# Run as a less privileged user for security reasons. user nginx; # #worker_threads to run; # "auto" sets it to the #CPU_cores available in the system, and # offers the best performance. worker_processes auto; events { worker_connections 1024; } http { # upstream backend { # server nextcloud; # } server { listen 80; server_name cloud.stoopid.club; server_tokens off; location /.well-known/acme-challenge/ { root /var/www/certbot; } location / { return 301 https://$host$request_uri; } } server { # Hide nginx version information. server_tokens off; listen 443 ssl default_server; server_name cloud.stoopid.club; root /usr/share/nginx/html; include /etc/nginx/mime.types; ssl_certificate /etc/letsencrypt/live/cloud.stoopid.club/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/cloud.stoopid.club/privkey.pem; include /etc/letsencrypt/options-ssl-nginx.conf; ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # location / { # try_files $uri $uri/ /index.html; # } gzip on; gzip_vary on; gzip_http_version 1.0; gzip_comp_level 5; gzip_types application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component; gzip_proxied no-cache no-store private expired auth; gzip_min_length 256; gunzip on; location @nextcloud { proxy_pass http://nextcloud; } location / { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Host $host; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; client_max_body_size 0; # default is 1M proxy_connect_timeout 10m; proxy_send_timeout 10m; proxy_read_timeout 10m; send_timeout 10m; try_files /dev/null @nextcloud; } } # server { # server_name cloud.stoopid.club; # # Hide nginx version information. # server_tokens off; # # listen 443 ssl http2; # listen [::]:443 ssl http2; # ssl_session_timeout 1d; # ssl_session_cache shared:MozSSL:10m; # about 40000 sessions # ssl_session_tickets off; # # # ssl_trusted_certificate /etc/letsencrypt/live/cloud.stoopid.club/chain.pem; # ssl_certificate /etc/letsencrypt/live/cloud.stoopid.club/fullchain.pem; # ssl_certificate_key /etc/letsencrypt/live/cloud.stoopid.club/privkey.pem; ## include /etc/letsencrypt/options-ssl-nginx.conf; # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # ## ssl_protocols TLSv1.2 TLSv1.3; ## ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; ## ssl_prefer_server_ciphers off; ## # In case of an old server with an OpenSSL version of 1.0.2 or below, ## # leave only prime256v1 or comment out the following line. ## ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1; ## ssl_stapling on; ## ssl_stapling_verify on; # # gzip_vary on; # gzip_proxied any; # gzip_comp_level 6; # gzip_buffers 16 8k; # gzip_http_version 1.1; # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml; # # proxy_http_version 1.1; # proxy_set_header Upgrade $http_upgrade; # proxy_set_header Connection "upgrade"; # proxy_set_header Host $http_host; # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # # location @nextcloud { # proxy_pass http://backend; # } # # location / { # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # proxy_set_header Host $host; # proxy_set_header X-Real-IP $remote_addr; # # client_max_body_size 0; # default is 1M # # proxy_connect_timeout 10m; # proxy_send_timeout 10m; # proxy_read_timeout 10m; # send_timeout 10m; # # try_files /dev/null @nextcloud; # } # # ## location ~ ^/(media|proxy) { ## proxy_cache pleroma_media_cache; ## slice 1m; ## proxy_cache_key $host$uri$is_args$args$slice_range; ## proxy_set_header Range $slice_range; ## proxy_cache_valid 200 206 301 304 1h; ## proxy_cache_lock on; ## proxy_ignore_client_abort on; ## proxy_buffering on; ## chunked_transfer_encoding on; ## proxy_pass http://pleroma:4000/; ## } # # # # ## root /usr/share/nginx/html; ## include /etc/nginx/mime.types; ## ## ## location / { ## proxy_http_version 1.1; ## proxy_set_header Upgrade $http_upgrade; ## proxy_set_header Connection "upgrade"; ## proxy_read_timeout 300; # Some requests take more than 30 seconds. ## proxy_connect_timeout 300; # Some requests take more than 30 seconds. ## proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; ## proxy_set_header X-Forwarded-Proto $scheme; ## proxy_set_header Host $http_host; ## proxy_redirect off; ## proxy_pass http://pleroma:4000/; ## } ## ### map $remote_addr $proxy_forwarded_elem { ### # IPv4 addresses can be sent as-is ### ~^[0-9.]+$ "for=$remote_addr"; ### ### # IPv6 addresses need to be bracketed and quoted ### ~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\""; ### ### # Unix domain socket names cannot be represented in RFC 7239 syntax ### default "for=unknown"; ### } ### ### map $http_forwarded $proxy_add_forwarded { ### # If the incoming Forwarded header is syntactically valid, append to it ### "~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem"; ### ### # Otherwise, replace it ### default "$proxy_forwarded_elem"; ### } ## ### proxy_set_header Forwarded $proxy_add_forwarded; ### proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; ## ## gzip on; ## gzip_vary on; ## gzip_http_version 1.0; ## gzip_comp_level 5; ## gzip_types ## application/atom+xml ## application/javascript ## application/json ## application/rss+xml ## application/vnd.ms-fontobject ## application/x-font-ttf ## application/x-web-app-manifest+json ## application/xhtml+xml ## application/xml ## font/opentype ## image/svg+xml ## image/x-icon ## text/css ## text/plain ## text/x-component; ## gzip_proxied no-cache no-store private expired auth; ## gzip_min_length 256; ## gunzip on; # } include /etc/nginx/conf.d/*.conf; }