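# Caddy site configuration for a Nextcloud instance behind PHP-FPM.
# NOTE(review): ${nextcloud_domain} is not Caddy's own {$ENV} placeholder form,
# so it is presumably substituted by an external templating step - confirm.

# Plain HTTP exists only to send clients to the HTTPS site.
http://${nextcloud_domain}:80 {
	redir https://${nextcloud_domain}{uri} permanent
}

${nextcloud_domain}:443 {
	root * /var/www/html
	encode gzip zstd

	# Legacy endpoints mapped onto the PHP front controllers.
	rewrite /ocm-provider/ /index.php
	rewrite /ocs-provider/ /ocs-provider/index.php
	rewrite /remote /remote.php
	rewrite /remote/* /remote.php?{query}

	# Service discovery redirects.
	redir /.well-known/caldav /remote.php/dav 301
	redir /.well-known/carddav /remote.php/dav 301
	redir /.well-known/webfinger /index.php/.well-known/webfinger 301
	redir /.well-known/nodeinfo /index.php/.well-known/nodeinfo 301

	# .htaccess / data / config / ... shouldn't be accessible from outside
	@forbidden {
		path /.htaccess
		path /.xml
		path /console.php
		path /cron.php
		path /3rdparty/*
		path /README
		path /autotest/*
		path /build/*
		path /config/*
		path /console/*
		path /data/*
		path /db_*/*
		path /db_structure
		path /indie/*
		path /issue/*
		path /lib/*
		path /occ
		path /occ/*
		path /templates/*
		path /tests/*
	}

	# The deny rule is the FIRST handle block instead of a top-level
	# `respond @forbidden 404`. In Caddy's default directive order `respond`
	# is sorted after `handle`, so a top-level respond is only evaluated once
	# the handle blocks below have let the request fall through. By then
	# file_server has already answered any @static match (for example an image
	# or .json file under /data/) and php_fastcgi has already run any matching
	# PHP script (for example /cron.php). handle blocks are mutually exclusive,
	# so a forbidden path now stops here.
	# Verify after deployment: a request for a known file under /data/ or
	# /config/ must return 404.
	handle @forbidden {
		respond 404
	}

	# Static assets served straight from disk; index.php, the theming app
	# internals and the merged core template are excluded.
	@static {
		method GET HEAD
		not path /index.php*
		not path /apps/theming/composer/*
		not path /apps/theming/lib/*
		not path /apps/theming/templates/*
		not path /apps/theming/theme/*
		not path /js/core/merged-template-prepend.js
		path *.css
		path *.css.map
		path *.gif
		path *.ico
		path *.jpg
		path *.js
		path *.js.map
		path *.json
		path *.mjs
		path *.otf
		path *.png
		path *.svg
		path *.tflite
		path *.wasm
		path *.webp
		path *.woff2
	}

	handle @static {
		# 604800 s = 7 days of client-side caching.
		header Cache-Control "max-age=604800"
		file_server
	}

	# Everything else goes to PHP-FPM.
	handle * {
		# Resolve the request to an existing file, a directory index.php, or
		# the front controller with the original path appended as PATH_INFO.
		@index_files file {
			try_files {path} {path}/index.php /index.php{path}
			split_path .php
		}
		rewrite @index_files {file_match.relative}

		php_fastcgi nextcloud:9000 {
			env PATH /bin
			env modHeadersAvailable true
			env front_controller_active true
			dial_timeout 60s
			# NOTE(review): the long read timeout presumably accommodates large
			# uploads or long-running requests - confirm it is intended.
			read_timeout 3600s
			write_timeout 300s
		}
	}

	# Response hardening headers, set at site level for every response.
	header Strict-Transport-Security "max-age=15768000;"
	header X-Content-Type-Options "nosniff"
	# Legacy header: current browsers no longer ship the XSS auditor it
	# controlled, so it adds no protection there; kept as in the original.
	header X-XSS-Protection "1; mode=block"
	header X-Robots-Tag "noindex, nofollow"
	header X-Download-Options "noopen"
	header X-Permitted-Cross-Domain-Policies "none"
	header Referrer-Policy "no-referrer"
	header X-Frame-Options "SAMEORIGIN"

	log

	# Certificate is issued by Caddy's local CA, not a public one: every client
	# must trust that root. With HSTS set above, browsers give users no way to
	# click through the certificate error for an untrusted root.
	tls internal
}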