From ed37b759286a1989ee3830b0268134a177303d23 Mon Sep 17 00:00:00 2001
From: lassulus <lass@aidsballs.de>
Date: Sat, 9 Apr 2016 21:20:35 +0200
Subject: l 4: update owncloud config to solve errors

---
 lass/4lib/default.nix | 98 +++++++++++++++++++++++++++++++++++++--------------
 1 file changed, 72 insertions(+), 26 deletions(-)

(limited to 'lass/4lib')

diff --git a/lass/4lib/default.nix b/lass/4lib/default.nix
index d4531389..4d3adfd1 100644
--- a/lass/4lib/default.nix
+++ b/lass/4lib/default.nix
@@ -74,43 +74,89 @@ rec {
           "${domain}"
           "www.${domain}"
         ];
+        extraConfig = ''
+          # Add headers to serve security related headers
+          add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
+          add_header X-Content-Type-Options nosniff;
+          add_header X-Frame-Options "SAMEORIGIN";
+          add_header X-XSS-Protection "1; mode=block";
+          add_header X-Robots-Tag none;
+
+          # Path to the root of your installation
+          root /srv/http/${domain}/;
+          # set max upload size
+          client_max_body_size 10G;
+          fastcgi_buffers 64 4K;
+
+          # Disable gzip to avoid the removal of the ETag header
+          gzip off;
+
+          # Uncomment if your server is build with the ngx_pagespeed module
+          # This module is currently not supported.
+          #pagespeed off;
+
+          index index.php;
+          error_page 403 /core/templates/403.php;
+          error_page 404 /core/templates/404.php;
+
+          rewrite ^/.well-known/carddav /remote.php/carddav/ permanent;
+          rewrite ^/.well-known/caldav /remote.php/caldav/ permanent;
+
+          # The following 2 rules are only needed for the user_webfinger app.
+          # Uncomment it if you're planning to use this app.
+          rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
+          rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
+        '';
         locations = [
-          (nameValuePair "/" ''
-            # The following 2 rules are only needed with webfinger
-            rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
-            rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
+          (nameValuePair "/robots.txt" ''
+            allow all;
+            log_not_found off;
+            access_log off;
+          '')
+          (nameValuePair "~ ^/(build|tests|config|lib|3rdparty|templates|data)/" ''
+            deny all;
+          '')
 
-            rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
-            rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;
+          (nameValuePair "~ ^/(?:autotest|occ|issue|indie|db_|console)" ''
+            deny all;
+          '')
 
+          (nameValuePair "/" ''
+            rewrite ^/remote/(.*) /remote.php last;
             rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
-
-            try_files $uri $uri/ /index.php;
+            try_files $uri $uri/ =404;
           '')
-          (nameValuePair "~ \.php$" ''
+
+          (nameValuePair "~ \.php(?:$|/)" ''
             fastcgi_split_path_info ^(.+\.php)(/.+)$;
-            include ${pkgs.nginx}/conf/fastcgi.conf;
+            include ${pkgs.nginx}/conf/fastcgi_params;
+            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
             fastcgi_param PATH_INFO $fastcgi_path_info;
+            fastcgi_param HTTPS on;
+            fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
             fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
+            fastcgi_intercept_errors on;
           '')
-        ];
-        extraConfig = ''
-          root /srv/http/${domain}/;
-          #index index.php;
-          access_log /tmp/nginx_acc.log;
-          error_log /tmp/nginx_err.log;
-
-          # set max upload size
-          client_max_body_size 10G;
-          fastcgi_buffers 64 4K;
 
-          rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
-          rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
-          rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;
+          # Adding the cache control header for js and css files
+          # Make sure it is BELOW the location ~ \.php(?:$|/) { block
+          (nameValuePair "~* \.(?:css|js)$" ''
+            add_header Cache-Control "public, max-age=7200";
+            # Add headers to serve security related headers
+            add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
+            add_header X-Content-Type-Options nosniff;
+            add_header X-Frame-Options "SAMEORIGIN";
+            add_header X-XSS-Protection "1; mode=block";
+            add_header X-Robots-Tag none;
+            # Optional: Don't log access to assets
+            access_log off;
+          '')
 
-          error_page 403 /core/templates/403.php;
-          error_page 404 /core/templates/404.php;
-        '';
+          # Optional: Don't log access to other assets
+          (nameValuePair "~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$" ''
+            access_log off;
+          '')
+        ];
       };
       services.phpfpm.poolConfigs."${domain}" = ''
         listen = /srv/http/${domain}/phpfpm.pool
-- 
cgit v1.2.3