|
1 | 1 | apiVersion: v1 |
2 | 2 | data: |
3 | | - default.conf: "upstream php-handler {\n server 127.0.0.1:9000;\n}\n\nserver {\n\ |
4 | | - \ listen 80;\n\n # HSTS settings\n # WARNING: Only add the preload option\ |
5 | | - \ once you read about\n # the consequences in https://hstspreload.org/. This\ |
6 | | - \ option\n # will add the domain to a hardcoded list that is shipped\n #\ |
7 | | - \ in all major browsers and getting removed from this list\n # could take several\ |
8 | | - \ months.\n #add_header Strict-Transport-Security \"max-age=15768000; includeSubDomains;\ |
9 | | - \ preload;\" always;\n\n # set max upload size\n client_max_body_size 10G;\n\ |
10 | | - \ fastcgi_buffers 64 4K;\n\n # Enable gzip but do not remove ETag headers\n\ |
11 | | - \ gzip on;\n gzip_vary on;\n gzip_comp_level 4;\n gzip_min_length\ |
12 | | - \ 256;\n gzip_proxied expired no-cache no-store private no_last_modified no_etag\ |
13 | | - \ auth;\n gzip_types application/atom+xml application/javascript application/json\ |
14 | | - \ application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json\ |
15 | | - \ application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json\ |
16 | | - \ application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml\ |
17 | | - \ image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc\ |
18 | | - \ text/vtt text/x-component text/x-cross-domain-policy;\n\n # Pagespeed is\ |
19 | | - \ not supported by Nextcloud, so if your server is built\n # with the `ngx_pagespeed`\ |
20 | | - \ module, uncomment this line to disable it.\n #pagespeed off;\n\n # HTTP\ |
21 | | - \ response headers borrowed from Nextcloud `.htaccess`\n add_header Referrer-Policy\ |
22 | | - \ \"no-referrer\" always;\n add_header X-Content-Type-Options\ |
23 | | - \ \"nosniff\" always;\n add_header X-Download-Options\ |
24 | | - \ \"noopen\" always;\n add_header X-Frame-Options\ |
25 | | - \ \"SAMEORIGIN\" always;\n add_header X-Permitted-Cross-Domain-Policies\ |
26 | | - \ \"none\" always;\n add_header X-Robots-Tag \ |
27 | | - \ \"noindex, nofollow\" always;\n add_header X-XSS-Protection \ |
28 | | - \ \"1; mode=block\" always;\n\n # Remove X-Powered-By,\ |
29 | | - \ which is an information leak\n fastcgi_hide_header X-Powered-By;\n\n #\ |
30 | | - \ Add .mjs as a file extension for javascript\n # Either include it in the\ |
31 | | - \ default mime.types list\n # or include you can include that list explicitly\ |
32 | | - \ and add the file extension\n # only for Nextcloud like below:\n include\ |
33 | | - \ mime.types;\n types {\n text/javascript js mjs;\n } \n\n\ |
34 | | - \ # Path to the root of your installation\n root /var/www/html;\n\n #\ |
35 | | - \ Specify how to handle directories -- specifying `/index.php$request_uri`\n \ |
36 | | - \ # here as the fallback means that Nginx always exhibits the desired behaviour\n\ |
37 | | - \ # when a client requests a path that corresponds to a directory that exists\n\ |
38 | | - \ # on the server. In particular, if that directory contains an index.php file,\n\ |
39 | | - \ # that file is correctly served; if it doesn't, then the request is passed\ |
40 | | - \ to\n # the front-end controller. This consistent behaviour means that we\ |
41 | | - \ don't need\n # to specify custom rules for certain paths (e.g. images and\ |
42 | | - \ other assets,\n # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus\n\ |
43 | | - \ # `try_files $uri $uri/ /index.php$request_uri`\n # always provides the\ |
44 | | - \ desired behaviour.\n index index.php index.html /index.php$request_uri;\n\ |
45 | | - \n # Rule borrowed from `.htaccess` to handle Microsoft DAV clients\n location\ |
46 | | - \ = / {\n if ( $http_user_agent ~ ^DavClnt ) {\n return 302\ |
47 | | - \ /remote.php/webdav/$is_args$args;\n }\n }\n\n location = /robots.txt\ |
48 | | - \ {\n allow all;\n log_not_found off;\n access_log off;\n\ |
49 | | - \ }\n\n # Make a regex exception for `/.well-known` so that clients can\ |
50 | | - \ still\n # access it despite the existence of the regex rule\n # `location\ |
51 | | - \ ~ /(\\.|autotest|...)` which would otherwise handle requests\n # for `/.well-known`.\n\ |
52 | | - \ location ^~ /.well-known {\n # The following 6 rules are borrowed\ |
53 | | - \ from `.htaccess`\n\n location = /.well-known/carddav { return 301\ |
54 | | - \ /remote.php/dav/; }\n location = /.well-known/caldav { return 301\ |
55 | | - \ /remote.php/dav/; }\n # Anything else is dynamically handled by Nextcloud\n\ |
56 | | - \ location ^~ /.well-known { return 301 /index.php$uri; }\n\n\ |
57 | | - \ try_files $uri $uri/ =404;\n }\n\n # Rules borrowed from `.htaccess`\ |
58 | | - \ to hide certain paths from clients\n location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)\ |
59 | | - \ { return 404; }\n location ~ ^/(?:\\.|autotest|occ|issue|indie|db_|console)\ |
60 | | - \ { return 404; }\n\n # Ensure this block, which passes PHP files\ |
61 | | - \ to the PHP process, is above the blocks\n # which handle static assets (as\ |
62 | | - \ seen below). If this block is not declared first,\n # then Nginx will encounter\ |
63 | | - \ an infinite rewriting loop when it prepends `/index.php`\n # to the URI,\ |
64 | | - \ resulting in a HTTP 500 error response.\n location ~ \\.php(?:$|/) {\n \ |
65 | | - \ # Required for legacy support\n rewrite ^/(?!index|remote|public|cron|core\\\ |
66 | | - /ajax\\/update|status|ocs\\/v[12]|updater\\/.+|oc[ms]-provider\\/.+|.+\\/richdocumentscode(_arm64)?\\\ |
67 | | - /proxy) /index.php$request_uri;\n\n fastcgi_split_path_info ^(.+?\\.php)(/.*)$;\n\ |
68 | | - \ set $path_info $fastcgi_path_info;\n\n try_files $fastcgi_script_name\ |
69 | | - \ =404;\n\n include fastcgi_params;\n fastcgi_param SCRIPT_FILENAME\ |
70 | | - \ $document_root$fastcgi_script_name;\n fastcgi_param PATH_INFO $path_info;\n\ |
71 | | - \ #fastcgi_param HTTPS on;\n\n fastcgi_param modHeadersAvailable\ |
72 | | - \ true; # Avoid sending the security headers twice\n fastcgi_param\ |
73 | | - \ front_controller_active true; # Enable pretty urls\n fastcgi_pass\ |
74 | | - \ php-handler;\n\n fastcgi_intercept_errors on;\n fastcgi_request_buffering\ |
75 | | - \ off;\n }\n\n location ~ \\.(?:css|js|svg|gif)$ {\n try_files $uri\ |
76 | | - \ /index.php$request_uri;\n expires 6M; # Cache-Control policy\ |
77 | | - \ borrowed from `.htaccess`\n access_log off; # Optional: Don't log\ |
78 | | - \ access to assets\n }\n\n location ~ \\.woff2?$ {\n try_files $uri\ |
79 | | - \ /index.php$request_uri;\n expires 7d; # Cache-Control policy\ |
80 | | - \ borrowed from `.htaccess`\n access_log off; # Optional: Don't log\ |
81 | | - \ access to assets\n }\n\n location / {\n try_files $uri $uri/ /index.php$request_uri;\n\ |
82 | | - \ }\n}" |
| 3 | + default.conf: |- |
| 4 | + upstream php-handler { |
| 5 | + server 127.0.0.1:9000; |
| 6 | + } |
| 7 | +
|
| 8 | + server { |
| 9 | + # Default, IPv4 only |
| 10 | + listen 80; |
| 11 | +
|
| 12 | + # HSTS settings |
| 13 | + # WARNING: Only add the preload option once you read about |
| 14 | + # the consequences in https://hstspreload.org/. This option |
| 15 | + # will add the domain to a hardcoded list that is shipped |
| 16 | + # in all major browsers and getting removed from this list |
| 17 | + # could take several months. |
| 18 | + #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; |
| 19 | +
|
| 20 | + # set max upload size |
| 21 | + client_max_body_size 10G; |
| 22 | + fastcgi_buffers 64 4K; |
| 23 | +
|
| 24 | + # Enable gzip but do not remove ETag headers |
| 25 | + gzip on; |
| 26 | + gzip_vary on; |
| 27 | + gzip_comp_level 4; |
| 28 | + gzip_min_length 256; |
| 29 | + gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; |
| 30 | + gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; |
| 31 | +
|
| 32 | + # Pagespeed is not supported by Nextcloud, so if your server is built |
| 33 | + # with the `ngx_pagespeed` module, uncomment this line to disable it. |
| 34 | + #pagespeed off; |
| 35 | +
|
| 36 | + # HTTP response headers borrowed from Nextcloud `.htaccess` |
| 37 | + add_header Referrer-Policy "no-referrer" always; |
| 38 | + add_header X-Content-Type-Options "nosniff" always; |
| 39 | + add_header X-Download-Options "noopen" always; |
| 40 | + add_header X-Frame-Options "SAMEORIGIN" always; |
| 41 | + add_header X-Permitted-Cross-Domain-Policies "none" always; |
| 42 | + add_header X-Robots-Tag "noindex, nofollow" always; |
| 43 | + add_header X-XSS-Protection "1; mode=block" always; |
| 44 | +
|
| 45 | + # Remove X-Powered-By, which is an information leak |
| 46 | + fastcgi_hide_header X-Powered-By; |
| 47 | +
|
| 48 | + # Add .mjs as a file extension for javascript |
| 49 | + # Either include it in the default mime.types list |
| 50 | + # or include you can include that list explicitly and add the file extension |
| 51 | + # only for Nextcloud like below: |
| 52 | + include mime.types; |
| 53 | + types { |
| 54 | + text/javascript js mjs; |
| 55 | + } |
| 56 | +
|
| 57 | + # Path to the root of your installation |
| 58 | + root /var/www/html; |
| 59 | +
|
| 60 | + # Specify how to handle directories -- specifying `/index.php$request_uri` |
| 61 | + # here as the fallback means that Nginx always exhibits the desired behaviour |
| 62 | + # when a client requests a path that corresponds to a directory that exists |
| 63 | + # on the server. In particular, if that directory contains an index.php file, |
| 64 | + # that file is correctly served; if it doesn't, then the request is passed to |
| 65 | + # the front-end controller. This consistent behaviour means that we don't need |
| 66 | + # to specify custom rules for certain paths (e.g. images and other assets, |
| 67 | + # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus |
| 68 | + # `try_files $uri $uri/ /index.php$request_uri` |
| 69 | + # always provides the desired behaviour. |
| 70 | + index index.php index.html /index.php$request_uri; |
| 71 | +
|
| 72 | + # Rule borrowed from `.htaccess` to handle Microsoft DAV clients |
| 73 | + location = / { |
| 74 | + if ( $http_user_agent ~ ^DavClnt ) { |
| 75 | + return 302 /remote.php/webdav/$is_args$args; |
| 76 | + } |
| 77 | + } |
| 78 | +
|
| 79 | + location = /robots.txt { |
| 80 | + allow all; |
| 81 | + log_not_found off; |
| 82 | + access_log off; |
| 83 | + } |
| 84 | +
|
| 85 | + # Make a regex exception for `/.well-known` so that clients can still |
| 86 | + # access it despite the existence of the regex rule |
| 87 | + # `location ~ /(\.|autotest|...)` which would otherwise handle requests |
| 88 | + # for `/.well-known`. |
| 89 | + location ^~ /.well-known { |
| 90 | + # The following 6 rules are borrowed from `.htaccess` |
| 91 | +
|
| 92 | + location = /.well-known/carddav { return 301 /remote.php/dav/; } |
| 93 | + location = /.well-known/caldav { return 301 /remote.php/dav/; } |
| 94 | + # Anything else is dynamically handled by Nextcloud |
| 95 | + location ^~ /.well-known { return 301 /index.php$uri; } |
| 96 | +
|
| 97 | + try_files $uri $uri/ =404; |
| 98 | + } |
| 99 | +
|
| 100 | + # Rules borrowed from `.htaccess` to hide certain paths from clients |
| 101 | + location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; } |
| 102 | + location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; } |
| 103 | +
|
| 104 | + # Ensure this block, which passes PHP files to the PHP process, is above the blocks |
| 105 | + # which handle static assets (as seen below). If this block is not declared first, |
| 106 | + # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php` |
| 107 | + # to the URI, resulting in a HTTP 500 error response. |
| 108 | + location ~ \.php(?:$|/) { |
| 109 | + # Required for legacy support |
| 110 | + rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri; |
| 111 | +
|
| 112 | + fastcgi_split_path_info ^(.+?\.php)(/.*)$; |
| 113 | + set $path_info $fastcgi_path_info; |
| 114 | +
|
| 115 | + try_files $fastcgi_script_name =404; |
| 116 | +
|
| 117 | + include fastcgi_params; |
| 118 | + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; |
| 119 | + fastcgi_param PATH_INFO $path_info; |
| 120 | + #fastcgi_param HTTPS on; |
| 121 | +
|
| 122 | + fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice |
| 123 | + fastcgi_param front_controller_active true; # Enable pretty urls |
| 124 | + fastcgi_pass php-handler; |
| 125 | +
|
| 126 | + fastcgi_intercept_errors on; |
| 127 | + fastcgi_request_buffering off; |
| 128 | + } |
| 129 | +
|
| 130 | + location ~ \.(?:css|js|svg|gif)$ { |
| 131 | + try_files $uri /index.php$request_uri; |
| 132 | + expires 6M; # Cache-Control policy borrowed from `.htaccess` |
| 133 | + access_log off; # Optional: Don't log access to assets |
| 134 | + } |
| 135 | +
|
| 136 | + location ~ \.woff2?$ { |
| 137 | + try_files $uri /index.php$request_uri; |
| 138 | + expires 7d; # Cache-Control policy borrowed from `.htaccess` |
| 139 | + access_log off; # Optional: Don't log access to assets |
| 140 | + } |
| 141 | +
|
| 142 | + location / { |
| 143 | + try_files $uri $uri/ /index.php$request_uri; |
| 144 | + } |
| 145 | + } |
83 | 146 | kind: ConfigMap |
84 | 147 | metadata: |
85 | 148 | labels: |
86 | 149 | app.kubernetes.io/instance: nextcloud |
87 | 150 | app.kubernetes.io/managed-by: Helm |
88 | 151 | app.kubernetes.io/name: nextcloud |
89 | | - helm.sh/chart: nextcloud-5.5.2 |
| 152 | + helm.sh/chart: nextcloud-6.1.0 |
90 | 153 | name: nextcloud-nginxconfig |
0 commit comments