From 0ebfea4317f43bc4d4c4b607c54110801784cb09 Mon Sep 17 00:00:00 2001
From: Eric Nemchik <eric@nemchik.com>
Date: Sun, 21 Aug 2022 16:26:38 -0500
Subject: [PATCH] Update default.conf using nextcloud docs and allow http

---
 .../nginx/site-confs/default.conf.sample      | 81 +++++++++++--------
 1 file changed, 46 insertions(+), 35 deletions(-)

diff --git a/root/defaults/nginx/site-confs/default.conf.sample b/root/defaults/nginx/site-confs/default.conf.sample
index 4422e98..92db084 100644
--- a/root/defaults/nginx/site-confs/default.conf.sample
+++ b/root/defaults/nginx/site-confs/default.conf.sample
@@ -1,17 +1,15 @@
 ## Version 2022/08/20 - Changelog: https://github.com/linuxserver/docker-nextcloud/commits/master/root/defaults/nginx/site-confs/default.conf.sample
 
-# redirect all traffic to https
+# Set the `immutable` cache control options only for assets with a cache busting `v` argument
+map $arg_v $asset_immutable {
+    "" "";
+    default "immutable";
+}
+
 server {
     listen 80 default_server;
     listen [::]:80 default_server;
 
-    location / {
-        return 301 https://$host$request_uri;
-    }
-}
-
-# main server block
-server {
     listen 443 ssl http2;
     listen [::]:443 ssl http2;
 
@@ -19,19 +17,13 @@ server {
 
     root /config/www/nextcloud/;
 
-    # Specify how to handle directories -- specifying `/index.php$request_uri`
-    # here as the fallback means that Nginx always exhibits the desired behaviour
-    # when a client requests a path that corresponds to a directory that exists
-    # on the server. In particular, if that directory contains an index.php file,
-    # that file is correctly served; if it doesn't, then the request is passed to
-    # the front-end controller. This consistent behaviour means that we don't need
-    # to specify custom rules for certain paths (e.g. images and other assets,
-    # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
-    # `try_files $uri $uri/ /index.php$request_uri`
-    # always provides the desired behaviour.
-    index index.php index.html /index.php$request_uri;
+    # display real ip in nginx logs when connected through reverse proxy via docker network
+    set_real_ip_from 172.0.0.0/8;
+    real_ip_header X-Forwarded-For;
 
-    # set max upload size
+    # https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html#nextcloud-in-the-webroot-of-nginx
+
+    # set max upload size and increase upload timeout:
     client_max_body_size 512M;
     client_body_timeout 300s;
     fastcgi_buffers 64 4K;
@@ -44,21 +36,38 @@ server {
     gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
     gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
 
+    # Pagespeed is not supported by Nextcloud, so if your server is built
+    # with the `ngx_pagespeed` module, uncomment this line to disable it.
+    #pagespeed off;
+
+    # The settings allows you to optimize the HTTP2 bandwitdth.
+    # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
+    # for tunning hints
+    client_body_buffer_size 512k;
+
     # HTTP response headers borrowed from Nextcloud `.htaccess`
-    add_header Referrer-Policy "no-referrer" always;
-    add_header X-Content-Type-Options "nosniff" always;
-    add_header X-Download-Options "noopen" always;
-    add_header X-Frame-Options "SAMEORIGIN" always;
-    add_header X-Permitted-Cross-Domain-Policies "none" always;
-    add_header X-Robots-Tag "none" always;
-    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy                      "no-referrer"   always;
+    add_header X-Content-Type-Options               "nosniff"       always;
+    add_header X-Download-Options                   "noopen"        always;
+    add_header X-Frame-Options                      "SAMEORIGIN"    always;
+    add_header X-Permitted-Cross-Domain-Policies    "none"          always;
+    add_header X-Robots-Tag                         "none"          always;
+    add_header X-XSS-Protection                     "1; mode=block" always;
 
     # Remove X-Powered-By, which is an information leak
     fastcgi_hide_header X-Powered-By;
 
-    # display real ip in nginx logs when connected through reverse proxy via docker network
-    set_real_ip_from 172.0.0.0/8;
-    real_ip_header X-Forwarded-For;
+    # Specify how to handle directories -- specifying `/index.php$request_uri`
+    # here as the fallback means that Nginx always exhibits the desired behaviour
+    # when a client requests a path that corresponds to a directory that exists
+    # on the server. In particular, if that directory contains an index.php file,
+    # that file is correctly served; if it doesn't, then the request is passed to
+    # the front-end controller. This consistent behaviour means that we don't need
+    # to specify custom rules for certain paths (e.g. images and other assets,
+    # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
+    # `try_files $uri $uri/ /index.php$request_uri`
+    # always provides the desired behaviour.
+    index index.php index.html /index.php$request_uri;
 
     # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
     location = / {
@@ -114,8 +123,8 @@ server {
         fastcgi_param PATH_INFO $path_info;
         fastcgi_param HTTPS on;
 
-        fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
-        fastcgi_param front_controller_active true; # Enable pretty urls
+        fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
+        fastcgi_param front_controller_active true;     # Enable pretty urls
         fastcgi_pass 127.0.0.1:9000;
 
         fastcgi_intercept_errors on;
@@ -126,7 +135,7 @@ server {
 
     location ~ \.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite|map)$ {
         try_files $uri /index.php$request_uri;
-        expires 6M;         # Cache-Control policy borrowed from `.htaccess`
+        add_header Cache-Control "public, max-age=15778463, $asset_immutable";
         access_log off;     # Optional: Don't log access to assets
 
         location ~ \.wasm$ {
@@ -136,8 +145,8 @@ server {
 
     location ~ \.woff2?$ {
         try_files $uri /index.php$request_uri;
-        expires 7d; # Cache-Control policy borrowed from `.htaccess`
-        access_log off; # Optional: Don't log access to assets
+        expires 7d;         # Cache-Control policy borrowed from `.htaccess`
+        access_log off;     # Optional: Don't log access to assets
     }
 
     # Rule borrowed from `.htaccess`
@@ -149,6 +158,8 @@ server {
         # enable for basic auth
         #auth_basic "Restricted";
         #auth_basic_user_file /config/nginx/.htpasswd;
+
+        try_files $uri $uri/ /index.php$request_uri;
     }
 
     # deny access to .htaccess/.htpasswd files