From 00cb0fe1433934b3525c02f24c8abca0a15f28f1 Mon Sep 17 00:00:00 2001 From: rnsrk Date: Sun, 11 May 2025 22:09:46 +0200 Subject: [PATCH] better ngnix config for resolving files etc. --- README.md | 7 ++ nextcloud/reverse-proxy/nginx.conf | 146 ++++++++++++++++++----------- override/set-configs.sh | 12 ++- 3 files changed, 108 insertions(+), 57 deletions(-) diff --git a/README.md b/README.md index 15cce3b..f57b87a 100644 --- a/README.md +++ b/README.md @@ -30,6 +30,8 @@ At least 6 cores with 16GB RAM 100GB SSD would be sufficent. ## Install ### Prerequisites 1) Copy the env and docker-compose.override.yml to the service directories via the script. + +Add your specific settings in `set-config.sh`, then: ``` ./copy_overrides.bash ``` @@ -146,6 +148,11 @@ docker compose -f hedgedoc/docker-compose.yml up -d - Better reuse of gits for updating and maintainment. ## Changelog + +0.0.3 +- Fix the postgres-loose-it-all-volume mistake... + + Volume have to be `/var/lib/postgresql/data` not `/var/lib/postgresql/` or everthing will be deleted, if the container is rebuild. +- More robust Nextcloud config. 0.0.2 - Make things more agnostic by + use original gits diff --git a/nextcloud/reverse-proxy/nginx.conf b/nextcloud/reverse-proxy/nginx.conf index dc7e044..2f41670 100644 --- a/nextcloud/reverse-proxy/nginx.conf +++ b/nextcloud/reverse-proxy/nginx.conf @@ -1,5 +1,5 @@ user www-data; -worker_processes 1; +worker_processes auto; error_log /var/log/nginx/error.log warn; pid /var/run/nginx.pid; @@ -10,17 +10,17 @@ events { http { - upstream backend { + upstream php-handler { server nextcloud:9000; } - include /etc/nginx/mime.types; default_type application/octet-stream; - - # Add custom MIME type for .mjs files + + # Add custom MIME types types { - text/javascript mjs; + text/javascript mjs; + application/wasm wasm; } log_format main '$remote_addr - $remote_user [$time_local] "$request" ' @@ -30,10 +30,17 @@ http { access_log /var/log/nginx/access.log main; sendfile on; - #tcp_nopush on; + tcp_nopush on; + tcp_nodelay on; keepalive_timeout 65; + # Set the `immutable` cache control options only for assets with a cache busting `v` argument + map $arg_v $asset_immutable { + "" ""; + default ", immutable"; + } + map $http_host $this_host { "" $host; default $http_host; @@ -51,24 +58,33 @@ http { server { listen 80; - # The below allows for being behind a reverse proxy and allowing the Nextcloud app to connect + # The below allows for being behind a reverse proxy and allowing the Nextcloud app to connect server_tokens off; # Add headers to serve security related headers - add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Robots-Tag "noindex, nofollow"; - add_header X-Download-Options noopen; - add_header X-Permitted-Cross-Domain-Policies none; - add_header X-Frame-Options "SAMEORIGIN"; - add_header Referrer-Policy "no-referrer"; + add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header X-Robots-Tag "noindex, nofollow" always; + add_header X-Download-Options "noopen" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header Referrer-Policy "no-referrer" always; root /var/www/html; client_max_body_size 10G; # 0=unlimited - set max upload size fastcgi_buffers 64 4K; - gzip off; + # Enable gzip but do not remove ETag headers + gzip on; + gzip_vary on; + gzip_comp_level 4; + gzip_min_length 256; + gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; + gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; + + # The settings allows you to optimize the HTTP2 bandwidth + client_body_buffer_size 512k; index index.php; error_page 403 /core/templates/403.php; @@ -84,7 +100,7 @@ http { location = /.well-known/carddav { return 301 /remote.php/dav; } location = /.well-known/caldav { return 301 /remote.php/dav; } - + location /.well-known/acme-challenge { try_files $uri $uri/ =404; } location /.well-known/pki-validation { try_files $uri $uri/ =404; } @@ -99,6 +115,7 @@ http { access_log off; } + # Rules borrowed from `.htaccess` to hide certain paths from clients location ~ ^/(build|tests|config|lib|3rdparty|templates|data)/ { deny all; } @@ -110,69 +127,86 @@ http { location / { rewrite ^/remote/(.*) /remote.php last; rewrite ^(/core/doc/[^\/]+/)$ $1/index.html; - try_files $uri $uri/ =404; + try_files $uri $uri/ /index.php$request_uri; } - location ~* ^/ds-vpath/ { - rewrite /ds-vpath/(.*) /$1 break; - proxy_pass http://onlyoffice-documentserver; - proxy_redirect off; + location ~* ^/ds-vpath/ { + rewrite /ds-vpath/(.*) /$1 break; + proxy_pass http://onlyoffice-documentserver; + proxy_redirect off; - client_max_body_size 100m; + client_max_body_size 100m; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $the_host/ds-vpath; - proxy_set_header X-Forwarded-Proto https; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $the_host/ds-vpath; + proxy_set_header X-Forwarded-Proto $the_scheme; } + # Ensure this block, which passes PHP files to the PHP process, is above the blocks + # which handle static assets (as seen below). If this block is not declared first, + # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php` + # to the URI, resulting in a HTTP 500 error response. location ~ \.php(?:$|/) { + # Required for legacy support + rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + set $path_info $fastcgi_path_info; + + try_files $fastcgi_script_name =404; + include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_param PATH_INFO $path_info; + # Set HTTPS parameter for Nextcloud - should be on when behind Traefik with SSL fastcgi_param HTTPS on; - fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice - fastcgi_pass backend; + # Forward the scheme from Traefik + fastcgi_param HTTP_X_FORWARDED_PROTO $the_scheme; + + fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice + fastcgi_param front_controller_active true; # Enable pretty urls + fastcgi_pass php-handler; fastcgi_intercept_errors on; + fastcgi_request_buffering off; + fastcgi_max_temp_file_size 0; } - # Adding the cache control header for js and css files - # Make sure it is BELOW the location ~ \.php(?:$|/) { block - location ~* \.(?:css|js)$ { - add_header Cache-Control "public, max-age=7200"; - # Add headers to serve security related headers - add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; - add_header X-Content-Type-Options nosniff; - add_header X-Frame-Options "SAMEORIGIN"; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Robots-Tag "noindex, nofollow"; - add_header X-Download-Options noopen; - add_header X-Permitted-Cross-Domain-Policies none; - add_header Referrer-Policy "no-referrer"; - # Optional: Don't log access to assets + # Serve static files + location ~* \.(?:css|js|mjs|svg|gif|ico|jpg|png|webp|wasm|tflite|map|ogg|flac)$ { + try_files $uri /index.php$request_uri; + add_header Cache-Control "public, max-age=15778463$asset_immutable"; + # Include security headers + add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header X-Robots-Tag "noindex, nofollow" always; + add_header X-Download-Options "noopen" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header Referrer-Policy "no-referrer" always; access_log off; } - # Optional: Don't log access to other assets - location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$ { + location ~* \.(?:otf|woff2?)$ { + try_files $uri /index.php$request_uri; + expires 7d; access_log off; } - location ~ ^/(?:updater|ocs-provider)(?:$|/) { - try_files $uri/ =404; - index index.php; - } - # Add support for ocm-provider path handling location /ocm-provider { return 301 $scheme://$host/index.php/ocm-provider; } + # Rule borrowed from `.htaccess` + location /remote { + return 301 /remote.php$request_uri; + } } } diff --git a/override/set-configs.sh b/override/set-configs.sh index 7cb6f68..c97180e 100755 --- a/override/set-configs.sh +++ b/override/set-configs.sh @@ -15,8 +15,18 @@ php /var/www/html/occ --no-warnings config:system:set trusted_proxies 0 --value= php /var/www/html/occ --no-warnings config:system:set trusted_proxies 1 --value="192.168.0.0/16" php /var/www/html/occ --no-warnings config:system:set trusted_proxies 2 --value="10.0.0.0/8" -# Set trusted domains +# Set trusted domains. Add more domains as needed, i.e. for reverse proxy, etc. php /var/www/html/occ --no-warnings config:system:set trusted_domains 0 --value="localhost" +php /var/www/html/occ --no-warnings config:system:set trusted_domains 1 --value="my.domain.tld" +php /var/www/html/occ --no-warnings config:system:set trusted_domains 3 --value="nextcloud-reverse-proxy" +php /var/www/html/occ --no-warnings config:system:set trusted_domains 4 --value="onlyoffice-documentserver" +php /var/www/html/occ --no-warnings config:system:set trusted_domains 5 --value="nextcloud" # Set the default phone region php /var/www/html/occ --no-warnings config:system:set default_phone_region --value="DE" + +# Set maintenance time +php /var/www/html/occ --no-warnings config:system:set maintenance_window_start --type=integer --value=1 + +# Set the CLI URL +php /var/www/html/occ --no-warnings config:system:set overwrite.cli.url --value="https://my.domain.tld"