Nginx nextcloud.config for non-ssl environment

Heyho,

I am working on an automated Nextcloud installation script that depends on the web server and other environment parts. I am not too deep into Nginx, so I used the given example config from the admin manual: https://docs.nextcloud.com/server/12/admin_manual/installation/nginx.html#nextcloud-in-a-subdir-of-nginx

I just put the Nextcloud related part into a separate file, as python-certbot-nginx creates a good SSL vhost automatically, into which I just want to plug the Nextcloud related parts. But the given config is just for SSL, and I am not sure which parts are only valid for SSL connections and which could remain for pure non-SSL environments. Currently my config looks like this. It would be nice if someone could tell me which directives would need to be removed to work without SSL (HTTPS on and HSTS of course, but what about the X- security headers, e.g.?):

location ^~ /nextcloud {
	# set max upload size
	client_max_body_size $(( $(php -r 'print(PHP_INT_MAX);') / 1024 / 1024))M;
	fastcgi_buffers 64 4K;
	# Enable gzip but do not remove ETag headers
	gzip on;
	gzip_vary on;
	gzip_comp_level 4;
	gzip_min_length 256;
	gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
	gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
	# Uncomment if your server is built with the ngx_pagespeed module
	# This module is currently not supported.
	#pagespeed off;
	location /nextcloud {
		rewrite ^ /nextcloud/index.php\$request_uri;
	}
	location ~ ^/nextcloud/(?:build|tests|config|lib|3rdparty|templates|data)/ {
		deny all;
	}
	location ~ ^/nextcloud/(?:\.|autotest|occ|issue|indie|db_|console) {
		deny all;
	}
	location ~ ^/nextcloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
		include fastcgi_params;
		fastcgi_split_path_info ^(.+\.php)(/.+)$;
		fastcgi_param SCRIPT_FILENAME \$request_filename;
		fastcgi_param PATH_INFO \$fastcgi_path_info;
		fastcgi_param HTTPS on;
		# Avoid sending the security headers twice
		fastcgi_param modHeadersAvailable true;
		fastcgi_param REMOTE_USER \$remote_user;
		fastcgi_pass unix:/var/run/php5-fpm.sock;
		fastcgi_intercept_errors on;
		# Disabled because Jessie Nginx does not support that parameter
		#fastcgi_request_buffering off;
	}
	location ~ ^/nextcloud/(?:updater|ocs-provider)(?:$|/) {
		try_files \$uri/ =404;
		index index.php;
	}
	# Adding the cache control header for js and css files
	# Make sure it is BELOW the PHP block
	location ~ \.(?:css|js|woff|svg|gif)$ {
		try_files \$uri /nextcloud/index.php\$uri\$is_args\$args;
		add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
		add_header Cache-Control "public, max-age=15778463";
		add_header X-Content-Type-Options nosniff;
		add_header X-XSS-Protection "1; mode=block";
		add_header X-Robots-Tag none;
		add_header X-Download-Options noopen;
		add_header X-Permitted-Cross-Domain-Policies none;
		# Optional: Don't log access to assets
		access_log off;
	}
	location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
		# \$is_args must be escaped like the other variables, otherwise the shell expands it to nothing
		try_files \$uri /nextcloud/index.php\$uri\$is_args\$args;
		# Optional: Don't log access to other assets
		access_log off;
	}
	# Hard coding 128M OPCache size, only for /nextcloud, to suppress the warning in the Nextcloud admin panel.
	fastcgi_param PHP_ADMIN_VALUE "opcache.memory_consumption=128";
}
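As an added check (not code from the thread, from Nextcloud or from DietPi), the following Python script parses an nginx vhost and flags the two directives that presuppose TLS, the HSTS header and `fastcgi_param HTTPS on`, but only inside a server block that listens on plain HTTP; the X- security headers are left alone since they do not depend on the protocol. The sample config is constructed and the parser is a deliberately minimal one written for this check.

```python
import re

# Constructed sample (not the poster's file): plain-HTTP vhost carrying the two TLS-only directives from the post.
SAMPLE_CONF = r"""
server {
    listen 80;
    location ~ \.php(?:$|/) {
        fastcgi_param HTTPS on;      # makes PHP believe the request was HTTPS
    }
    location ~ \.(?:css|js)$ {
        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
        add_header X-Content-Type-Options nosniff;   # harmless on plain HTTP
    }
}
"""

def parse(text):
    """Minimal nginx parser: list of (name, args, children); children is None for simple directives."""
    tokens = re.findall(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+', re.sub(r"#[^\n]*", "", text))
    root, stack, cur = [], [], []
    for tok in tokens:
        target = stack[-1] if stack else root
        if tok == "{":                      # open a block: collected words are its header
            target.append((cur[0], cur[1:], []))
            stack.append(target[-1][2])
        elif tok == ";":                    # simple directive
            target.append((cur[0], cur[1:], None))
        elif tok == "}":
            stack.pop()
        else:
            cur.append(tok)
            continue
        cur = []
    return root

def tls_only_directives(text):
    """'context: directive' for HSTS and 'fastcgi_param HTTPS on' inside server blocks listening on plain HTTP only."""
    findings = []
    def walk(items, context):
        for name, args, children in items:
            if ((name == "add_header" and args[:1] == ["Strict-Transport-Security"])
                    or (name == "fastcgi_param" and args == ["HTTPS", "on"])):
                findings.append(f"{context}: {name} {' '.join(args[:2])}")
            elif children is not None:
                walk(children, f"{context} > {name} {' '.join(args)}")
    for name, args, children in parse(text):
        listens = [a for n, la, _ in (children or []) if n == "listen" for a in la]
        # 'listen 443 ssl;' and 'listen [::]:443 ssl http2;' count as TLS; 'listen 80;' does not
        if name == "server" and listens and not any(a == "ssl" or a.split(":")[-1] == "443" for a in listens):
            walk(children, "server")
    return findings
```

Run it over the OP's rendered file (after the shell has expanded the template) to get the list of lines that must go for the non-SSL variant; the same two directives are exactly the ones absent from the plain-HTTP config posted later in the thread.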

Other than the ones you mentioned:

So you run SSL through the reverse proxy? I wouldn’t consider offering any data up-/download solution without SSL.

Hehe no, I would always run everything only via SSL. But I am working on a better integration of the Nextcloud installation within the DietPi SBC images, and there the installation should work correctly and automated with every web server and database, with and without SSL.

Establishing SSL is offered there via automated noIP + certbot, which creates its own SSL config, at least for Apache and Nginx. So the nextcloud.conf should just provide its own directory-specific settings, pluggable and unpluggable.

Edit: Solved a long time ago :wink:, just for reference, if someone is interested: https://github.com/Fourdee/DietPi/blob/testing/dietpi/conf/nginx.sites-dietpi.nextcloud.config

The link is broken, can you help me with this conf file?

Vastly matches the one from Nextcloud docs.

Thank you, but I found it; maybe it works for someone. It worked on my server.
(Nginx conf file without SSL)
(/etc/nginx/sites-available/default)

upstream php-handler {
    server unix:/run/php/php7.2-fpm.sock; # Change to your PHP version
}

server {
    listen 80;
    server_name nextcloud.HOSTNAME;

    # Add headers to serve security related headers
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;

    # Path to the root of your installation
    root /var/www/html/nextcloud/; # Your Nextcloud directory

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment them if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

    location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
    }

    location ~ /.well-known/acme-challenge {
        allow all;
    }

    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;

    # Disable gzip to avoid the removal of the ETag header
    gzip off;

    # Uncomment if your server is built with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;

    error_page 403 /core/templates/403.php;
    error_page 404 /core/templates/404.php;

    location / {
        rewrite ^ /index.php$uri;
    }

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
        include fastcgi_params;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        # Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass unix:/run/php/php7.2-fpm.sock; # Change to your PHP version
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~* \.(?:css|js)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=7200";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
    }

    # The dot must be escaped, otherwise the pattern matches any character before the extension
    location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;
    }
}