Hey everyone,

the last thing I need to migrate is a really big Nextcloud instance from my CLI-based webserver, but I have some problems getting nginx configured properly.

https://docs.nextcloud.com/server/31/admin_manual/installation/nginx.html

I was able to get the most out of this example configuration and get most of Nextcloud working, but there are some things that do not get applied, or so it seems. So my question is whether there is a way to build the nginx conf for a site mostly on my own to get some things working.

I'm not sure about everything, but for example I would need this line within the PHP location block:

Code:
rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri;

regarding this warning from Nextcloud:

Further, it seems that this block does not get applied:

Code:
location ^~ /.well-known {
    # The rules in this block are an adaptation of the rules
    # in `.htaccess` that concern `/.well-known`.

    location = /.well-known/carddav { return 301 /remote.php/dav/; }
    location = /.well-known/caldav  { return 301 /remote.php/dav/; }

    location = /.well-known/webfinger { return 301 /index.php/.well-known/webfinger; }
    location = /.well-known/nodeinfo  { return 301 /index.php/.well-known/nodeinfo; }

    location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
    location /.well-known/pki-validation { try_files $uri $uri/ =404; }

    return 301 /index.php$request_uri;
}

regarding this warning:

And last, for now, these directives are not applied either:

Code:
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header X-XSS-Protection "1; mode=block" always;

regarding this warning:

So it would be nice to get a good and working Nextcloud configuration, as it's an important instance and I wouldn't like to create a single server just for it. I think getting a good best-practice case would help others too.

Best regards

I'm using these settings, running Nextcloud with PHP 8.3.

Custom php.ini settings:

Code:
memory_limit = 1G
upload_max_filesize = 5G
post_max_size = 5G
max_execution_time = 3600
apc.enable_cli = 1
opcache.enable = 1
opcache.enable_cli = 1
opcache.memory_consumption = 128
opcache.revalidate_freq = 60
opcache.interned_strings_buffer = 32
opcache.save_comments = 1
opcache.jit = 1255
opcache.jit_buffer_size = 128M
display_errors = Off
html_errors = Off

Nginx Directives:

Code:
location ~ \.php$ {
    ##delete##
}

location @php {
    ##delete##
}

# set max upload size
client_max_body_size 5G;
client_body_timeout 900s;
fastcgi_buffers 64 4K;

# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json
    application/ld+json application/manifest+json application/rss+xml
    application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf
    application/x-web-app-manifest+json application/xhtml+xml application/xml
    font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest
    text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt
    text/x-component text/x-cross-domain-policy;

# This setting allows you to optimize the HTTP2 bandwidth.
# See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
# for tuning hints
client_body_buffer_size 512k;

add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header X-XSS-Protection "1; mode=block" always;

# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;

# Add .mjs as a file extension for javascript
# Either include it in the default mime.types list
# or you can include that list explicitly and add the file extension
# only for Nextcloud like below:
include mime.types;
types {
    text/javascript js mjs;
    application/wasm wasm;
}

index index.php index.html /index.php$request_uri;

location = / {
    if ( $http_user_agent ~ ^DavClnt ) {
        return 302 /remote.php/webdav/$is_args$args;
    }
}

location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
}

# Make a regex exception for `/.well-known` so that clients can still
# access it despite the existence of the regex rule
# `location ~ /(\.|autotest|...)` which would otherwise handle requests
# for `/.well-known`.
location ^~ /.well-known {
    rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
    rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
    rewrite ^/.well-known/nodeinfo /public.php?service=nodeinfo last;

    location = /.well-known/carddav { return 302 $scheme://$host/remote.php/dav/; }
    location = /.well-known/caldav { return 302 $scheme://$host/remote.php/dav/; }
    location = /.well-known/webfinger { return 302 /index.php$uri; }
    location = /.well-known/nodeinfo { return 302 /index.php$uri; }
    location = /.well-known/security.txt { try_files $uri $uri/ @securitytxt; }
    location = /.well-known/mta-sts.txt { try_files $uri $uri/ @mta-sts; }
    location = /.well-known { return 302 /index.php$uri; }

    try_files $uri $uri/ =404;
    #return 302 /index.php$request_uri;
}

location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }

# Ensure this block, which passes PHP files to the PHP process, is above the blocks
# which handle static assets (as seen below). If this block is not declared first,
# then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
# to the URI, resulting in a HTTP 500 error response.
location ~ \.php(?:$|/) {
    rewrite ^\/(?!index|info|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy)\.php(?:$|\/) /index.php$request_uri;

    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    set $path_info $fastcgi_path_info;

    try_files $fastcgi_script_name =404;

    include /etc/nginx/fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $path_info;
    fastcgi_param HTTPS on;

    fastcgi_param modHeadersAvailable true;     # Avoid sending the security headers twice
    fastcgi_param front_controller_active true; # Enable pretty urls
    {FASTCGIPASS}

    fastcgi_intercept_errors on;
    fastcgi_request_buffering off;
    fastcgi_max_temp_file_size 0;
}

location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite)$ {
    try_files $uri /index.php$request_uri;
    expires 6M;      # Cache-Control policy
    access_log off;  # Optional: Don't log access to assets
}

location ~ \.(otf|woff2?)$ {
    try_files $uri /index.php$request_uri;
    expires 7d;      # Cache-Control policy
    access_log off;  # Optional: Don't log access to assets
}

location /remote {
    return 302 /remote.php$request_uri;
}

location = /data/htaccesstest.txt {
    allow all;
    log_not_found off;
    access_log off;
}

location / {
    #rewrite ^ /index.php$request_uri;
    try_files $uri $uri/ /index.php$request_uri;
}

(There are some custom settings because of my own security.txt and mta-sts.txt, which are implemented into the webserver and every website through a customized nginx_vhost.conf.master file. Both my security.txt and mta-sts.txt can be found elsewhere on this forum.)

Nextcloud isn't giving me any errors or warnings about the webserver. I do have yet to resolve issues with Collabora Online / Nextcloud Office being stuck on the loading screen and not displaying documents.

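Added example, not part of either post: a small Python model of the PHP location block that runs the two rewrite patterns quoted in this thread over constructed request paths and returns the script name and PATH_INFO PHP-FPM would receive in each case. It assumes requests without a query string; `fastcgi_target`, `compare` and the sample paths are names made up for this illustration.

```python
import re

# Rewrite patterns copied from the thread (nginx uses PCRE; Python's re accepts both as-is).
DOCS_REWRITE = re.compile(  # first post, taken from the Nextcloud admin manual
    r"^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+"
    r"|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy)")
REPLY_REWRITE = re.compile(  # reply: same idea, with `\.php(?:$|\/)` after the lookahead
    r"^\/(?!index|info|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+"
    r"|oc[ms]-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy)\.php(?:$|\/)")
# fastcgi_split_path_info pattern from the reply's PHP location block
SPLIT = re.compile(r"^(.+?\.php)(/.*)$")


def fastcgi_target(uri, rewrite):
    """Return (script name, PATH_INFO) the PHP location would hand to PHP-FPM.

    Simplified model: `uri` carries no query string, so $request_uri == $uri.
    """
    if rewrite.search(uri):
        uri = "/index.php" + uri  # rewrite ... /index.php$request_uri;
    m = SPLIT.match(uri)
    return (m.group(1), m.group(2)) if m else (uri, "")


# Constructed sample request paths (not taken from the thread).
SAMPLES = [
    "/index.php",
    "/remote.php/dav/files/alice/",
    "/ocs/v2.php/cloud/capabilities",
    "/apps/richdocumentscode/proxy.php",
    "/apps/example/helper.php",
    "/.php",  # model only: the reply's dot-file location answers 404 before this block
]


def compare(uris=SAMPLES):
    """Map each URI to (target under the docs pattern, target under the reply pattern)."""
    return {u: (fastcgi_target(u, DOCS_REWRITE), fastcgi_target(u, REPLY_REWRITE))
            for u in uris}


if __name__ == "__main__":
    for uri, (docs, reply) in compare().items():
        print(f"{uri:36} docs={docs} reply={reply}")
```

In this model the pattern from the admin manual routes `/apps/example/helper.php` through `/index.php`, while the reply's pattern only matches URIs that begin with `/.php`, so the same request keeps its own script name and is subject only to `try_files $fastcgi_script_name =404`.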
Hey, thank you for your help in getting some things done. From your example I removed security and mta-sts for now - I will handle that later. Further, I removed the types { ... } because application/javascript js; is already included in the mime.types and I just added mjs to that definition. application/wasm was also already within the mime.types file, so I removed that part and just kept the include of the mime.types so I don't get a warning about duplicate content. Further, Nextcloud still reports: