├── CHANGELOG.md
├── Dockerfile
├── LICENSE
├── README.md
├── docker-entrypoint.sh
├── mariadb-backup.yaml
├── nextcloud.yaml
└── nginx.conf

/CHANGELOG.md:
--------------------------------------------------------------------------------
# Changelog
All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).

## [Unreleased]
### Changed
- Use only one PVC, leveraging the subPath feature

## [1.0.0] - 2017-08-29
### Added
- Initial release
--------------------------------------------------------------------------------

/Dockerfile:
--------------------------------------------------------------------------------
FROM nginx:alpine

VOLUME /var/www/html
COPY nginx.conf /etc/nginx/nginx.conf
RUN chown -R 1001:0 /var/cache/nginx && \
    chmod -R a+rwx /var/cache/nginx && \
    chmod -R ug+rwx /var/cache/nginx
--------------------------------------------------------------------------------

/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2017 Tobias Brunner

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# Nextcloud for OpenShift 3

This repository contains an OpenShift 3 template to easily deploy Nextcloud on OpenShift.
With this template it's possible to run your own Nextcloud instance, e.g. on [APPUiO](https://appuio.ch/).

## Installation

### 0 Create OpenShift project

Create an OpenShift project if one is not already provided by the service:

```
PROJECT=nextcloud
oc new-project $PROJECT
```

### 1 Deploy Database

```
oc -n openshift process mariadb-persistent -p MYSQL_DATABASE=nextcloud | oc -n $PROJECT create -f -
```

### 2 Deploy Nextcloud

```
oc process -f https://raw.githubusercontent.com/tobru/nextcloud-openshift/master/nextcloud.yaml -p NEXTCLOUD_HOST=nextcloud.example.com | oc -n $PROJECT create -f -
```

#### Template parameters

Execute the following command to get the available parameters:

```
oc process -f https://raw.githubusercontent.com/tobru/nextcloud-openshift/master/nextcloud.yaml --parameters
```

### 3 Configure Nextcloud

* Navigate to http://nextcloud.example.com
* Fill in the form and finish the installation. The DB credentials can be
  found in the secret `mariadb`. In the web console it can be found under
  `Resources -> Secrets -> mariadb -> Reveal Secret`

**Hints**

* You might want to enable TLS for your instance

## Backup

### Database

You can use the provided DB dump `CronJob` template:

```
oc process -f https://raw.githubusercontent.com/tobru/nextcloud-openshift/master/mariadb-backup.yaml | oc -n MYNAMESPACE create -f -
```

This job dumps the DB to the same PV on which the database stores its data.
You must make sure that you copy these files away to a real backup location.

### Files

To back up files, a simple solution would be to run e.g. [restic](http://restic.readthedocs.io/) in a Pod
as a `CronJob` and mount the PVCs as volumes. Then use an S3 endpoint for restic
to back up the data to.

## Notes

* Nextcloud's `cron.php` is called from a `CronJob` object every 15 minutes
* The Dockerfile just adds the `nginx.conf` to the Alpine Nginx container

To use the `occ` CLI, you can use `oc exec`:

```
oc get pods
oc exec NEXTCLOUDPOD -c nextcloud -ti php occ
```

## Ideas

* Use sclorg Nginx instead of Alpine Nginx for better OpenShift compatibility
* Autoconfigure Nextcloud using `autoconfig.php`
* Provide restic backup example

## Contributions

Very welcome!

1. Fork it (https://github.com/tobru/nextcloud-openshift/fork)
2. Create your feature branch (`git checkout -b my-new-feature`)
3. Commit your changes (`git commit -am 'Add some feature'`)
4. Push to the branch (`git push origin my-new-feature`)
5. Create a new Pull Request
--------------------------------------------------------------------------------

/docker-entrypoint.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#set -e
set -x

# version_greater A B returns whether A > B
function version_greater() {
    [[ "$(printf '%s\n' "$@" | sort -V | head -n 1)" != "$1" ]];
}

# return true if specified directory is empty
function directory_empty() {
    [ -n "$(find "$1"/ -prune -empty)" ]
}

function run_as() {
    if [[ $EUID -eq 0 ]]; then
        su - www-data -s /bin/bash -c "$1"
    else
        bash -c "$1"
    fi
}

installed_version="0.0.0~unknown"
if [ -f /var/www/html/version.php ]; then
    installed_version=$(php -r 'require "/var/www/html/version.php"; echo "$OC_VersionString";')
fi
image_version=$(php -r 'require "/usr/src/nextcloud/version.php"; echo "$OC_VersionString";')

if version_greater "$installed_version" "$image_version"; then
    echo "Can't start Nextcloud because the version of the data ($installed_version) is higher than the docker image version ($image_version) and downgrading is not supported. Are you sure you have pulled the newest image version?"
    exit 1
fi

if version_greater "$image_version" "$installed_version"; then
    if [ "$installed_version" != "0.0.0~unknown" ]; then
        run_as 'php /var/www/html/occ app:list' > /tmp/list_before
    fi
    if [[ $EUID -eq 0 ]]; then
        rsync_options=-a
    else
        rsync_options=-rlD
    fi
    rsync $rsync_options --delete --exclude /config/ --exclude /data/ --exclude /custom_apps/ --exclude /themes/ /usr/src/nextcloud/ /var/www/html/

    for dir in config data themes; do
        if [ ! -d /var/www/html/"$dir" ] || directory_empty /var/www/html/"$dir"; then
            cp -arT /usr/src/nextcloud/"$dir" /var/www/html/"$dir"
        fi
    done

    if [ ! -d /var/www/html/custom_apps ] && [ ! -f /var/www/html/config/apps.config.php ]; then
        cp -a /usr/src/nextcloud/config/apps.config.php /var/www/html/config/apps.config.php
    fi

    if [ ! -d /var/www/html/custom_apps ] || directory_empty /var/www/html/custom_apps; then
        cp -arT /usr/src/nextcloud/custom_apps /var/www/html/custom_apps
    fi

    if [ "$installed_version" != "0.0.0~unknown" ]; then
        run_as 'php /var/www/html/occ upgrade --no-app-disable'

        run_as 'php /var/www/html/occ app:list' > /tmp/list_after
        echo "The following apps have been disabled:"
        diff <(sed -n "/Enabled:/,/Disabled:/p" /tmp/list_before) <(sed -n "/Enabled:/,/Disabled:/p" /tmp/list_after) | grep '<' | cut -d- -f2 | cut -d: -f1
        rm -f /tmp/list_before /tmp/list_after
    fi
fi

exec "$@"
--------------------------------------------------------------------------------

/mariadb-backup.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Template
metadata:
  name: mariadb-backup
  annotations:
    description: "Template for MariaDB container backup job"
    tags: "database,mariadb,backup"
parameters:
- name: BACKUP_SCHEDULE
  description: "Cron-like schedule expression. Default: every hour at :39"
  value: "39 * * * *"
- name: BACKUP_KEEP
  description: "Number of backups to keep"
  value: "5"
objects:
- apiVersion: batch/v2alpha1
  kind: CronJob
  metadata:
    name: mariadb-backup
  spec:
    schedule: ${BACKUP_SCHEDULE}
    concurrencyPolicy: Forbid
    jobTemplate:
      spec:
        template:
          spec:
            volumes:
            - name: mariadb-data
              persistentVolumeClaim:
                claimName: mariadb
            containers:
            - name: mariadb-backup
              image: centos/mariadb-101-centos7
              command:
              - bash
              - -c
              - DATE=$(date +%Y%m%d-%H-%M-%S); ls -rdt1 /var/lib/mysql/data/dump-* |
                head -n -$BACKUP_KEEP | xargs rm; mysqldump --single-transaction -u$MYSQL_USER
                -p$MYSQL_PASSWORD -hmariadb nextcloud > /var/lib/mysql/data/dump-$DATE.sql;
                echo "Backup complete"; echo; echo "To restore, use:"; echo "~# mysql
                -u\$MYSQL_USER -p\$MYSQL_PASSWORD -hmariadb nextcloud < $DATE.sql";
                sleep 60
              env:
              - name: BACKUP_KEEP
                value: ${BACKUP_KEEP}
              - name: MYSQL_USER
                valueFrom:
                  secretKeyRef:
                    key: database-user
                    name: mariadb
              - name: MYSQL_PASSWORD
                valueFrom:
                  secretKeyRef:
                    key: database-password
                    name: mariadb
              - name: MYSQL_DATABASE
                value: nextcloud
              volumeMounts:
              - name: mariadb-data
                mountPath: /var/lib/mysql/data
            restartPolicy: Never
--------------------------------------------------------------------------------

/nextcloud.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Template
metadata:
  name: nextcloud
  annotations:
    description: "Nextcloud - A safe home for all your data"
    tags: "fileshare,nextcloud"
    iconClass: fa-cloud-upload
    template.openshift.io/provider-display-name: "tobrunet"
    template.openshift.io/documentation-url: "https://github.com/tobru/nextcloud-openshift/blob/master/README.md"
    template.openshift.io/support-url: "https://github.com/tobru/nextcloud-openshift/issues"
parameters:
- name: NEXTCLOUD_HOST
  description: Application URL of Nextcloud (Route/host)
  required: true
- name: NEXTCLOUD_IMAGE
  description: Image to deploy
  value: docker.io/nextcloud
- name: NEXTCLOUD_IMAGE_TAG
  description: Tag of the Nextcloud Docker Image to deploy
  value: 12-fpm
- name: NGINX_DOCKERFILE_REPO
  description: Nginx Dockerfile source repository
  value: https://github.com/tobru/nextcloud-openshift.git
- name: PVC_SIZE
  description: PVC size for Apps, Config and Data
  value: 5Gi
objects:
- apiVersion: v1
  kind: PersistentVolumeClaim
  metadata:
    name: nextcloud-data
  spec:
    accessModes:
    - ReadWriteMany
    resources:
      requests:
        storage: ${PVC_SIZE}
- apiVersion: v1
  kind: ImageStream
  metadata:
    labels:
      app: nextcloud
    name: nextcloud
  spec:
    tags:
    - annotations:
        openshift.io/imported-from: ${NEXTCLOUD_IMAGE}:${NEXTCLOUD_IMAGE_TAG}
      from:
        kind: DockerImage
        name: ${NEXTCLOUD_IMAGE}:${NEXTCLOUD_IMAGE_TAG}
      importPolicy:
        scheduled: true
      name: ${NEXTCLOUD_IMAGE_TAG}
      referencePolicy:
        type: Source
- apiVersion: v1
  kind: ImageStream
  metadata:
    labels:
      build: nginx
      app: nextcloud
    name: nginx
  spec:
    tags:
    - annotations: null
      from:
        kind: DockerImage
        name: nginx:latest
      generation: null
      importPolicy: {}
      name: latest
      referencePolicy:
        type: ""
- apiVersion: v1
  kind: BuildConfig
  metadata:
    creationTimestamp: null
    labels:
      build: nginx
      app: nextcloud
    name: nginx
  spec:
    nodeSelector: null
    output:
      to:
        kind: ImageStreamTag
        name: nginx:latest
    postCommit: {}
    resources: {}
    runPolicy: Serial
    source:
      git:
        uri: ${NGINX_DOCKERFILE_REPO}
      type: Git
    strategy:
      dockerStrategy:
        from:
          kind: DockerImage
          name: nginx:alpine
      type: Docker
    triggers:
    - type: ConfigChange
- apiVersion: v1
  kind: DeploymentConfig
  metadata:
    labels:
      app: nextcloud
    name: nextcloud
  spec:
    replicas: 1
    selector:
      app: nextcloud
      deploymentconfig: nextcloud
    strategy:
      activeDeadlineSeconds: 21600
      resources: {}
      rollingParams:
        intervalSeconds: 1
        maxSurge: 25%
        maxUnavailable: 25%
        timeoutSeconds: 600
        updatePeriodSeconds: 1
      type: Rolling
    template:
      metadata:
        labels:
          app: nextcloud
          deploymentconfig: nextcloud
      spec:
        containers:
        - env:
          - name: NC_dbhost
            value: mariadb
          - name: NC_dbuser
            valueFrom:
              secretKeyRef:
                key: database-user
                name: mariadb
          - name: NC_dbpassword
            valueFrom:
              secretKeyRef:
                key: database-password
                name: mariadb
          - name: NC_dbname
            value: nextcloud
          image: nextcloud
          imagePullPolicy: Always
          livenessProbe:
            failureThreshold: 3
            initialDelaySeconds: 1
            periodSeconds: 10
            successThreshold: 1
            tcpSocket:
              port: 9000
            timeoutSeconds: 5
          name: nextcloud
          ports:
          - containerPort: 9000
            protocol: TCP
          readinessProbe:
            failureThreshold: 3
            initialDelaySeconds: 1
            periodSeconds: 10
            successThreshold: 1
            tcpSocket:
              port: 9000
            timeoutSeconds: 5
          resources: {}
          terminationMessagePath: /dev/termination-log
          volumeMounts:
          - mountPath: /var/www/html
            name: nextcloud-source
          - mountPath: /var/www/html/data
            name: nextcloud-data
            subPath: data
          - mountPath: /var/www/html/config
            name: nextcloud-data
            subPath: config
          - mountPath: /var/www/html/custom_apps
            name: nextcloud-data
            subPath: apps
        - image: nginx
          imagePullPolicy: Always
          livenessProbe:
            failureThreshold: 3
            initialDelaySeconds: 1
            periodSeconds: 10
            successThreshold: 1
            tcpSocket:
              port: 8080
            timeoutSeconds: 1
          name: nginx
          ports:
          - containerPort: 8080
            protocol: TCP
          readinessProbe:
            failureThreshold: 3
            initialDelaySeconds: 1
            periodSeconds: 10
            successThreshold: 1
            tcpSocket:
              port: 8080
            timeoutSeconds: 1
          resources: {}
          terminationMessagePath: /dev/termination-log
          volumeMounts:
          - mountPath: /var/www/html
            name: nextcloud-source
          - mountPath: /var/www/html/data
            name: nextcloud-data
            subPath: data
          - mountPath: /var/www/html/config
            name: nextcloud-data
            subPath: config
          - mountPath: /var/www/html/custom_apps
            name: nextcloud-data
            subPath: apps
        dnsPolicy: ClusterFirst
        restartPolicy: Always
        securityContext: {}
        terminationGracePeriodSeconds: 30
        volumes:
        - emptyDir: {}
          name: nextcloud-source
        - name: nextcloud-data
          persistentVolumeClaim:
            claimName: nextcloud-data
    test: false
    triggers:
    - imageChangeParams:
        automatic: true
        containerNames:
        - nextcloud
        from:
          kind: ImageStreamTag
          name: nextcloud:${NEXTCLOUD_IMAGE_TAG}
      type: ImageChange
    - imageChangeParams:
        automatic: true
        containerNames:
        - nginx
        from:
          kind: ImageStreamTag
          name: nginx:latest
      type: ImageChange
    - type: ConfigChange
- apiVersion: v1
  kind: Service
  metadata:
    labels:
      app: nextcloud
    name: nextcloud
  spec:
    ports:
    - name: 8080-tcp
      port: 8080
      protocol: TCP
      targetPort: 8080
    selector:
      app: nextcloud
      deploymentconfig: nextcloud
    sessionAffinity: None
    type: ClusterIP
- apiVersion: v1
  kind: Route
  metadata:
    name: nextcloud
  spec:
    host: ${NEXTCLOUD_HOST}
    port:
      targetPort: 8080-tcp
    to:
      kind: Service
      name: nextcloud
      weight: 100
    wildcardPolicy: None
- apiVersion: batch/v1beta1
  kind: CronJob
  metadata:
    name: nextcloud-cron
  spec:
    concurrencyPolicy: Replace
    jobTemplate:
      spec:
        activeDeadlineSeconds: 3600
        template:
          spec:
            containers:
            - args:
              - php
              - -f
              - /var/www/html/cron.php
              env:
              - name: NEXTCLOUD_UPDATE
                value: "1"
              - name: NC_dbhost
                value: mariadb
              - name: NC_dbuser
                valueFrom:
                  secretKeyRef:
                    key: database-user
                    name: mariadb
              - name: NC_dbpassword
                valueFrom:
                  secretKeyRef:
                    key: database-password
                    name: mariadb
              - name: NC_dbname
                value: nextcloud
              image: nextcloud:${NEXTCLOUD_IMAGE_TAG}
              imagePullPolicy: Always
              name: nextcloud-cron
              resources: {}
              terminationMessagePath: /dev/termination-log
              volumeMounts:
              - mountPath: /var/www/html
                name: nextcloud-source
              - mountPath: /var/www/html/data
                name: nextcloud-data
                subPath: data
              - mountPath: /var/www/html/config
                name: nextcloud-data
                subPath: config
              - mountPath: /var/www/html/custom_apps
                name: nextcloud-data
                subPath: apps
            dnsPolicy: ClusterFirst
            restartPolicy: Never
            securityContext: {}
            terminationGracePeriodSeconds: 30
            volumes:
            - emptyDir: {}
              name: nextcloud-source
            - name: nextcloud-data
              persistentVolumeClaim:
                claimName: nextcloud-data
    schedule: '*/15 * * * *'
    suspend: false
--------------------------------------------------------------------------------

/nginx.conf:
--------------------------------------------------------------------------------
# user www-data;
worker_processes 1;
error_log /dev/stdout info;
pid /tmp/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    server_tokens off;

    upstream php-handler {
        server localhost:9000;
    }

    server {
        listen *:8080 default_server;
        listen [::]:8080 default_server;
        server_name _;
        access_log /dev/stdout;

        # Docker default IP ranges
        set_real_ip_from 172.16.0.0/12;
        real_ip_header X-Forwarded-For;

        # Add headers to serve security related headers
        # Before enabling Strict-Transport-Security headers please read into this
        # topic first.
        # add_header Strict-Transport-Security "max-age=15768000;
        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
        # includeSubDomains; preload;";
        #
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;

        # Path to the root of your installation
        root /var/www/html/;

        location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
        }

        # The following 2 rules are only needed for the user_webfinger app.
        # Uncomment them if you're planning to use this app.
        #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
        #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
        # last;

        location = /.well-known/carddav {
            return 301 $scheme://$host/remote.php/dav;
        }
        location = /.well-known/caldav {
            return 301 $scheme://$host/remote.php/dav;
        }

        # set max upload size
        client_max_body_size 512M;
        fastcgi_buffers 64 4K;

        # Enable gzip but do not remove ETag headers
        gzip on;
        gzip_vary on;
        gzip_comp_level 4;
        gzip_min_length 256;
        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
        gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

        # Uncomment if your server is built with the ngx_pagespeed module
        # This module is currently not supported.
        #pagespeed off;

        location / {
            rewrite ^ /index.php$uri;
        }

        location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
            deny all;
        }
        location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
            deny all;
        }

        location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
            fastcgi_split_path_info ^(.+\.php)(/.*)$;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            fastcgi_param HTTPS on;
            # Note: this hands PHP the raw X-Forwarded-For header, which any client
            # can set. Because set_real_ip_from/real_ip_header are configured above,
            # $remote_addr already carries the client address taken from a trusted
            # proxy's header, and that is the value fastcgi_params gives REMOTE_ADDR.
            fastcgi_param REMOTE_ADDR $http_x_forwarded_for;
            #Avoid sending the security headers twice
            fastcgi_param modHeadersAvailable true;
            fastcgi_param front_controller_active true;
            fastcgi_pass php-handler;
            fastcgi_intercept_errors on;
            fastcgi_request_buffering off;
        }

        location ~ ^/(?:updater|ocs-provider)(?:$|/) {
            try_files $uri/ =404;
            index index.php;
        }

        # Adding the cache control header for js and css files
        # Make sure it is BELOW the PHP block
        location ~ \.(?:css|js|woff|svg|gif)$ {
            try_files $uri /index.php$uri$is_args$args;
            add_header Cache-Control "public, max-age=15778463";
            # Add headers to serve security related headers (It is intended to
            # have those duplicated to the ones above)
            # Before enabling Strict-Transport-Security headers please read into
            # this topic first.
            # add_header Strict-Transport-Security "max-age=15768000;
            # includeSubDomains; preload;";
            #
            # WARNING: Only add the preload option once you read about
            # the consequences in https://hstspreload.org/. This option
            # will add the domain to a hardcoded list that is shipped
            # in all major browsers and getting removed from this list
            # could take several months.
            add_header X-Content-Type-Options nosniff;
            add_header X-XSS-Protection "1; mode=block";
            add_header X-Robots-Tag none;
            add_header X-Download-Options noopen;
            add_header X-Permitted-Cross-Domain-Policies none;
            # Optional: Don't log access to assets
            access_log off;
        }

        location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
            try_files $uri /index.php$uri$is_args$args;
            # Optional: Don't log access to other assets
            access_log off;
        }
    }
}
--------------------------------------------------------------------------------
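Added example (not code from the tobru/nextcloud-openshift repository): a standalone, offline-testable version of the dump-and-rotate step that the README's Backup section and the `mariadb-backup.yaml` CronJob above perform in a single `bash -c` line, with the two robustness changes a practitioner would want before trusting the rotation. The function names `take_dump`, `prune_dumps` and `count_dumps` are this example's own; the `dump-<timestamp>.sql` naming and timestamp format are the template's.

```shell
#!/bin/sh
# Added example; not part of the tobru/nextcloud-openshift repository.
# Offline-testable version of what the mariadb-backup CronJob does in one
# "bash -c" line: write a dump to the database PV, then keep only the newest
# $BACKUP_KEEP dumps. Two changes over the one-liner:
#  - the dump goes to a .part file and is renamed only if the dump command
#    exits 0, so a failed or truncated dump never counts as a backup and never
#    pushes a good older one out of the retention window;
#  - pruning matches only dump-*.sql, copes with fewer than KEEP files (the
#    one-liner's "ls ... | xargs rm" runs rm with no arguments then) and orders
#    by the timestamp in the file name instead of mtime.
# The names take_dump, prune_dumps and count_dumps are this example's own;
# the dump-<timestamp>.sql naming and timestamp format are the template's.
set -eu

# take_dump DIR TS CMD [ARGS...]: run CMD with stdout into DIR/dump-TS.sql.part,
# rename it to .sql on success, delete the partial file on failure.
# Prints the final path on success and returns CMD's exit status.
take_dump() {
  dir=$1; ts=$2; shift 2
  part="$dir/dump-$ts.sql.part"
  if "$@" > "$part"; then
    mv -- "$part" "${part%.part}"
    printf '%s\n' "${part%.part}"
  else
    rc=$?
    rm -f -- "$part"
    return "$rc"
  fi
}

# prune_dumps DIR KEEP: delete all but the KEEP newest dump-*.sql in DIR and
# print each removed name. The %Y%m%d-%H-%M-%S timestamp sorts lexically in
# chronological order, so there is no dependence on mtime (which a restore
# from backup may reset).
prune_dumps() {
  dir=$1; keep=$2
  for f in "$dir"/dump-*.sql; do
    if [ -e "$f" ]; then printf '%s\n' "${f##*/}"; fi
  done | sort -r | tail -n +$((keep + 1)) | while IFS= read -r old; do
    rm -f -- "$dir/$old"
    printf '%s\n' "$old"
  done
}

# count_dumps DIR: number of completed dump-*.sql files in DIR.
count_dumps() {
  n=0
  for f in "$1"/dump-*.sql; do
    if [ -e "$f" ]; then n=$((n + 1)); fi
  done
  echo "$n"
}

# How the CronJob command would use it (not executed here). MYSQL_PWD is read
# by the MariaDB/MySQL clients, so the password no longer shows up in the
# process list the way "-p$MYSQL_PASSWORD" does:
#   export MYSQL_PWD="$MYSQL_PASSWORD"
#   take_dump /var/lib/mysql/data "$(date +%Y%m%d-%H-%M-%S)" \
#     mysqldump --single-transaction -h mariadb -u "$MYSQL_USER" nextcloud \
#   && prune_dumps /var/lib/mysql/data "$BACKUP_KEEP"
```

The dumps still land on the database's own PV, exactly as the README warns, so copying them to a separate backup location remains your job.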