map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 80;
server_name cloud.bankai-tech.com;
# Redirect to https version of website
return 301 https://cloud.bankai-tech.com;
# Logging
access_log /var/log/nginx/nextcloud_access.log;
error_log /var/log/nginx/nextcloud_error.log;
}
server {
listen 443 ssl http2;
server_name cloud.bankai-tech.com;
# Load TLS Certs
ssl_certificate /etc/letsencrypt/live/bankai-tech.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/bankai-tech.com/privkey.pem;
proxy_ssl_trusted_certificate /etc/letsencrypt/live/bankai-tech.com/chain.pem;
# ssl_stapling on;
# ssl_stapling_verify on;
# Logging
access_log /var/log/nginx/nextcloud_access.log;
error_log /var/log/nginx/nextcloud_error.log;
# GZIP but do not remove etag
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
# Security Headers
add_header Expect-CT "enforce, max-age=31536000";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# add_header Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),battery=(),camera=(),cross-origin-isolated=(self),display-capture=(),document-domain=(),encrypted-media=(),execution-while-not-rendered=(),execution-while-out-of-viewport=(),fullscreen=(self),geolocation=(),gyroscope=(),hid=(),idle-detection=(),magnetometer=(),microphone=(),midi=(),navigation-override=(),payment=(),picture-in-picture=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=(),web-share=(),web-share=(),clipboard-read=(self),clipboard-write=(self)";
# Allow upload of large files
client_max_body_size 10G;
# Cache
proxy_cache_key $scheme$proxy_host$request_uri;
add_header X-Cache-Status $upstream_cache_status;
client_header_buffer_size 50m;
client_body_buffer_size 50m;
client_body_timeout 300s;
# CALDAV CARDAV Discovery
rewrite ^/\.well-known/carddav https://cloud.bankai-tech.com/remote.php/dav/ redirect;
rewrite ^/\.well-known/caldav https://cloud.bankai-tech.com/remote.php/dav/ redirect;
# Connect to backend server
location / {
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
#proxy_cookie_path / "/; SameSite=strict; HTTPOnly; Secure";
proxy_pass http://192.168.4.130:8080$request_uri;
#proxy_pass http://192.168.4.109:8080;
proxy_set_header Host $host;
proxy_set_header Upgrade websocket;
proxy_set_header Connection Upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_read_timeout 300s;
#Cache
proxy_buffering on;
proxy_cache_valid 200;
proxy_cache_background_update on;
}
# Fix webfinger and nodefinger
location ^~ /.well-known/ {
return 301 /index.php$uri;
}
location ^~ /push/ {
proxy_pass http://192.168.4.130:7867/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location ^~ /metrics/ {
proxy_pass http://192.168.4.130:7868/metrics;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header Upgrade websocket;
proxy_set_header Connection Upgrade;
proxy_set_header CF-Connecting-IP $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_read_timeout 300s;
#Cache
proxy_buffering on;
proxy_cache_valid 200;
proxy_cache_background_update on;
}
}