On Fri, May 17, 2019 at 06:11:08PM +0200, Bruno Flueckiger wrote:
> @@ -48,23 +48,27 @@ server "domain.tld" {
> key "/etc/ssl/private/domain.tld_private.pem"
> }
>
> + directory index index.php
> +
> # First deny access to the specified files
> - location "/.ht*" { block }
> - location "/.user*" { block }
> - location "/3rdparty*" { block }
> - location "/README" { block }
> - location "/autotest*" { block }
> - location "/build*" { block }
> - location "/config*" { block }
> - location "/console*" { block }
> - location "/data*" { block }
> - location "/db_*" { block }
> - location "/indie*" { block }
> - location "/issue*" { block }
> - location "/lib*" { block }
> - location "/occ*" { block }
> - location "/templates*" { block }
> - location "/tests*" { block }
> + location "/nextcloud/.ht*" { block }
> + location "/nextcloud/.user*" { block }
> + location "/nextcloud/3rdparty*" { block }
> + location "/nextcloud/AUTHORS" { block }
> + location "/nextcloud/COPYING" { block }
> + location "/nextcloud/config*" { block }
> + location "/nextcloud/console*" { block }
> + location "/nextcloud/data*" { block }
> + location "/nextcloud/lib*" { block }
> + location "/nextcloud/occ*" { block }
> +
> + location "/.well-known/caldav" {
> + block return 301 "https://$SERVER_NAME/nextcloud/remote.php/dav"
> + }
> +
> + location "/.well-known/carddav" {
> + block return 301 "https://$SERVER_NAME/nextcloud/remote.php/dav"
> + }
>
> location "/*.php*" {
> root "/nextcloud"
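Review bot: The rewritten deny list under `# First deny access to the specified files` is narrower than the one it replaces: the old entries for `/README`, `/autotest*`, `/build*`, `/db_*`, `/indie*`, `/issue*`, `/templates*` and `/tests*` are removed and get no `/nextcloud/`-prefixed counterpart. If any of those paths exist in the installed tree, they would presumably no longer be blocked by this list. Either carry them over, for example `location "/nextcloud/tests*" { block }` and `location "/nextcloud/templates*" { block }`, or add a comment above the list saying why they are no longer needed. The `server "domain.tld"` block starts and continues outside this hunk, so rules not visible here may already cover them.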
It is possible to run nextcloud with a block-by-default ruleset policy. For example:

block drop

# Ensure that no '*.php*' files can be fetched from these directories
location "/nextcloud/config/*" {
    block drop
}
location "/nextcloud/data/*" {
    block drop
}

# Note that this matches "*.php*" anywhere in the request path.
location "/nextcloud/*.php*" {
    root "/nextcloud"
    request strip 1
    fastcgi socket "/run/php-fpm.sock"
    pass
}

location "/nextcloud/apps/*" {
    root "/nextcloud"
    request strip 1
    pass
}

location "/nextcloud/core/*" {
    root "/nextcloud"
    request strip 1
    pass
}

location "/nextcloud/settings/*" {
    root "/nextcloud"
    request strip 1
    pass
}

location "/nextcloud" {
    block return 301 "$DOCUMENT_URI/index.php"
}

location "/nextcloud/" {
    block return 301 "$DOCUMENT_URI/index.php"
}