Update for NC 28

docker-compose.yml

@@ -3,7 +3,7 @@ services:
 
   nextcloud:
     container_name: nextcloud-server
-    image: nextcloud:22-fpm
+    image: nextcloud:28-fpm
     stdin_open: true
     tty: true
     restart: always
@@ -20,7 +20,7 @@ services:
 
   cron:
     container_name: cron
-    image: nextcloud:21-fpm
+    image: nextcloud:28-fpm
     restart: always
     volumes:
       - app_data:/var/www/html

nginx.conf.sample

@@ -14,7 +14,11 @@ http {
 		server nextcloud-server:9000;
 	}
 
-
+	# Set the `immutable` cache control options only for assets with a cache busting `v` argument
+	map $arg_v $asset_immutable {
+		"" "";
+		default ", immutable";
+	}
 	include       /etc/nginx/mime.types;
 	default_type  application/octet-stream;
 
@@ -44,28 +48,82 @@ http {
 		"" $this_host;
 	}
 
+
 	server {
 		listen 80;
+		# Prevent nginx HTTP Server Detection
+		server_tokens off;
+
+		# HSTS settings
+		# WARNING: Only add the preload option once you read about
+		# the consequences in https://hstspreload.org/. This option
+		# will add the domain to a hardcoded list that is shipped
+		# in all major browsers and getting removed from this list
+		# could take several months.
+		#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
+
+		# set max upload size and increase upload timeout:
+		client_max_body_size 10G;
+		client_body_timeout 300s;
+		fastcgi_buffers 64 4K;
 
-        # Add headers to serve security related headers
+		# Enable gzip but do not remove ETag headers
+		gzip on;
+		gzip_vary on;
+		gzip_comp_level 4;
+		gzip_min_length 256;
+		gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+		gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+		# Pagespeed is not supported by Nextcloud, so if your server is built
+		# with the `ngx_pagespeed` module, uncomment this line to disable it.
+		#pagespeed off;
+
+		# The settings allows you to optimize the HTTP2 bandwidth.
+		# See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
+		# for tuning hints
+		client_body_buffer_size 512k;
+
+		# HTTP response headers borrowed from Nextcloud `.htaccess`
 		add_header Referrer-Policy                   "no-referrer"       always;
-        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
+		add_header X-Content-Type-Options            "nosniff"           always;
 		add_header X-Frame-Options                   "SAMEORIGIN"        always;
-        add_header X-Content-Type-Options nosniff;
-        add_header X-XSS-Protection "1; mode=block";
-        add_header X-Robots-Tag none;
-        add_header X-Download-Options noopen;
-        add_header X-Permitted-Cross-Domain-Policies none;
-
+		add_header X-Permitted-Cross-Domain-Policies "none"              always;
+		add_header X-Robots-Tag                      "noindex, nofollow" always;
+		add_header X-XSS-Protection                  "1; mode=block"     always;
+
+		# Remove X-Powered-By, which is an information leak
+		fastcgi_hide_header X-Powered-By;
+
+		# Set .mjs and .wasm MIME types
+		# Either include it in the default mime.types list
+		# and include that list explicitly or add the file extension
+		# only for Nextcloud like below:
+		include mime.types;
+		types {
+			text/javascript js mjs;
+			application/wasm wasm;
+		}
         	root /var/www/html;
-        client_max_body_size 10G; # 0=unlimited - set max upload size
-        fastcgi_buffers 64 4K;
 
-        gzip off;
-
-        index index.php;
-        error_page 403 /core/templates/403.php;
-        error_page 404 /core/templates/404.php;
+		# Specify how to handle directories -- specifying `/index.php$request_uri`
+		# here as the fallback means that Nginx always exhibits the desired behaviour
+		# when a client requests a path that corresponds to a directory that exists
+		# on the server. In particular, if that directory contains an index.php file,
+		# that file is correctly served; if it doesn't, then the request is passed to
+		# the front-end controller. This consistent behaviour means that we don't need
+		# to specify custom rules for certain paths (e.g. images and other assets,
+		# `/updater`, `/ocs-provider`), and thus
+		# `try_files $uri $uri/ /index.php$request_uri`
+		# always provides the desired behaviour.
+		index index.php index.html /index.php$request_uri;
+
+		# Rule borrowed from `.htaccess` to handle Microsoft DAV clients
+		location = / {
+			if ( $http_user_agent ~ ^DavClnt ) {
+				return 302 /remote.php/webdav/$is_args$args;
+			}
+		}
 
 		location = /robots.txt {
 			allow all;
@@ -73,72 +131,86 @@ http {
 			access_log off;
 		}
 
-        location ~ ^/(build|tests|config|lib|3rdparty|templates|data)/ {
-            deny all;
-        }
+		# Make a regex exception for `/.well-known` so that clients can still
+		# access it despite the existence of the regex rule
+		# `location ~ /(\.|autotest|...)` which would otherwise handle requests
+		# for `/.well-known`.
+		location ^~ /.well-known {
+			# The rules in this block are an adaptation of the rules
+			# in `.htaccess` that concern `/.well-known`.
 
-        location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
-            deny all;
-        }
+			location = /.well-known/carddav { return 301 /remote.php/dav/; }
+			location = /.well-known/caldav  { return 301 /remote.php/dav/; }
 
-        location / {
-            rewrite ^/remote/(.*) /remote.php last;
-            rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
-            try_files $uri $uri/ =404;
+			location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
+			location /.well-known/pki-validation    { try_files $uri $uri/ =404; }
+
+			# Let Nextcloud's API for `/.well-known` URIs handle all other
+			# requests by passing them to the front-end controller.
+			return 301 /index.php$request_uri;
 		}
 
-        # Uncomment the block below to use onlyoffice
-        #location ~* ^/ds-vpath/ {
-        #    rewrite /ds-vpath/(.*) /$1  break;
-        #    proxy_pass http://onlyoffice-document-server;
-        #    proxy_redirect     off;
+		# Rules borrowed from `.htaccess` to hide certain paths from clients
+		location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
+		location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }
 
-        #    client_max_body_size 100m;
+		# Ensure this block, which passes PHP files to the PHP process, is above the blocks
+		# which handle static assets (as seen below). If this block is not declared first,
+		# then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
+		# to the URI, resulting in a HTTP 500 error response.
+		location ~ \.php(?:$|/) {
+			# Required for legacy support
+			rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
 
-        #    proxy_http_version 1.1;
-        #    proxy_set_header Upgrade $http_upgrade;
-        #    # Disabled, if enable we get "Unknown error on OnlyOffice
-        #    # proxy_set_header Connection "upgrade";
+			fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+			set $path_info $fastcgi_path_info;
 
-        #    proxy_set_header Host $http_host;
-        #    proxy_set_header X-Real-IP $remote_addr;
-        #    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        #    proxy_set_header X-Forwarded-Host $the_host/ds-vpath;
-        #    # Manually set to https to avoid "Unknown error" on OnlyOffice
-        #    proxy_set_header X-Forwarded-Proto "https";
-        #}
+			try_files $fastcgi_script_name =404;
 
-        location ~ \.php(?:$|/) {
-            fastcgi_split_path_info ^(.+\.php)(/.+)$;
 			include fastcgi_params;
 			fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            fastcgi_param PATH_INFO $fastcgi_path_info;
-            fastcgi_param HTTPS off;
+			fastcgi_param PATH_INFO $path_info;
+			fastcgi_param HTTPS on;
+
 			fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
+			fastcgi_param front_controller_active true;     # Enable pretty urls
 			fastcgi_pass backend;
+
 			fastcgi_intercept_errors on;
+			fastcgi_request_buffering off;
+
+			fastcgi_max_temp_file_size 0;
 		}
 
-        # Adding the cache control header for js and css files
-        # Make sure it is BELOW the location ~ \.php(?:$|/) { block
-        location ~* \.(?:css|js)$ {
-            add_header Cache-Control "public, max-age=7200";
-            # Add headers to serve security related headers
-            add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
-            add_header X-Content-Type-Options nosniff;
-            add_header X-Frame-Options "SAMEORIGIN";
-            add_header X-XSS-Protection "1; mode=block";
-            add_header X-Robots-Tag none;
-            add_header X-Download-Options noopen;
-            add_header X-Permitted-Cross-Domain-Policies none;
-            # Optional: Don't log access to assets
-            access_log off;
+		# Serve static files
+		location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
+			try_files $uri /index.php$request_uri;
+			# HTTP response headers borrowed from Nextcloud `.htaccess`
+			add_header Cache-Control                     "public, max-age=15778463$asset_immutable";
+			add_header Referrer-Policy                   "no-referrer"       always;
+			add_header X-Content-Type-Options            "nosniff"           always;
+			add_header X-Frame-Options                   "SAMEORIGIN"        always;
+			add_header X-Permitted-Cross-Domain-Policies "none"              always;
+			add_header X-Robots-Tag                      "noindex, nofollow" always;
+			add_header X-XSS-Protection                  "1; mode=block"     always;
+			access_log off;     # Optional: Don't log access to assets
 		}
 
-        # Optional: Don't log access to other assets
-        location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$ {
-            access_log off;
+		location ~ \.woff2?$ {
+			try_files $uri /index.php$request_uri;
+			expires 7d;         # Cache-Control policy borrowed from `.htaccess`
+			access_log off;     # Optional: Don't log access to assets
+		}
+
+		# Rule borrowed from `.htaccess`
+		location /remote {
+			return 301 /remote.php$request_uri;
 		}
 
+		location / {
+			try_files $uri $uri/ /index.php$request_uri;
+		}
 	}
+
+
 }

traefik.yml

@@ -11,10 +11,11 @@ services:
       - "traefik.http.routers.nextcloud.rule=Host(`${HOST}`)"
       - "traefik.http.routers.nextcloud.tls.certresolver=myresolver"
       - "traefik.http.routers.nextcloud.entrypoints=web,websecure"
-      - "traefik.http.routers.nextcloud.middlewares=nextcloud-caldav@docker,hardening@docker"
-      - "traefik.http.middlewares.nextcloud-caldav.redirectregex.permanent=true"
-      - "traefik.http.middlewares.nextcloud-caldav.redirectregex.regex=^https://(.*)/.well-known/(card|cal)dav"
-      - "traefik.http.middlewares.nextcloud-caldav.redirectregex.replacement=https://$${1}/remote.php/dav/"
+      - "traefik.http.routers.nextcloud.middlewares=hardening@docker,nextcloud_redirectregex"
+      - "traefik.http.middlewares.nextcloud_redirectregex.redirectregex.permanent=true"
+      - "traefik.http.middlewares.nextcloud_redirectregex.redirectregex.regex=https://(.*)/.well-known/(?:card|cal)dav"
+      - "traefik.http.middlewares.nextcloud_redirectregex.redirectregex.replacement=https://$${1}/remote.php/dav"
+
 
 networks:
   traefik: