[SOLVED]Nextcloud + nginx: warnings


I installed Nextcloud on my FreeBSD box to run it on top of nginx. I have little to no experience with web servers so I did the configuration based on this, but I am getting security warnings on Nextcloud about things already on the config file:

Security & setup warnings

  • The “Strict-Transport-Security” HTTP header is not configured to at least “15768000” seconds. For enhanced security we recommend enabling HSTS as described in our security tips.
  • No memory cache has been configured. To enhance your performance please configure a memcache if available. Further information can be found in our documentation.
    Please double check the installation guides :arrow_upper_right:, and check for any errors or warnings in the log.

I think it is related with the way it were organized inside the configuration file, but I do not know how it should be organized:

server {
listen 443 ssl;
server_name example.com;
keepalive_timeout 70;

    ssl_certificate         /usr/local/etc/nginx/ssl/cert.crt;
    ssl_certificate_key     /usr/local/etc/nginx/ssl/cert.key;
    ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers             HIGH:!aNULL:!MD5;
    root                    /usr/local/www/nextcloud;
    client_max_body_size    10G;
    fastcgi_buffers         64 4K;
    gzip                    off;
    # Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed              off;
    rewrite                 ^/caldav(.*)$ /remote.php/caldav$1 redirect;
    rewrite                 ^/carddav(.*)$ /remote.php/carddav$1 redirect;
    rewrite                 ^/webdav(.*)$ /remote.php/webdav$1 redirect;
    index                   index.php;
    error_page              403 /core/templates/403.php;
    error_page              404 /core/templates/404.php;
            location = /robots.txt {
                    allow all;
                    log_not_found off;
                    access_log off;
            location ~ ^/(?:\.htaccess|data|config|db_structure\.xml|README){
                    deny all;
            location / {
                    # The following 2 rules are only needed with webfinger
                    rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
                    rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
                    rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
                    rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;
                    rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
                    try_files $uri $uri/ =404;
            location ~ \.php(?:$|/) {
                    fastcgi_split_path_info ^(.+\.php)(/.+)$;
                    include fastcgi_params;
                    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                    fastcgi_param PATH_INFO $fastcgi_path_info;
                    fastcgi_param HTTPS on;
                    fastcgi_pass php-handler;
                    fastcgi_intercept_errors on;
            location ~* \.(?:css|js)$ {
                    add_header Cache-Control "public, max-age=7200";
                    add_header Strict-Transport-Security "max-age=15768000; #includeSubDomains; preload;";
                    add_header X-Content-Type-Options nosniff;
                    add_header X-Frame-Options "SAMEORIGIN";
                    add_header X-XSS-Protection "1; mode=block";
                    add_header X-Robots-Tag none;
                    access_log off;
            # Optional: Don't log access to other assets
            location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$ {
                    access_log off;



The missing memory cache is just a recommendation, you need to install and configure it:

The add_header for HSTS needs to be directly in the server-directive:

or compare to the example configuration from NC config:


I wasn’t found that configuration page.