cloudserve-infrastructure/roles/nextcloud/files/Caddyfile

{
    servers {
        trusted_proxies static 10.0.0.0/8
    }
}

:80 {
    encode zstd gzip
	root * /var/www/html

	header {
		# enable HSTS
		Strict-Transport-Security max-age=31536000;
		Permissions-Policy interest-cohort=()
		X-Content-Type-Options nosniff
		X-Frame-Options SAMEORIGIN
		Referrer-Policy no-referrer
		X-XSS-Protection "1; mode=block"
		X-Permitted-Cross-Domain-Policies none
		X-Robots-Tag "noindex, nofollow"
		-X-Powered-By
	}

	redir /.well-known/carddav /remote.php/dav 301
	redir /.well-known/caldav /remote.php/dav 301

    # Uncomment this block if you use the high speed files backend: https://github.com/nextcloud/notify_push
	#handle_path /push/* {
	#	reverse_proxy unix//run/notify_push/notify_push.sock # I love Unix sockets, but you can do :7867 also
	#}

	# .htaccess / data / config / ... shouldn't be accessible from outside
	@forbidden {
		path /.htaccess
		path /data/*
		path /config/*
		path /db_structure
		path /.xml
		path /README
		path /3rdparty/*
		path /lib/*
		path /templates/*
		path /occ
		path /console.php
	}
	handle @forbidden {
	        respond 404
	}

    handle {
        root * /var/www/html
	    php_fastcgi app:9000 {
            # Tells nextcloud to remove /index.php from URLs in links
			env front_controller_active true
			env modHeadersAvailable true # Avoid sending the security headers twice
	    }
    }

	# From .htaccess, set cache for versioned static files (cache-busting)
	@immutable {
		path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
		query v=*
	}
	header @immutable Cache-Control "max-age=15778463, immutable"

	# From .htaccess, set cache for normal static files
	@static {
		path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
		not query v=*
	}
	header @static Cache-Control "max-age=15778463"

	# From .htaccess, cache fonts for 1 week
	@woff2 path *.woff2
	header @woff2 Cache-Control "max-age=604800"

	file_server
}