Nextcloud-Docker/conf/nginx/nginx.conf

load_module modules/ngx_http_headers_more_filter_module.so;

user nginx;
worker_processes auto;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {

    include       mime.types;
    default_type  application/octet-stream;

    sendfile           on;
    tcp_nopush         on;
    tcp_nodelay        on;
    keepalive_timeout  65;
    server_tokens      off;

    log_format  main_timed  '$remote_addr - $remote_user [$time_local] "$request" '
                            '$status $body_bytes_sent "$http_referer" '
                            '"$http_user_agent" "$http_x_forwarded_for" '
                            '$request_time $upstream_response_time $pipe $upstream_cache_status';

    #access_log        off;
    #error_log         /dev/stderr;
    access_log         /dev/stdout main_timed;
    error_log          /dev/stderr;

    server {
        listen       [::]:80 default_server;
        listen       80 default_server;
        server_name  _;
        index        index.php;
        root         /var/www;

            # Add headers to serve security related headers
	    # Before enabling Strict-Transport-Security headers please read into this
	    # topic first.
	    # add_header Strict-Transport-Security "max-age=15768000;
	    # includeSubDomains; preload;";
	    add_header X-Content-Type-Options nosniff;
	    add_header X-Frame-Options "SAMEORIGIN";
	    add_header X-XSS-Protection "1; mode=block";
	    add_header X-Robots-Tag none;
	    add_header X-Download-Options noopen;
	    add_header X-Permitted-Cross-Domain-Policies none;

	    # Path to the root of your installation
	    root /var/www/nextcloud/;

	    location = /robots.txt {
		allow all;
		log_not_found off;
		access_log off;
	    }

	    # The following 2 rules are only needed for the user_webfinger app.
	    # Uncomment it if you're planning to use this app.
	    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
	    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
	    # last;

	    location = /.well-known/carddav {
	      return 301 $scheme://$host/remote.php/dav;
	    }
	    location = /.well-known/caldav {
	      return 301 $scheme://$host/remote.php/dav;
	    }

	    # set max upload size
	    client_max_body_size 10G;
	    fastcgi_buffers 64 4K;

	    # Disable gzip to avoid the removal of the ETag header
	    gzip off;

	    # Uncomment if your server is build with the ngx_pagespeed module
	    # This module is currently not supported.
	    #pagespeed off;

	    location / {
		rewrite ^ /index.php$uri;
	    }

	    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
		deny all;
	    }
	    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
		deny all;
	    }

	    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
		fastcgi_split_path_info ^(.+\.php)(/.*)$;
		include fastcgi_params;
		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
		fastcgi_param PATH_INFO $fastcgi_path_info;
		fastcgi_param HTTPS on;
		#Avoid sending the security headers twice
		fastcgi_param modHeadersAvailable true;
		fastcgi_param front_controller_active true;
		fastcgi_pass php-handler;
		fastcgi_intercept_errors on;
		fastcgi_request_buffering off;
	    }

	    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
		try_files $uri/ =404;
		index index.php;
	    }

	    # Adding the cache control header for js and css files
	    # Make sure it is BELOW the PHP block
	    location ~* \.(?:css|js|woff|svg|gif)$ {
		try_files $uri /index.php$uri$is_args$args;
		add_header Cache-Control "public, max-age=7200";
		# Add headers to serve security related headers (It is intended to
		# have those duplicated to the ones above)
		# Before enabling Strict-Transport-Security headers please read into
		# this topic first.
		# add_header Strict-Transport-Security "max-age=15768000;
		#  includeSubDomains; preload;";
		add_header X-Content-Type-Options nosniff;
		add_header X-Frame-Options "SAMEORIGIN";
		add_header X-XSS-Protection "1; mode=block";
		add_header X-Robots-Tag none;
		add_header X-Download-Options noopen;
		add_header X-Permitted-Cross-Domain-Policies none;
		# Optional: Don't log access to assets
		access_log off;
	    }

	    location ~* \.(?:png|html|ttf|ico|jpg|jpeg)$ {
		try_files $uri /index.php$uri$is_args$args;
		# Optional: Don't log access to other assets
		access_log off;
	    }
    }

    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    more_clear_headers 'X-Powered-By';
    more_clear_headers 'Server';
}