fixed onlyoffice connection problem

2025-05-10 15:07:35 +02:00 · 2025-05-10 15:07:35 +02:00 · 6917c6324c
commit 6917c6324c
parent 15174fabcd
6 changed files with 45 additions and 30 deletions
--- a/nextcloud/reverse-proxy/nginx.conf
+++ b/nextcloud/reverse-proxy/nginx.conf
@ -58,9 +58,11 @@ http {
        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
-        add_header X-Robots-Tag none;
+        add_header X-Robots-Tag "noindex, nofollow";
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
+        add_header X-Frame-Options "SAMEORIGIN";
+        add_header Referrer-Policy "no-referrer";

        root /var/www/html;
        client_max_body_size 10G; # 0=unlimited - set max upload size
@ -72,8 +74,24 @@ http {
        error_page 403 /core/templates/403.php;
        error_page 404 /core/templates/404.php;

-        rewrite ^/.well-known/carddav /remote.php/dav/ permanent;
-        rewrite ^/.well-known/caldav /remote.php/dav/ permanent;
+        # Make a regex exception for `/.well-known` so that clients can still
+        # access it despite the existence of the regex rule
+        # `location ~ /(\.|autotest|...)` which would otherwise handle requests
+        # for `/.well-known`.
+        location ^~ /.well-known {
+            # The rules in this block are an adaptation of the rules
+            # in `.htaccess` that concern `/.well-known`.
+
+            location = /.well-known/carddav { return 301 /remote.php/dav; }
+            location = /.well-known/caldav { return 301 /remote.php/dav; }
+        
+            location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
+            location /.well-known/pki-validation { try_files $uri $uri/ =404; }
+
+            # Let Nextcloud's API for `/.well-known` URIs handle all other
+            # requests by passing them to the front-end controller.
+            return 301 /index.php$request_uri;
+        }

        location = /robots.txt {
            allow all;
@ -133,9 +151,10 @@ http {
            add_header X-Content-Type-Options nosniff;
            add_header X-Frame-Options "SAMEORIGIN";
            add_header X-XSS-Protection "1; mode=block";
-            add_header X-Robots-Tag none;
+            add_header X-Robots-Tag "noindex, nofollow";
            add_header X-Download-Options noopen;
            add_header X-Permitted-Cross-Domain-Policies none;
+            add_header Referrer-Policy "no-referrer";
            # Optional: Don't log access to assets
            access_log off;
        }
@ -145,5 +164,15 @@ http {
            access_log off;
        }

+        location ~ ^/(?:updater|ocs-provider)(?:$|/) {
+            try_files $uri/ =404;
+            index index.php;
+        }
+
+        # Add support for ocm-provider path handling
+        location /ocm-provider {
+            return 301 $scheme://$host/index.php/ocm-provider;
+        }
+
    }
 }