Hello,
I installed Nextcloud on my FreeBSD box to run it on top of nginx. I have little to no experience with web servers so I did the configuration based on this, but I am getting security warnings on Nextcloud about things already on the config file:
Security & setup warnings
- The “Strict-Transport-Security” HTTP header is not configured to at least “15768000” seconds. For enhanced security we recommend enabling HSTS as described in our security tips.
- No memory cache has been configured. To enhance your performance please configure a memcache if available. Further information can be found in our documentation.
Please double check the installation guides , and check for any errors or warnings in the log.
I think it is related with the way it were organized inside the configuration file, but I do not know how it should be organized:
server {
listen 443 ssl;
server_name example.com;
keepalive_timeout 70;
ssl_certificate /usr/local/etc/nginx/ssl/cert.crt; ssl_certificate_key /usr/local/etc/nginx/ssl/cert.key; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers HIGH:!aNULL:!MD5;
root /usr/local/www/nextcloud; client_max_body_size 10G; fastcgi_buffers 64 4K;
gzip off;
# Uncomment if your server is build with the ngx_pagespeed module # This module is currently not supported. #pagespeed off;
rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect; rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect; rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;
index index.php; error_page 403 /core/templates/403.php; error_page 404 /core/templates/404.php;
location = /robots.txt { allow all; log_not_found off; access_log off; }
location ~ ^/(?:\.htaccess|data|config|db_structure\.xml|README){ deny all; }
location / { # The following 2 rules are only needed with webfinger rewrite ^/.well-known/host-meta /public.php?service=host-meta last; rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; rewrite ^/.well-known/carddav /remote.php/carddav/ redirect; rewrite ^/.well-known/caldav /remote.php/caldav/ redirect; rewrite ^(/core/doc/[^\/]+/)$ $1/index.html; try_files $uri $uri/ =404; }
location ~ \.php(?:$|/) { fastcgi_split_path_info ^(.+\.php)(/.+)$; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_param HTTPS on; fastcgi_pass php-handler; fastcgi_intercept_errors on; }
location ~* \.(?:css|js)$ { add_header Cache-Control "public, max-age=7200"; add_header Strict-Transport-Security "max-age=15768000; #includeSubDomains; preload;"; add_header X-Content-Type-Options nosniff; add_header X-Frame-Options "SAMEORIGIN"; add_header X-XSS-Protection "1; mode=block"; add_header X-Robots-Tag none; access_log off; }
# Optional: Don't log access to other assets location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$ { access_log off; }
}
Thanks!