Nextcloud on FreeBSD 10.3

Help me install Nextcloud, please. All install correct, but first start say what no right on BD. If Nextcloud create admin user - not work WebDAV, and not load some content. This host - backend becouse HTTPS is off.

VirtualBox (5.1.2 r108956): https://yadi.sk/d/DCfuAcI6xRzau

SSH (192.168.1.12 - DHCP): root | 12345678

My algorithm:

pkg install nano

-------

pkg install nginx
echo 'nginx_enable="YES"' >> /etc/rc.conf
service nginx start

mkdir -p /var/nginx/{client_body_temp,proxy_temp} && chown -R www:www /var/nginx/
mkdir /usr/local/etc/nginx/conf.d

nano /usr/local/etc/nginx/nginx.conf
load_module /usr/local/libexec/nginx/ngx_mail_module.so;
load_module /usr/local/libexec/nginx/ngx_stream_module.so;

user www;
worker_processes auto;

pid /var/run/nginx.pid;

events {
  use kqueue;
  worker_connections 1024;
  multi_accept on;
}
http {

  # Basic settings
  # ----------

  sendfile on;
  tcp_nopush on;
  tcp_nodelay on;
  reset_timedout_connection on;
  keepalive_timeout 65;
  keepalive_requests 1000;
  types_hash_max_size 2048;
  server_tokens off;
  send_timeout 30;
  server_names_hash_max_size 4096;

  # Common limits
  # ----------

  client_max_body_size 100m; # upload size
  client_body_buffer_size 1m;
  client_header_timeout 3m;
  client_body_timeout 3m;

  client_body_temp_path /var/nginx/client_body_temp;

  proxy_connect_timeout 5;
  proxy_send_timeout 10;
  proxy_read_timeout 10;

  proxy_buffer_size 4k;
  proxy_buffers 8 16k;
  proxy_busy_buffers_size 64k;
  proxy_temp_file_write_size 64k;

  proxy_temp_path /var/nginx/proxy_temp;

  include mime.types;
  default_type application/octet-stream;

  # Logs format
  # ----------

  log_format main '$remote_addr - $host [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"'
                  'rt=$request_time ut=$upstream_response_time '
                  'cs=$upstream_cache_status';

  log_format cache '$remote_addr - $host [$time_local] "$request" $status '
                   '$body_bytes_sent "$http_referer" '
                   'rt=$request_time ut=$upstream_response_time '
                   'cs=$upstream_cache_status';

  access_log /var/log/nginx/access.log main;
  error_log /var/log/nginx/error.log warn;

  # GZip config
  # ----------

  gzip on;
  gzip_static on;
  gzip_types text/plain text/css text/javascript text/xml application/x-javascript application/javascript application/xml application/json image/x-icon;
  gzip_comp_level 9;
  gzip_buffers 16 8k;
  gzip_proxied expired no-cache no-store private auth;
  gzip_min_length 1000;
  gzip_disable "msie6"
  gzip_vary on;

  # Cache config
  # ----------

  proxy_cache_valid 1m;

  # Virtual host config
  # ----------

  include /usr/local/etc/nginx/conf.d/*.conf;
}

-------

nano /usr/local/etc/nginx/conf.d/nextcloud.conf
server {
  listen 80;
  charset utf-8;

  server_name _;

  access_log /var/log/nginx/nextcloud.access.log;
  error_log /var/log/nginx/nextcloud.error.log;

#  add_header Strict-Transport-Security 'max-age=631138519; includeSubDomains; preload' always;
#  add_header X-Content-Type-Options nosniff;
#  add_header X-Frame-Options SAMEORIGIN;
#  add_header X-XSS-Protection '1; mode=block';
#  add_header X-Robots-Tag none;
#  add_header X-Download-Options noopen;
#  add_header X-Permitted-Cross-Domain-Policies none;
#  add_header X-Content-Security-Policy "allow 'self';";
#  add_header X-WebKit-CSP "allow 'self';";

  root /usr/local/www/;

  location = /robots.txt {
    deny all;
  }

  location / {
    deny all;
    return 404;
  }

  location ^~ /cloud {

    client_max_body_size 10G;
    fastcgi_buffers 64 4K;

    gzip off;

    error_page 403 /cloud/core/templates/403.php;
    error_page 404 /cloud/core/templates/404.php;

    location ~ ^/cloud/(data|config|\.ht|db_structure\.xml|README) {
      deny all;
    }

    location ~* \/cloud\/remote\/(?:.*)$ {
      rewrite ^ /cloud/remote.php last;
    }

    # logo
    location ~* \/cloud\/core\/(?:js\/oc\.js|preview\.png).*$ {
      rewrite ^ /cloud/index.php last;
    }

    # WEB download files
    location ~* \/cloud\/apps\/(?:files\/ajax\/upload\.php).*$ {
      rewrite ^ /cloud/index.php last;
    }

    # Theme Nextcloud
    location ~* \/cloud\/apps\/(?:theming\/styles\.css).*$ {
      rewrite ^ /cloud/index.php last;
    }

    location /cloud {
      rewrite ^/cloud/caldav(.*)$ /cloud/remote.php/caldav$1 redirect;
      rewrite ^/cloud/carddav(.*)$ /cloud/remote.php/carddav$1 redirect;
      rewrite ^/cloud/webdav(.*)$ /cloud/remote.php/webdav$1 redirect;

      rewrite ^(/cloud/core/doc/[^\/]+/)$ $1/index.html;

      if ($uri !~* (?:\.(?:css|js|svg|gif|png|html|ttf|woff)$|^\/cloud\/(?:remote|public|cron|status|ocs\/v1|ocs\/v2)\.php)){
        rewrite ^ /cloud/index.php last;
      }
    }

    location ~* ^(?!\/cloud\/remote\.php)(?:.*)\.(?:jpg|jpeg|gif|bmp|ico|png|css|js|swf|html|svg|ttf|woff)$ {
      expires 30d;
      access_log off;
    }

    location ~ \.php(?:$|/) {
      include fastcgi_params;
      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
      fastcgi_param PATH_INFO $fastcgi_path_info;
      fastcgi_pass unix:/var/run/php-fpm.sock;
      fastcgi_param HTTPS off;
      fastcgi_param modHeadersAvailable true;
      fastcgi_param front_controller_active true;
      fastcgi_intercept_errors on;
      fastcgi_request_buffering off;
    }
  }
}

-------

pkg install mariadb101-{server,client}
echo 'mysql_enable="YES"' >> /etc/rc.conf

ls -l /usr/local/share/mysql/my*.cnf
cp /usr/local/share/mysql/my-small.cnf /usr/local/etc/my.cnf

sed -i "" "s/max_allowed_packet = .*/max_allowed_packet = 32M/" /usr/local/etc/my.cnf

service mysql-server start && /usr/local/bin/mysql_secure_installation   // all yes

mysql -u root -p   // 12345678
CREATE DATABASE nextcloud CHARACTER SET utf8;
CREATE USER cloud@localhost IDENTIFIED BY '12345678';
GRANT ALL PRIVILEGES ON nextcloud.* TO cloud@localhost;
FLUSH PRIVILEGES;
QUIT;

service mysql-server restart

-------

cd /usr/local/www
pkg install ca_root_nss && fetch https://download.nextcloud.com/server/releases/nextcloud-10.0.1.zip
unzip nextcloud-10.0.1.zip
mv /usr/local/www/nextcloud/ /usr/local/www/cloud/
rm -f nextcloud-10.0.1.zip

mkdir /usr/local/www/cloud/data && chown -R www:www /usr/local/www/

-------

pkg install redis
echo 'redis_enable="YES"' >> /etc/rc.conf

sed -i "" "s/port 6379/port 0/" /usr/local/etc/redis.conf
sed -i "" "s/# unixsocket \/tmp\/redis.sock/unixsocket \/tmp\/redis.sock/" /usr/local/etc/redis.conf
sed -i "" "s/# unixsocketperm 700/unixsocketperm 777/" /usr/local/etc/redis.conf

service redis start
redis-cli -s /tmp/redis.sock   // проверка работы сокета

-------

pkg search php70
pkg install php70 mod_php70 php70-pdo_mysql php70-mysqli php70-redis php70-gd php70-curl php70-json php70-zip php70-dom php70-xmlwriter php70-xmlreader php70-xml php70-mbstring php70-ctype php70-zlib php70-simplexml php70-hash php70-fileinfo php70-posix php70-iconv php70-filter php70-openssl
echo 'php_fpm_enable="YES"' >> /etc/rc.conf

cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini && rehash

sed -i "" "s/memory_limit = .*/memory_limit = 512M/" /usr/local/etc/php.ini
sed -i "" "s/;date.timezone.*/date.timezone = UTC/" /usr/local/etc/php.ini
sed -i "" "s/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/" /usr/local/etc/php.ini
sed -i "" "s/upload_max_filesize = .*/upload_max_filesize = 10240M/" /usr/local/etc/php.ini
sed -i "" "s/post_max_size = .*/post_max_size = 10240M/" /usr/local/etc/php.ini

sed -i "" "s/listen = .*/listen = \/var\/run\/php-fpm.sock/" /usr/local/etc/php-fpm.d/www.conf
sed -i "" "s/;listen.owner = www/listen.owner = www/" /usr/local/etc/php-fpm.d/www.conf
sed -i "" "s/;listen.group = www/listen.group = www/" /usr/local/etc/php-fpm.d/www.conf
sed -i "" "s/;listen.mode = 0660/listen.mode = 0660/" /usr/local/etc/php-fpm.d/www.conf

nano /usr/local/etc/php-fpm.d/www.conf   // uncomment
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp

php-fpm -t
service php-fpm start

-------

nano /usr/local/www/cloud/config/config.php
<?php
$CONFIG = array(
  'trusted_domains' => array (
    0 => '192.168.1.*',
  ),
  'datadirectory' => '/usr/local/www/cloud/data',
  'dbtype' => 'mysql',
  'defaultapp' => 'files',
  'knowledgebaseenabled' => false,
  'enable_avatars' => false,
  'allow_user_to_change_display_name' => true,
  'remember_login_cookie_lifetime' => 60*60*24*15,
  'session_lifetime' => 60 * 60 * 24,
  'session_keepalive' => true,
  'token_auth_enforced' => false,
  'auth.bruteforce.protection.enabled' => true,
  'trashbin_retention_obligation' => 'auto, 30',
  'versions_retention_obligation' => 'auto',
  'updatechecker' => false,
  'check_for_working_webdav' => true,
  'check_for_working_htaccess' => false,
  'config_is_read_only' => false,
  'memcache.local' => '\OC\Memcache\Redis',
  'memcache.locking' => '\OC\Memcache\Redis',
  'memcache.distributed' => '\OC\Memcache\Redis',
  'redis' => array(
    'host' => '/tmp/redis.sock',
    'port' => 0,
    'timeout' => 0.0,
  ),
);

nano /usr/local/etc/php/ext-30-pdo_mysql.ini
[mysql]
mysql.allow_local_infile=On
mysql.allow_persistent=On
mysql.cache_size=2000
mysql.max_persistent=-1
mysql.max_links=-1
mysql.default_port=
mysql.default_socket=/tmp/mysql.sock
mysql.default_host=
mysql.default_user=
mysql.default_password=
mysql.connect_timeout=60
mysql.trace_mode=Off

-------

service nginx restart && service php-fpm restart

http://192.168.1.*/cloud

Aside from the paths, your config file should be similar to this example:
https://docs.nextcloud.com/server/10/admin_manual/installation/nginx_nextcloud_9x.html

(e.g. gzip is off!)

gzip is off in a file /usr/local/etc/nginx/conf.d/nextcloud.conf

Hi,

As a fellow FreeBSD admin, here are my suggestions for your nginx.conf, and nextcloud.conf files. Some of this is drawn directly from the configuration I use.

File: nginx.conf
1: You don’t need the mail_module, or stream module enabled.
2: Don’t use multi_accept with kqueue. See http://nginx.org/en/docs/ngx_core_module.html#multi_accept
3: Unless you’re running a large amount of sites, you don’t need to edit server_names_hash_max_size.
4: The Nginx configuration is for Nextcloud hosting. None of the proxy_* settings are necessary. You can safely delete them all.
5: You should have a default server entry here that catches any inbound traffic not designated to a separately defined server entry. Something like this should work,

# Default Server
server {
# General configuration
        listen 80 default_server accept_filter=httpready;
        server_name -;
        root /usr/local/www/nginx/;
        return 444;
        }

You can include that in your nginx.conf, or add it to a separate include file.

File: nextcloud.conf
1: The server_name for individual servers should be set to the domain name being hosted.
2: The location / does not need to be here. Nginx will default to 403, if there is nothing in the folder.
3: It’s better to run Nextcloud at the root of the hosted domain instead of a subfolder. The entire configuration should be adjusted to reflect this.

Here is a simple server example for your nextcloud.conf file.

server {
# General configuration
        server_name www.example.com;
        root /usr/local/www/example.com/public_html;      
           
# Logging
    access_log  /usr/local/www/example.com/logs/nginx-access.log  main;
    error_log  /usr/local/www/example.com/logs/nginx-error.log;

# Literal locations #

# Default location
location / {
        rewrite ^/remote/(.*) /remote.php last;
        rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
        }

# Regex locations #

# Caldav and Carddav rewrites
location ~ /.well-known/(cal|card)dav {
        return 301 $scheme://$host/remote.php/dav;
        }

# Deny access to the following folders
location ~ ^/(build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
        }

# Deny access to the following files
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
        }

# PHP location block #
location ~ [^/]\.php(/|$) {
        try_files $fastcgi_script_name =404;
        include /path/to/your/fastcgi_params;
        fastcgi_pass unix:/path/to/your/socket.socket; # This needs to match your PHP-FPM setting.
        }

# Cache css and javascript
location ~* \.(?:css|js)$ {
        add_header Cache-Control "public, max-age=7200";
        access_log off;
        }

# Do not log media files
location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$ {
        access_log off;
        }

# End Configuration
}

Since you are using FreeBSD, you might find this repository useful. https://devops.knthost.com/diffusion/NWH/repository/master/

1 Like

Make this nginx config, but browser load 404, and loging only in /var/log/nginx/nextcloud.access.log this line:

192.168.1.22 - - [25/Oct/2016:09:19:09 +0000] “GET / HTTP/1.1” 404 564 “-” “Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36”

/usr/local/etc/nginx/nginx.conf

user www;
worker_processes auto;

pid /var/run/nginx.pid;

events {
  use kqueue;
  worker_connections 1024;
}
http {

  # Basic settings
  # ----------

  sendfile on;
  tcp_nopush on;
  tcp_nodelay on;
  reset_timedout_connection on;
  keepalive_timeout 65;
  keepalive_requests 1000;
  types_hash_max_size 2048;
  server_tokens off;
  send_timeout 30;
  server_names_hash_max_size 4096;

  # Common limits
  # ----------

  client_body_buffer_size 1m;
  client_header_timeout 3m;
  client_body_timeout 3m;
  client_body_temp_path /var/nginx/client_body_temp;

  include mime.types;
  default_type application/octet-stream;

  # Logs format
  # ----------

  log_format main '$remote_addr - $host [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"'
                  'rt=$request_time ut=$upstream_response_time '
                  'cs=$upstream_cache_status';
    
  log_format cache '$remote_addr - $host [$time_local] "$request" $status '
                   '$body_bytes_sent "$http_referer" '
                   'rt=$request_time ut=$upstream_response_time '
                   'cs=$upstream_cache_status';

  access_log /var/log/nginx/access.log main;
  error_log /var/log/nginx/error.log warn;

  # Virtual host config
  # ----------

  include /usr/local/etc/nginx/conf.d/*.conf;
}

/usr/local/etc/nginx/conf.d/nextcloud.conf

server {
  listen 80 default_server;

  server_name _;

  access_log /var/log/nginx/nextcloud.access.log;
  error_log /var/log/nginx/nextcloud.error.log;

#  add_header Strict-Transport-Security 'max-age=631138519; includeSubDomains; preload' always;
#  add_header X-Content-Type-Options nosniff;
#  add_header X-Frame-Options SAMEORIGIN;
#  add_header X-XSS-Protection '1; mode=block';
#  add_header X-Robots-Tag none;
#  add_header X-Download-Options noopen;
#  add_header X-Permitted-Cross-Domain-Policies none;
#  add_header X-Content-Security-Policy "allow 'self';";
#  add_header X-WebKit-CSP "allow 'self';";

  index index.php

  root /usr/local/www/cloud/;

  client_max_body_size 10G;
  fastcgi_buffers 64 4K;

  gzip off;

  error_page 403 /core/templates/403.php;
  error_page 404 /core/templates/404.php;

  location = /robots.txt {
    deny all;
  }
 
  location ~ ^/(data|config|\.ht|db_structure\.xml|README) {
    deny all;
  }
 
  location ~* \/remote\/(?:.*)$ {
    rewrite ^ /remote.php last;
  }

  location ~* \/core\/(?:js\/oc\.js|preview\.png).*$ {
    rewrite ^ /index.php last;
  }

  location ~* \/apps\/(?:files\/ajax\/upload\.php).*$ {
    rewrite ^ /index.php last;
  }

  location ~* \/apps\/(?:theming\/styles\.css).*$ {
    rewrite ^ /index.php last;
  }

  location / {
    rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
    rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
    rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;

    rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
    rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
    rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;

    rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;

    if ($uri !~* (?:\.(?:css|js|svg|gif|png|html|ttf|woff)$|^\/(?:remote|public|cron|status|ocs\/v1|ocs\/v2)\.php|^\/\.well-known\/acme-challenge\/.*$)){
      rewrite ^ /index.php last;
    }
  }

  location ~* ^(?!\/remote\.php)(?:.*)\.(?:jpg|jpeg|gif|bmp|ico|png|css|js|swf|html|svg|ttf|woff)$ {
    expires 30d;
    access_log off;
  }

  location ~ \.php(?:$|/) {
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    try_files $fastcgi_script_name =404;
    set $path_info $fastcgi_path_info;
    fastcgi_param PATH_INFO $path_info;
    fastcgi_index index.php;

    include fastcgi_params;

#    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;    
    fastcgi_pass unix:/var/run/php-fpm.sock;
    fastcgi_param HTTPS off;
    fastcgi_param modHeadersAvailable true;
    fastcgi_param front_controller_active true;
    fastcgi_intercept_errors on;
    fastcgi_request_buffering off;
  }
}

If remove line try_files $fastcgi_script_name =404; from location ~ .php(?:$|/)
Log changed:

192.168.1.22 - - [25/Oct/2016:09:57:15 +0000] “GET / HTTP/1.1” 200 5 “-” “Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36”

Theme closed: answer ;

This is what I am using here, also FreeBSD:

upstream php-handler {
        server 127.0.0.1:9000;
        #server unix:/var/run/php-fpm.pid;
}

        fastcgi_cache_path /usr/local/tmp/cache levels=1:2 keys_zone=NEXTCLOUD:100m inactive=60m;
        fastcgi_cache_key $scheme$request_method$host$request_uri;
        map $request_uri $skip_cache {
                default 1;
                ~*/thumbnail.php 0;
                ~*/apps/galleryplus/ 0;
                ~*/apps/gallery/ 0;
        }

server {
        listen          80;
        listen          127.0.0.254:80 accept_filter=httpready;
        server_name     example.com;
        return 301      https://$server_name$request_uri;
}

server {
        listen                          443 ssl http2;
        listen                          127.0.0.254:443 ssl accept_filter=dataready;
        server_name                     example.com;

        ssl_certificate                 /usr/local/etc/ssl/nextcloud/cert.crt;
        ssl_certificate_key             /usr/local/etc/ssl/nextcloud/cert.key;

        ssl_dhparam                     /usr/local/etc/ssl/certs/dhparam.pem;
        ssl_ecdh_curve                  x25519:secp521r1:secp384r1;
        ssl_protocols                   TLSv1.2;
        ssl_session_cache               shared:SSL:10m;
        ssl_stapling                    on;
        ssl_stapling_verify             on;
        ssl_session_tickets             off;
        ssl_prefer_server_ciphers       on;
        ssl_ciphers                     EECDH+CHACHA20:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;

        add_header                      Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
        add_header                      X-Content-Type-Options nosniff;
        add_header                      X-Frame-Options "SAMEORIGIN";
        add_header                      X-XSS-Protection "1; mode=block";
        add_header                      X-Robots-Tag none;
        add_header                      X-Download-Options noopen;
        add_header                      X-Permitted-Cross-Domain-Policies none;

        root                            /usr/local/www/nextcloud;

                location ^~ /.well-known/acme-challenge/ {
                        proxy_redirect off;
                        default_type "text/plain";
                        root /usr/local/www/.well-known/acme-challenge;
                        allow all;
                }

                location = /robots.txt {
                        allow all;
                        log_not_found off;
                        access_log off;
                }

                location = /.well-known/carddav {
                        return 301 $scheme://$host/remote.php/dav;
                }

        client_max_body_size            512M;
        fastcgi_buffers                 64 4K;

        gzip                            off;
        #pagespeed                      off;

        error_page                      403 /core/templates/403.php;
        error_page                      404 /core/templates/404.php;

                location / {
                        rewrite ^ /index.php$uri;
                }

                location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
                        deny all;
                }

                location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
                        deny all;
                }

                location ~ \.php(?:$|/) {
                        include fastcgi_params;
                        fastcgi_split_path_info ^(.+\.php)(/.+)$;
                        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                        fastcgi_param PATH_INFO $fastcgi_path_info;
                        fastcgi_param HTTPS on;
                        fastcgi_param modHeadersAvailable true;
                        fastcgi_param front_controller_active true;
                        fastcgi_pass php-handler;
                        fastcgi_intercept_errors on;
                        fastcgi_request_buffering off;
                        fastcgi_read_timeout 300;
                        fastcgi_send_timeout 300;
                        fastcgi_connect_timeout 300;
                        fastcgi_cache_bypass $skip_cache;
                        fastcgi_no_cache $skip_cache;
                        fastcgi_cache NEXTCLOUD;
                        fastcgi_cache_valid  60m;
                        fastcgi_cache_methods GET HEAD;

                }

                location ~ ^/(?:updater|ocs-provider)(?:$|/) {
                        try_files $uri/ =404;
                        index index.php;
                }

                location ~* \.(?:css|js)$ {
                        try_files $uri /index.php$uri$is_args$args;
                        add_header Cache-Control "public, max-age=7200";
                        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
                        add_header X-Content-Type-Options nosniff;
                        add_header X-Frame-Options "SAMEORIGIN";
                        add_header X-XSS-Protection "1; mode=block";
                        add_header X-Robots-Tag none;
                        add_header X-Download-Options noopen;
                        add_header X-Permitted-Cross-Domain-Policies none;
                        access_log off;
                }

                location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
                        try_files $uri /index.php$uri$is_args$args;
                        access_log off;
                }

}

You may also want to take a look here, here, here, and here.

Cheers! :wine_glass:

EDIT:

1 - This configuration is for Nginx-1.11.x, for Nginx-1.10.x there is the need to make some changes;
2 - LibreSSL still does not support x25519;
2a - neither cipher list (x25519:secp521r1:secp384r1). You may want to use prime256v1 for maximum compatibility, or simple comment out ssl_ecdh_curve.