Update Nextcloud internal Caddyfile
Add suggested security improvements and static file caching.
parent
388a1d8cfc
commit
26cceccfd9
1 changed files with 52 additions and 6 deletions
|
|
@ -1,16 +1,34 @@
|
||||||
:80 {
|
{
|
||||||
root * /var/www/html
|
servers {
|
||||||
file_server
|
trusted_proxies static 10.0.0.0/8
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
:80 {
|
||||||
|
encode zstd gzip
|
||||||
|
root * /var/www/html
|
||||||
|
|
||||||
php_fastcgi app:9000
|
|
||||||
header {
|
header {
|
||||||
# enable HSTS
|
# enable HSTS
|
||||||
Strict-Transport-Security max-age=31536000;
|
Strict-Transport-Security max-age=31536000;
|
||||||
|
Permissions-Policy interest-cohort=()
|
||||||
|
X-Content-Type-Options nosniff
|
||||||
|
X-Frame-Options SAMEORIGIN
|
||||||
|
Referrer-Policy no-referrer
|
||||||
|
X-XSS-Protection "1; mode=block"
|
||||||
|
X-Permitted-Cross-Domain-Policies none
|
||||||
|
X-Robots-Tag "noindex, nofollow"
|
||||||
|
-X-Powered-By
|
||||||
}
|
}
|
||||||
|
|
||||||
redir /.well-known/carddav /remote.php/dav 301
|
redir /.well-known/carddav /remote.php/dav 301
|
||||||
redir /.well-known/caldav /remote.php/dav 301
|
redir /.well-known/caldav /remote.php/dav 301
|
||||||
|
|
||||||
|
# Uncomment this block if you use the high speed files backend: https://github.com/nextcloud/notify_push
|
||||||
|
#handle_path /push/* {
|
||||||
|
# reverse_proxy unix//run/notify_push/notify_push.sock # I love Unix sockets, but you can do :7867 also
|
||||||
|
#}
|
||||||
|
|
||||||
# .htaccess / data / config / ... shouldn't be accessible from outside
|
# .htaccess / data / config / ... shouldn't be accessible from outside
|
||||||
@forbidden {
|
@forbidden {
|
||||||
path /.htaccess
|
path /.htaccess
|
||||||
|
|
@ -25,8 +43,36 @@
|
||||||
path /occ
|
path /occ
|
||||||
path /console.php
|
path /console.php
|
||||||
}
|
}
|
||||||
|
handle @forbidden {
|
||||||
|
respond 404
|
||||||
|
}
|
||||||
|
|
||||||
respond @forbidden 404
|
handle {
|
||||||
|
root * /var/www/html
|
||||||
|
php_fastcgi app:9000 {
|
||||||
|
# Tells nextcloud to remove /index.php from URLs in links
|
||||||
|
env front_controller_active true
|
||||||
|
env modHeadersAvailable true # Avoid sending the security headers twice
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# From .htaccess, set cache for versioned static files (cache-busting)
|
||||||
|
@immutable {
|
||||||
|
path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
|
||||||
|
query v=*
|
||||||
|
}
|
||||||
|
header @immutable Cache-Control "max-age=15778463, immutable"
|
||||||
|
|
||||||
|
# From .htaccess, set cache for normal static files
|
||||||
|
@static {
|
||||||
|
path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
|
||||||
|
not query v=*
|
||||||
|
}
|
||||||
|
header @static Cache-Control "max-age=15778463"
|
||||||
|
|
||||||
|
# From .htaccess, cache fonts for 1 week
|
||||||
|
@woff2 path *.woff2
|
||||||
|
header @woff2 Cache-Control "max-age=604800"
|
||||||
|
|
||||||
|
file_server
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
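Review bot: The new global option `trusted_proxies static 10.0.0.0/8` in the first hunk trusts the whole 10/8 range, so any peer in that range that can reach `:80` directly would have its `X-Forwarded-For` accepted as the client address. Nextcloud presumably uses that address for brute-force throttling and logging, so the range is worth narrowing to the network the fronting proxy actually sits on, e.g. `trusted_proxies static <PROXY_SUBNET_CIDR>`. A comment such as `# only the reverse proxy's network; keep in sync with trusted_proxies in Nextcloud's config.php` would record the intent. Separately, the second hunk sets `env modHeadersAvailable true`, and its inline comment says this avoids sending the security headers twice, so the `header` block becomes the only source of those headers. That block deserves a comment like `# Nextcloud no longer sends these itself (modHeadersAvailable); do not remove`.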