1- {{- define "nginx.conf" }}
2- worker_processes auto;
3-
4- error_log /var/log/nginx/error.log warn;
5- pid /tmp/nginx.pid;
6-
7-
8- events {
9- worker_connections 1024;
1+ {{- define "default.conf" }}
2+ upstream php-handler {
3+ server 127.0.0.1:9000;
104 }
115
12-
13- http {
14- include /etc/nginx/mime.types;
15- default_type application/octet-stream;
16-
17- log_format main '$remote_addr - $remote_user [$time_local] "$request" '
18- ' $status $body_bytes_sent "$http_referer" '
19- ' "$http_user_agent" "$http_x_forwarded_for"' ;
20-
21- access_log /var/log/nginx/access.log main;
22-
23- sendfile on;
24- # tcp_nopush on;
25-
26- keepalive_timeout 65;
27-
28- # gzip on;
29-
30- upstream php-handler {
31- server 127.0.0.1:9000;
32- }
33-
34- server {
35- listen {{ .Values.nginx.containerPort | default "80" }};
36-
37- # HSTS settings
38- # WARNING: Only add the preload option once you read about
39- # the consequences in https://hstspreload.org/. This option
40- # will add the domain to a hardcoded list that is shipped
41- # in all major browsers and getting removed from this list
42- # could take several months.
43- # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
44-
45- # set max upload size
46- client_max_body_size 10G;
47- fastcgi_buffers 64 4K;
48-
49- # Enable gzip but do not remove ETag headers
50- gzip on;
51- gzip_vary on;
52- gzip_comp_level 4;
53- gzip_min_length 256;
54- gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
55- gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
56-
57- # Pagespeed is not supported by Nextcloud, so if your server is built
58- # with the `ngx_pagespeed` module, uncomment this line to disable it.
59- # pagespeed off;
60-
61- # HTTP response headers borrowed from Nextcloud `.htaccess`
62- add_header Referrer-Policy "no-referrer" always;
63- add_header X-Content-Type-Options "nosniff" always;
64- add_header X-Download-Options "noopen" always;
65- add_header X-Frame-Options "SAMEORIGIN" always;
66- add_header X-Permitted-Cross-Domain-Policies "none" always;
67- add_header X-Robots-Tag "noindex, nofollow" always;
68- add_header X-XSS-Protection "1; mode=block" always;
69-
70- # Remove X-Powered-By, which is an information leak
71- fastcgi_hide_header X-Powered-By;
72-
73- # Path to the root of your installation
74- root /var/www/html;
75-
76- # Specify how to handle directories -- specifying `/index.php$request_uri`
77- # here as the fallback means that Nginx always exhibits the desired behaviour
78- # when a client requests a path that corresponds to a directory that exists
79- # on the server. In particular, if that directory contains an index.php file,
80- # that file is correctly served; if it doesn't, then the request is passed to
81- # the front-end controller. This consistent behaviour means that we don't need
82- # to specify custom rules for certain paths (e.g. images and other assets,
83- # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
84- # `try_files $uri $uri/ /index.php$request_uri`
85- # always provides the desired behaviour.
86- index index.php index.html /index.php$request_uri;
87-
88- # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
89- location = / {
90- if ( $http_user_agent ~ ^DavClnt ) {
91- return 302 /remote.php/webdav/$is_args$args;
92- }
6+ server {
7+ listen {{ .Values.nginx.containerPort | default "80" }};
8+
9+ # HSTS settings
10+ # WARNING: Only add the preload option once you read about
11+ # the consequences in https://hstspreload.org/. This option
12+ # will add the domain to a hardcoded list that is shipped
13+ # in all major browsers and getting removed from this list
14+ # could take several months.
15+ # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
16+
17+ # set max upload size
18+ client_max_body_size 10G;
19+ fastcgi_buffers 64 4K;
20+
21+ # Enable gzip but do not remove ETag headers
22+ gzip on;
23+ gzip_vary on;
24+ gzip_comp_level 4;
25+ gzip_min_length 256;
26+ gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
27+ gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
28+
29+ # Pagespeed is not supported by Nextcloud, so if your server is built
30+ # with the `ngx_pagespeed` module, uncomment this line to disable it.
31+ # pagespeed off;
32+
33+ # HTTP response headers borrowed from Nextcloud `.htaccess`
34+ add_header Referrer-Policy "no-referrer" always;
35+ add_header X-Content-Type-Options "nosniff" always;
36+ add_header X-Download-Options "noopen" always;
37+ add_header X-Frame-Options "SAMEORIGIN" always;
38+ add_header X-Permitted-Cross-Domain-Policies "none" always;
39+ add_header X-Robots-Tag "noindex, nofollow" always;
40+ add_header X-XSS-Protection "1; mode=block" always;
41+
42+ # Remove X-Powered-By, which is an information leak
43+ fastcgi_hide_header X-Powered-By;
44+
45+ # Path to the root of your installation
46+ root /var/www/html;
47+
48+ # Specify how to handle directories -- specifying `/index.php$request_uri`
49+ # here as the fallback means that Nginx always exhibits the desired behaviour
50+ # when a client requests a path that corresponds to a directory that exists
51+ # on the server. In particular, if that directory contains an index.php file,
52+ # that file is correctly served; if it doesn't, then the request is passed to
53+ # the front-end controller. This consistent behaviour means that we don't need
54+ # to specify custom rules for certain paths (e.g. images and other assets,
55+ # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
56+ # `try_files $uri $uri/ /index.php$request_uri`
57+ # always provides the desired behaviour.
58+ index index.php index.html /index.php$request_uri;
59+
60+ # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
61+ location = / {
62+ if ( $http_user_agent ~ ^DavClnt ) {
63+ return 302 /remote.php/webdav/$is_args$args;
9364 }
65+ }
9466
95- location = /robots.txt {
96- allow all;
97- log_not_found off;
98- access_log off;
99- }
67+ location = /robots.txt {
68+ allow all;
69+ log_not_found off;
70+ access_log off;
71+ }
10072
101- # Make a regex exception for `/.well-known` so that clients can still
102- # access it despite the existence of the regex rule
103- # `location ~ /(\.|autotest|...)` which would otherwise handle requests
104- # for `/.well-known`.
105- location ^~ /.well-known {
106- # The following 6 rules are borrowed from `.htaccess`
73+ # Make a regex exception for `/.well-known` so that clients can still
74+ # access it despite the existence of the regex rule
75+ # `location ~ /(\.|autotest|...)` which would otherwise handle requests
76+ # for `/.well-known`.
77+ location ^~ /.well-known {
78+ # The following 6 rules are borrowed from `.htaccess`
10779
108- location = /.well-known/carddav { return 301 /remote.php/dav/; }
109- location = /.well-known/caldav { return 301 /remote.php/dav/; }
110- # Anything else is dynamically handled by Nextcloud
111- location ^~ /.well-known { return 301 /index.php$uri; }
80+ location = /.well-known/carddav { return 301 /remote.php/dav/; }
81+ location = /.well-known/caldav { return 301 /remote.php/dav/; }
82+ # Anything else is dynamically handled by Nextcloud
83+ location ^~ /.well-known { return 301 /index.php$uri; }
11284
113- try_files $uri $uri/ =404;
114- }
85+ try_files $uri $uri/ =404;
86+ }
11587
116- # Rules borrowed from `.htaccess` to hide certain paths from clients
117- location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
118- location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
88+ # Rules borrowed from `.htaccess` to hide certain paths from clients
89+ location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
90+ location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
11991
120- # Ensure this block, which passes PHP files to the PHP process, is above the blocks
121- # which handle static assets (as seen below). If this block is not declared first,
122- # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
123- # to the URI, resulting in a HTTP 500 error response.
124- location ~ \.php(?:$|/) {
125- # Required for legacy support
126- rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
92+ # Ensure this block, which passes PHP files to the PHP process, is above the blocks
93+ # which handle static assets (as seen below). If this block is not declared first,
94+ # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
95+ # to the URI, resulting in a HTTP 500 error response.
96+ location ~ \.php(?:$|/) {
97+ # Required for legacy support
98+ rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
12799
128- fastcgi_split_path_info ^(.+?\.php)(/.*)$;
129- set $path_info $fastcgi_path_info;
100+ fastcgi_split_path_info ^(.+?\.php)(/.*)$;
101+ set $path_info $fastcgi_path_info;
130102
131- try_files $fastcgi_script_name =404;
103+ try_files $fastcgi_script_name =404;
132104
133- include fastcgi_params;
134- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
135- fastcgi_param PATH_INFO $path_info;
136- # fastcgi_param HTTPS on;
105+ include fastcgi_params;
106+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
107+ fastcgi_param PATH_INFO $path_info;
108+ # fastcgi_param HTTPS on;
137109
138- fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
139- fastcgi_param front_controller_active true; # Enable pretty urls
140- fastcgi_pass php-handler;
110+ fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
111+ fastcgi_param front_controller_active true; # Enable pretty urls
112+ fastcgi_pass php-handler;
141113
142- fastcgi_intercept_errors on;
143- fastcgi_request_buffering off;
144- }
114+ fastcgi_intercept_errors on;
115+ fastcgi_request_buffering off;
116+ }
145117
146- location ~ \.(?:css|js|svg|gif)$ {
147- try_files $uri /index.php$request_uri;
148- expires 6M; # Cache-Control policy borrowed from `.htaccess`
149- access_log off; # Optional: Don't log access to assets
150- }
118+ location ~ \.(?:css|js|svg|gif)$ {
119+ try_files $uri /index.php$request_uri;
120+ expires 6M; # Cache-Control policy borrowed from `.htaccess`
121+ access_log off; # Optional: Don't log access to assets
122+ }
151123
152- location ~ \.woff2?$ {
153- try_files $uri /index.php$request_uri;
154- expires 7d; # Cache-Control policy borrowed from `.htaccess`
155- access_log off; # Optional: Don't log access to assets
156- }
124+ location ~ \.woff2?$ {
125+ try_files $uri /index.php$request_uri;
126+ expires 7d; # Cache-Control policy borrowed from `.htaccess`
127+ access_log off; # Optional: Don't log access to assets
128+ }
157129
158- location / {
159- try_files $uri $uri/ /index.php$request_uri;
160- }
130+ location / {
131+ try_files $uri $uri/ /index.php$request_uri;
161132 }
162133 }
163134{{- end }}
@@ -173,10 +144,12 @@ metadata:
173144 app.kubernetes.io/instance : {{ .Release.Name }}
174145 app.kubernetes.io/managed-by : {{ .Release.Service }}
175146data :
176- nginx.conf : |-
177147{{- if .Values.nginx.config.default }}
178- {{- template "nginx.conf" $ }}
179- {{- else }}
148+ default.conf : |-
149+ {{- template "default.conf" $ }}
150+ {{- end }}
151+ {{- if .Values.nginx.config.custom }}
152+ zz-custom.conf : |-
180153{{ .Values.nginx.config.custom | indent 4 }}
181154{{- end }}
182155{{- end }}
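Review bot: In the ConfigMap `data:` block the old `if … else` made the built-in and the custom configuration mutually exclusive, but the new code emits `default.conf` and `zz-custom.conf` together whenever both `.Values.nginx.config.default` and `.Values.nginx.config.custom` are set. If both files land in the same include directory (the mount is outside this hunk, so this is inferred from the file names), a custom `server` block on the same `listen` port without a distinct `server_name` is ignored in favour of the one in `default.conf`, so path restrictions or response headers placed in the custom value may silently not apply. A custom value written as a complete `nginx.conf` with its own `events`/`http` blocks would also stop loading, because it is now read inside the `http` context. I would state the new contract in a comment above the key, e.g. `# zz-custom.conf is loaded in addition to default.conf, inside http {}; set nginx.config.default to false to replace the built-in server block`, and list the change as breaking in the chart's upgrade notes.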