From f2bace207f218ac9c882078fb8e16e1f513fae9c Mon Sep 17 00:00:00 2001
From: La sif serveur <david.beniamine@tetras-libre.fr>
Date: Tue, 5 Jan 2021 14:26:48 +0000
Subject: [PATCH] Fix Nextcloud headers

---
 docker-compose.yml | 15 +++++++++++----
 nginx.conf         |  5 ++---
 2 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 8fa3cb9..f676d32 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -75,10 +75,17 @@ services:
       - "traefik.http.routers.nextcloud.rule=Host(`${HOST}`)"
       - "traefik.http.routers.nextcloud.tls.certresolver=myresolver"
       - "traefik.http.routers.nextcloud.entrypoints=web,websecure"
-      - "traefik.http.routers.nextcloud.middlewares=nextcloud@docker"
-      - "traefik.http.middlewares.nextcloud.headers.forceSTSHeader=true"
-      - "traefik.http.middlewares.nextcloud.headers.stsIncludeSubdomains=true"
-      - "traefik.http.middlewares.nextcloud.headers.stsSeconds=31536000"
+      - "traefik.http.routers.nextcloud.middlewares=nextcloud-caldav@docker,nextcloud-hardening@docker"
+      - "traefik.http.middlewares.nextcloud-caldav.redirectregex.permanent=true"
+      - "traefik.http.middlewares.nextcloud-caldav.redirectregex.regex=^https://(.*)/.well-known/(card|cal)dav"
+      - "traefik.http.middlewares.nextcloud-caldav.redirectregex.replacement=https://$${1}/remote.php/dav/"
+      - "traefik.http.middlewares.nextcloud-hardening.headers.sslredirect=true"
+      - "traefik.http.middlewares.nextcloud-hardening.headers.forceSTSHeader=true"
+      - "traefik.http.middlewares.nextcloud-hardening.headers.stsIncludeSubdomains=true"
+      - "traefik.http.middlewares.nextcloud-hardening.headers.stsSeconds=15552000"
+      - "traefik.http.middlewares.nextcloud-hardening.headers.stsPreload=true"
+      - "traefik.http.middlewares.nextcloud-hardening.headers.referrerPolicy=no-referrer"
+      - "traefik.http.middlewares.nextcloud-hardening.headers.customFrameOptionsValue=SAMEORIGIN"
 
 volumes:
   document_data:
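Review bot: The `stsSeconds=15552000` label lowers the HSTS max-age from the 31536000 the removed line carried, while the `stsPreload=true` label on the next line advertises preload; the HSTS preload list requires a max-age of at least 31536000 seconds, so as written the header cannot satisfy preload submission. The value also disagrees with the `max-age=15768000` in nginx.conf's Strict-Transport-Security line in this same commit, so clients get a different HSTS lifetime depending on which layer's header wins. Suggest `"traefik.http.middlewares.nextcloud-hardening.headers.stsSeconds=31536000"` and aligning nginx.conf to the same number. Separately, in the `redirectregex.regex` label the `.` in `/.well-known/` is an unescaped wildcard rather than a literal dot; matching it literally would need `\\.` inside the double-quoted YAML label, though in practice the looser match is unlikely to misfire.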
diff --git a/nginx.conf b/nginx.conf
index 0de695f..aacb81d 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -48,7 +48,9 @@ http {
    	listen 80;
 
         # Add headers to serve security related headers
+	add_header Referrer-Policy "no-referrer" always;
         add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
+	add_header X-Frame-Options "SAMEORIGIN" always;
         add_header X-Content-Type-Options nosniff;
         add_header X-XSS-Protection "1; mode=block";
         add_header X-Robots-Tag none;
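Review bot: The two added `add_header` lines are indented with a tab while the neighbouring directives use spaces (the `listen 80;` line above already mixes both), so the block reads unevenly in editors and diffs; re-indent them with eight spaces to match `add_header X-Content-Type-Options nosniff;`. The new headers carry `always` but the existing Strict-Transport-Security line does not, so HSTS is dropped on 4xx/5xx responses while Referrer-Policy and X-Frame-Options are kept; adding `always` to the HSTS line would make the set consistent. Referrer-Policy and X-Frame-Options are now also set by the Traefik `nextcloud-hardening` middleware introduced in this commit, so it is worth confirming whether the proxy overwrites or appends to nginx's values, since duplicated X-Frame-Options headers are not handled uniformly by browsers. The enclosing server block starts and ends outside the hunk.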
@@ -65,9 +67,6 @@ http {
         error_page 403 /core/templates/403.php;
         error_page 404 /core/templates/404.php;
 
-        rewrite ^/.well-known/carddav /remote.php/dav/ permanent;
-        rewrite ^/.well-known/caldav /remote.php/dav/ permanent;
-
         location = /robots.txt {
             allow all;
             log_not_found off;
-- 
GitLab