://$host:$server_port/remote.php/dav;
  67.     }
  68.     location = /.well-known/caldav {
  69.       return 301 $scheme://$host:$server_port/remote.php/dav;
  70.     }
  71.  
  72.     # set max upload size
  73.     client_max_body_size 10G;
  74.     fastcgi_buffers 64 4K;
  75.     proxy_max_temp_file_size 10000m;
  76.    
  77.     # Enable gzip but do not remove ETag headers
  78.     gzip on;
  79.     gzip_vary on;
  80.     gzip_comp_level 4;
  81.     gzip_min_length 256;
  82.     gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
  83.     gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
  84.  
  85.     # Uncomment if your server is build with the ngx_pagespeed module
  86.     # This module is currently not supported.
  87.     #pagespeed off;
  88.  
  89.     location / {
  90.         rewrite ^ /index.php;
  91.     }
  92.  
  93.     location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
  94.         deny all;
  95.     }
  96.     location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
  97.         deny all;
  98.     }
  99.  
  100.     location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
  101.         fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
  102.         set $path_info $fastcgi_path_info;
  103.         try_files $fastcgi_script_name =404;
  104.         include fastcgi_params;
  105.         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
  106.         fastcgi_param PATH_INFO $path_info;
  107.         fastcgi_param HTTPS on;
  108.         # Avoid sending the security headers twice
  109.         fastcgi_param modHeadersAvailable true;
  110.         # Enable pretty urls
  111.         fastcgi_param front_controller_active true;
  112.         fastcgi_pass php-handler;
  113.         fastcgi_intercept_errors on;
  114.         fastcgi_request_buffering off;
  115.         #fastcgi_param PHP_ADMIN_VALUE   "open_basedir=/var/www/:/usr/lib/php/:/tmp/:/var/www/:/home/nextcloud-pro/:/home/video/:/home/musik:/proc/meminfo:/usr/bin/clamscan:/home/ftpdrucker/:/usr/share/phpmyadmin/:/etc/phpmyadmin/:/var/log/paste.log:/var/uploadtmp/";
  116.     }
  117.  
  118.     location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
  119.         try_files $uri/ =404;
  120.         index index.php;
  121.     }
  122.  
  123.     # Adding the cache control header for js, css and map files
  124.     # Make sure it is BELOW the PHP block
  125.     location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
  126.         try_files $uri /index.php$request_uri;
  127.         add_header Cache-Control "public, max-age=15778463";
  128.         # Add headers to serve security related headers (It is intended to
  129.         # have those duplicated to the ones above)
  130.         # Before enabling Strict-Transport-Security headers please read into
  131.         # this topic first.
  132.         #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
  133.         #
  134.         # WARNING: Only add the preload option once you read about
  135.         # the consequences in https://hstspreload.org/. This option
  136.         # will add the domain to a hardcoded list that is shipped
  137.         # in all major browsers and getting removed from this list
  138.         # could take several months.
  139.         add_header Referrer-Policy "no-referrer" always;
  140.         add_header X-Content-Type-Options "nosniff" always;
  141.         add_header X-Download-Options "noopen" always;
  142.         add_header X-Frame-Options "SAMEORIGIN" always;
  143.         add_header X-Permitted-Cross-Domain-Policies "none" always;
  144.         add_header X-Robots-Tag "none" always;
  145.         add_header X-XSS-Protection "1; mode=block" always;
  146.  
  147.         # Optional: Don't log access to assets
  148.         access_log off;
  149.     }
  150.  
  151.     location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
  152.         try_files $uri /index.php$request_uri;
  153.         # Optional: Don't log access to other assets
  154.         access_log off;
  155.     }
  156. }
captcha