digitaldemocratic/dd-apps/docker/nextcloud/nginx.conf

worker_processes auto;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    keepalive_timeout  65;

    set_real_ip_from  10.0.0.0/8;
    set_real_ip_from  172.16.0.0/12;
    set_real_ip_from  192.168.0.0/16;
    real_ip_header    X-Forwarded-For;
    upstream php-handler {
        server dd-apps-nextcloud-app:9000;
    }

    server {
        listen 80;
        add_header Referrer-Policy "no-referrer" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Download-Options "noopen" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Permitted-Cross-Domain-Policies "none" always;
        add_header X-Robots-Tag "none" always;
        add_header X-XSS-Protection "1; mode=block" always;
        fastcgi_hide_header X-Powered-By;
        root /var/www/html;

        location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
        }

        location = /.well-known/carddav {
            return 301 $scheme://$host/remote.php/dav;
        }

        location = /.well-known/caldav {
            return 301 $scheme://$host/remote.php/dav;
        }

        client_max_body_size 10G;
        fastcgi_buffers 64 4K;

        gzip on;
        gzip_vary on;
        gzip_comp_level 4;
        gzip_min_length 256;
        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
        gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

        location / {
            rewrite ^ /index.php;
        }

        location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
            deny all;
        }
        location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
            deny all;
        }

        location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
            fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
            set $path_info $fastcgi_path_info;
            try_files $fastcgi_script_name =404;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $path_info;
            fastcgi_param modHeadersAvailable true;
            fastcgi_param front_controller_active true;
            fastcgi_pass php-handler;
            fastcgi_intercept_errors on;
            fastcgi_request_buffering off;
            fastcgi_param SERVER_NAME $host;
        }

        location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
            try_files $uri/ =404;
            index index.php;
        }

        location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
            try_files $uri /index.php$request_uri;
            add_header Cache-Control "public, max-age=15778463";
            add_header Referrer-Policy "no-referrer" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-Download-Options "noopen" always;
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header X-Permitted-Cross-Domain-Policies "none" always;
            add_header X-Robots-Tag "none" always;
            add_header X-XSS-Protection "1; mode=block" always;
            access_log off;
        }

        location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$ {
            try_files $uri /index.php$request_uri;
            access_log off;
        }
    }
}
DD education workspace DD is the education workspace generated within the framework of Xnet's Democratic Digitalisation Plan. It has been created and powered by Xnet, families and promoting centres, IsardVDI, 3iPunt, MaadiX, eXO.cat, Evilham and funded by the Directorate for Democratic Innovation, the Barcelona City Council's Digital Innovation Commissioner, Social Economy Commissioner, in collaboration with the Barcelona Education Consortium, aFFaC and AirVPN. DD can be used freely as long as this footer is included and the AGPLv3 license (https://www.gnu.org/licenses/agpl-3.0.en.html) is respected. Trobareu meś informació en català a la documentació: [https://dd.digitalitzacio-democratica.xnet-x.net/docs/index.ca/](https://dd.digitalitzacio-democratica.xnet-x.net/docs/index.ca/). Más información en castellano en la documentación: [https://dd.digitalitzacio-democratica.xnet-x.net/docs/index.es/](https://dd.digitalitzacio-democratica.xnet-x.net/docs/index.es/). More info in English in the documentation: [https://dd.digitalitzacio-democratica.xnet-x.net/docs/](https://dd.digitalitzacio-democratica.xnet-x.net/docs/). We thank the help of Miriam Carles, Cristian Ruiz, Anna Francàs, Christopher Millard. 2022-07-10 12:15:47 +02:00			`worker_processes auto;`

			`error_log /var/log/nginx/error.log warn;`
			`pid /var/run/nginx.pid;`


			`events {`
			`worker_connections 1024;`
			`}`


			`http {`
			`include /etc/nginx/mime.types;`
			`default_type application/octet-stream;`

			`log_format main '$remote_addr - $remote_user [$time_local] "$request" '`
			`'$status $body_bytes_sent "$http_referer" '`
			`'"$http_user_agent" "$http_x_forwarded_for"';`

			`access_log /var/log/nginx/access.log main;`

			`sendfile on;`
			`keepalive_timeout 65;`

			`set_real_ip_from 10.0.0.0/8;`
			`set_real_ip_from 172.16.0.0/12;`
			`set_real_ip_from 192.168.0.0/16;`
[network] Fix handling of forwarded headers This fixes several issues where services would see the internal IP of the proxy and not that of the client. It works by first unsetting any proxy-related headers that arrive from the internet, then setting those as seen by HAProxy's entrypoint frontend. And finally making sure that neither WAF when enabled nor other HAProxy backends touch these headers, while they are actually used by the final services. Services affected: Netcloud, Keycloak, Moodle 2022-12-02 06:49:56 +01:00			`real_ip_header X-Forwarded-For;`
DD education workspace DD is the education workspace generated within the framework of Xnet's Democratic Digitalisation Plan. It has been created and powered by Xnet, families and promoting centres, IsardVDI, 3iPunt, MaadiX, eXO.cat, Evilham and funded by the Directorate for Democratic Innovation, the Barcelona City Council's Digital Innovation Commissioner, Social Economy Commissioner, in collaboration with the Barcelona Education Consortium, aFFaC and AirVPN. DD can be used freely as long as this footer is included and the AGPLv3 license (https://www.gnu.org/licenses/agpl-3.0.en.html) is respected. Trobareu meś informació en català a la documentació: [https://dd.digitalitzacio-democratica.xnet-x.net/docs/index.ca/](https://dd.digitalitzacio-democratica.xnet-x.net/docs/index.ca/). Más información en castellano en la documentación: [https://dd.digitalitzacio-democratica.xnet-x.net/docs/index.es/](https://dd.digitalitzacio-democratica.xnet-x.net/docs/index.es/). More info in English in the documentation: [https://dd.digitalitzacio-democratica.xnet-x.net/docs/](https://dd.digitalitzacio-democratica.xnet-x.net/docs/). We thank the help of Miriam Carles, Cristian Ruiz, Anna Francàs, Christopher Millard. 2022-07-10 12:15:47 +02:00			`upstream php-handler {`
			`server dd-apps-nextcloud-app:9000;`
			`}`

			`server {`
			`listen 80;`
			`add_header Referrer-Policy "no-referrer" always;`
			`add_header X-Content-Type-Options "nosniff" always;`
			`add_header X-Download-Options "noopen" always;`
			`add_header X-Frame-Options "SAMEORIGIN" always;`
			`add_header X-Permitted-Cross-Domain-Policies "none" always;`
			`add_header X-Robots-Tag "none" always;`
			`add_header X-XSS-Protection "1; mode=block" always;`
			`fastcgi_hide_header X-Powered-By;`
			`root /var/www/html;`

			`location = /robots.txt {`
			`allow all;`
			`log_not_found off;`
			`access_log off;`
			`}`

			`location = /.well-known/carddav {`
			`return 301 $scheme://$host/remote.php/dav;`
			`}`

			`location = /.well-known/caldav {`
			`return 301 $scheme://$host/remote.php/dav;`
			`}`

			`client_max_body_size 10G;`
			`fastcgi_buffers 64 4K;`

			`gzip on;`
			`gzip_vary on;`
			`gzip_comp_level 4;`
			`gzip_min_length 256;`
			`gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;`
			`gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;`

			`location / {`
			`rewrite ^ /index.php;`
			`}`

			`location ~ ^\/(?:build\|tests\|config\|lib\|3rdparty\|templates\|data)\/ {`
			`deny all;`
			`}`
			`location ~ ^\/(?:\.\|autotest\|occ\|issue\|indie\|db_\|console) {`
			`deny all;`
			`}`

			`location ~ ^\/(?:index\|remote\|public\|cron\|core\/ajax\/update\|status\|ocs\/v[12]\|updater\/.+\|oc[ms]-provider\/.+)\.php(?:$\|\/) {`
			`fastcgi_split_path_info ^(.+?\.php)(\/.*\|)$;`
			`set $path_info $fastcgi_path_info;`
			`try_files $fastcgi_script_name =404;`
			`include fastcgi_params;`
			`fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;`
			`fastcgi_param PATH_INFO $path_info;`
			`fastcgi_param modHeadersAvailable true;`
			`fastcgi_param front_controller_active true;`
			`fastcgi_pass php-handler;`
			`fastcgi_intercept_errors on;`
			`fastcgi_request_buffering off;`
			`fastcgi_param SERVER_NAME $host;`
			`}`

			`location ~ ^\/(?:updater\|oc[ms]-provider)(?:$\|\/) {`
			`try_files $uri/ =404;`
			`index index.php;`
			`}`

			`location ~ \.(?:css\|js\|woff2?\|svg\|gif\|map)$ {`
			`try_files $uri /index.php$request_uri;`
			`add_header Cache-Control "public, max-age=15778463";`
			`add_header Referrer-Policy "no-referrer" always;`
			`add_header X-Content-Type-Options "nosniff" always;`
			`add_header X-Download-Options "noopen" always;`
			`add_header X-Frame-Options "SAMEORIGIN" always;`
			`add_header X-Permitted-Cross-Domain-Policies "none" always;`
			`add_header X-Robots-Tag "none" always;`
			`add_header X-XSS-Protection "1; mode=block" always;`
			`access_log off;`
			`}`

			`location ~ \.(?:png\|html\|ttf\|ico\|jpg\|jpeg\|bcmap\|mp4\|webm)$ {`
			`try_files $uri /index.php$request_uri;`
			`access_log off;`
			`}`
			`}`
			`}`