[enh] Update NGINX configuration to fit ownCloud manual one

10 years ago · 7e84973334
2 changed files with 79 additions and 47 deletions
--- a/README.md
+++ b/README.md
@ -28,7 +28,6 @@ or from the Web administration:

 ## TODO

- * Update NGINX configuration to fix security issues
 * Rewrite the upgrade script and update backup/restore too
 * Test the upgrade from the current official package
 * Develop an app to integrate SSOwat logout - see
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@ -1,58 +1,91 @@
 location #LOCATION# {
-    alias #DESTDIR#;
-    if ($scheme = http) {
-        rewrite ^ https://$server_name$request_uri? permanent;
-    }
-
-    #fastcgi_buffers 64 4K;
-
-    rewrite ^#PATH#/caldav(.*)$ #PATH#/remote.php/caldav$1 redirect;
-    rewrite ^#PATH#/carddav(.*)$ #PATH#/remote.php/carddav$1 redirect;
-    rewrite ^#PATH#/webdav(.*)$ #PATH#/remote.php/webdav$1 redirect;
-
-    error_page 403 #PATH#/core/templates/403.php;
-    error_page 404 #PATH#/core/templates/404.php;
-
-    rewrite ^#PATH#/.well-known/host-meta #PATH#/public.php?service=host-meta last;
-    rewrite ^#PATH#/.well-known/host-meta.json #PATH#/public.php?service=host-meta-json last;
-
-    rewrite ^#PATH#/.well-known/carddav #PATH#/remote.php/carddav/ redirect;
-    rewrite ^#PATH#/.well-known/caldav #PATH#/remote.php/caldav/ redirect;
-
-    rewrite ^(#PATH#/core/doc/[^\/]+/)$ $1/index.html;
-
-    client_max_body_size 10G;
-    index index.php;
-    try_files $uri $uri/ /index.php;
-    location ~ [^/]\.php(/|$) {
-       fastcgi_split_path_info ^(.+?\.php)(/.*)$;
-       fastcgi_pass unix:/var/run/php5-fpm-#APP#.sock;
-       include fastcgi_params;
-       fastcgi_param REMOTE_USER $remote_user;
-       fastcgi_param PATH_INFO $fastcgi_path_info;
-       fastcgi_param HTTPS on;
-       fastcgi_param SCRIPT_FILENAME $request_filename;
-       fastcgi_param modHeadersAvailable true;
-       fastcgi_buffers 64 4K;
-    }
-    location ~ robots\.txt {
-        allow all;
-        log_not_found off;
-        access_log off;
-    }
-    gzip off;
+  alias #DESTDIR#;

+  if ($scheme = http) {
+    rewrite ^ https://$server_name$request_uri? permanent;
+  }
+
+  # Add headers to serve security related headers
+  add_header Strict-Transport-Security "max-age=15768000;";
+  add_header X-Content-Type-Options nosniff;
+  add_header X-Frame-Options "SAMEORIGIN";
+  add_header X-XSS-Protection "1; mode=block";
+  add_header X-Robots-Tag none;
+  add_header X-Download-Options noopen;
+  add_header X-Permitted-Cross-Domain-Policies none;
+
+  # Set max upload size
+  client_max_body_size 10G;
+
+  # Disable gzip to avoid the removal of the ETag header
+  gzip off;
+
+  # Index and errors pages
+  index index.php;
+  error_page 403 #PATH#/core/templates/403.php;
+  error_page 404 #PATH#/core/templates/404.php;
+
+  # Rules for served well-known paths
+  rewrite ^#PATH#/.well-known/carddav #PATH#/remote.php/dav/ permanent;
+  rewrite ^#PATH#/.well-known/caldav #PATH#/remote.php/dav/ permanent;
+
+  # The following 2 rules are only needed for the user_webfinger app.
+  # Uncomment it if you're planning to use this app.
+  #rewrite ^#PATH#/.well-known/host-meta #PATH#/public.php?service=host-meta last;
+  #rewrite ^#PATH#/.well-known/host-meta.json #PATH#/public.php?service=host-meta-json last;
+
+  # Other rewrite rules
+  rewrite ^#PATH#/remote/(.*) /remote.php last;
+  rewrite ^(#PATH#/core/doc/[^\/]+/)$ $1/index.html;
+
+  # Catch unknown files
+  try_files $uri $uri/ =404;
+
+  location = #PATH#/robots.txt {
+    allow all;
+    log_not_found off;
+    access_log off;
+  }
+
+  location ~ \.php(?:$|/) {
+    fastcgi_split_path_info ^(.+\.php)(/.+)$;
+    include fastcgi_params;
+    fastcgi_buffers 64 4K;
+    fastcgi_param SCRIPT_FILENAME $request_filename;
+    fastcgi_param PATH_INFO $fastcgi_path_info;
+    fastcgi_param HTTPS on;
+    fastcgi_param modHeadersAvailable true;
+    fastcgi_param REMOTE_USER $remote_user;
+    fastcgi_pass unix:/var/run/php5-fpm-#APP#.sock;
+  }
+
+  # Adding the cache control header for js and css files
+  location ~* \.(?:css|js)$ {
+    add_header Cache-Control "public, max-age=7200";
    # Add headers to serve security related headers
    add_header Strict-Transport-Security "max-age=15768000;";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
+    add_header X-Download-Options noopen;
+    add_header X-Permitted-Cross-Domain-Policies none;
+    # Optional: Don't log access to assets
+    access_log off;
+  }
+
+  # Optional: Don't log access to other assets
+  location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$ {
+    access_log off;
+  }

-    # show YunoHost panel access
-    include conf.d/yunohost_panel.conf.inc;
+  # show YunoHost panel access
+  include conf.d/yunohost_panel.conf.inc;
 }

-location ~ ^#PATH#/(data|config|\.ht|db_structure\.xml|README) {
-      deny all;
+location ~ ^#PATH#/(build|tests|config|lib|3rdparty|templates|data)/ {
+  deny all;
+}
+location ~ ^#PATH#/(?:\.|autotest|occ|issue|indie|db_|console) {
+  deny all;
 }