Hello,
In case someone needs it: the attached httpd config passes all
path checks in the Nextcloud "Security and setup warnings"
section.
-- 
Best regards
Maksim Rodin
# Plain-HTTP file server for the PXE boot tree.
# As the first server section it also answers port-80 requests whose Host
# header matches no other server name.
server "default" {
        # "*" binds every local address, not only an internal interface.
        # NOTE(review): if /pxeboot is meant for the LAN only, confirm that
        # listening on all addresses (including the egress one) is intended.
        listen on * port 80

        # Generates a browsable listing for directories that have no index file.
        directory auto index
        # Path is relative to httpd's chroot directory, not the filesystem root.
        root "/pxeboot"
}

# Port-80 listener for the Nextcloud host name: serves no content and only
# redirects to the HTTPS server below.
server "nc.domain.tld" {
        listen on egress port 80
        # The redirect target is built from the configured server name
        # ($SERVER_NAME) plus the requested URI.
        block return 301 "https://$SERVER_NAME$REQUEST_URI";
}

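# HTTPS server for Nextcloud, installed under the /nextcloud URL prefix.
# Layout: deny everything by default ("block drop"), then allow-list the
# PHP entry points (handed to php-fpm) and the static asset trees.
# The first matching location wins, so the order of the rules matters.
server "nc.domain.tld" {
        listen on egress tls port 443
        # directory index index.php

        # HSTS lifetime in seconds: 15768000 s = 182.5 days.
        # Neither "subdomains" nor "preload" is set, so the policy covers
        # this host name only.
        hsts max-age 15768000

        tls {
                certificate "/etc/letsencrypt/live/domain.tld/fullchain.pem"
                key "/etc/letsencrypt/live/domain.tld/privkey.pem"
        }

        # Set max upload size to 513M (in bytes): 513 * 1024 * 1024
        connection max request body 537919488
        connection max requests 1000
        # NOTE(review): one-hour timeouts combined with a 513M body limit let
        # a slow or idle client hold a connection for a long time; confirm
        # they are no higher than large uploads actually need.
        connection request timeout 3600
        connection timeout 3600

        # Default deny: a request that matches none of the locations below is
        # dropped without a response. No rule covers /nextcloud/config or
        # /nextcloud/data, so those paths are never served.
        block drop

        # only allow well-known and required php files for fastcgi
        # required for the webpage to work
        # The trailing "*" also admits path info after the script name
        # (index.php/...). The socket path is relative to httpd's chroot.
        location "/nextcloud/index.php*" {
                root "/nextcloud"
                request strip 1
                fastcgi socket "/run/php-fpm.sock"
                pass
        }

        location "/nextcloud/public.php*" {
                root "/nextcloud"
                request strip 1
                fastcgi socket "/run/php-fpm.sock"
                pass
        }

        # required for caldav and carddav
        location "/nextcloud/remote.php*" {
                root "/nextcloud"
                request strip 1
                fastcgi socket "/run/php-fpm.sock"
                pass
        }

        # required for the sync app
        # Exact match only: no wildcard, so no path info is accepted here.
        location "/nextcloud/status.php" {
                root "/nextcloud"
                request strip 1
                fastcgi socket "/run/php-fpm.sock"
                pass
        }

        # Static asset trees (apps, dist, core). These locations have no
        # fastcgi directive, so files are returned as-is.
        # NOTE(review): a .php file requested under these prefixes would
        # presumably be sent as plain text rather than executed; confirm
        # that no installed app keeps anything sensitive in such a file.
        location "/nextcloud/apps/*" {
                root "/nextcloud"
                request strip 1
                pass
        }

        location "/nextcloud/dist/*" {
                root "/nextcloud"
                request strip 1
                pass
        }

        location "/nextcloud/core/*" {
                root "/nextcloud"
                request strip 1
                pass
        }

        # Exact matches for the installation root, with and without the
        # trailing slash.
        location "/nextcloud" {
                root "/nextcloud"
                request strip 1
                pass
        }

        location "/nextcloud/" {
                root "/nextcloud"
                request strip 1
                pass
        }

        # Service-discovery redirects. Targets are built from the configured
        # server name ($SERVER_NAME).
        location "/.well-known/carddav" {
                block return 301 "https://$SERVER_NAME/nextcloud/remote.php/dav";
        }

        location "/.well-known/caldav" {
                block return 301 "https://$SERVER_NAME/nextcloud/remote.php/dav";
        }

        # The next two redirect targets were split across two lines by mail
        # wrapping in the original post; directive and URL must share a line.
        location "/.well-known/webfinger" {
                block return 301 "https://$SERVER_NAME/nextcloud/index.php/.well-known/webfinger";
        }

        location "/.well-known/nodeinfo" {
                block return 301 "https://$SERVER_NAME/nextcloud/index.php/.well-known/nodeinfo";
        }

        # NOTE(review): index.php is the directory index here, but this
        # location has no fastcgi directive, so it looks as if the file would
        # be served statically instead of being run by php-fpm; confirm.
        location "/nextcloud/ocs-provider/*" {
                root "/nextcloud"
                request strip 1
                directory index index.php
                pass
        }
        # Internal rewrite: the request is re-evaluated as an index.php
        # request with the original URI appended as path info.
        location "/nextcloud/ocm-provider/*" {
                request rewrite "/nextcloud/index.php$REQUEST_URI"
        }
}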

# Load the system file-extension-to-MIME-type table, used to set the
# Content-Type of files the servers above return.
types {
    include "/usr/share/misc/mime.types"
}
