mother-docker-projects/nextcloud-knusperkerne
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
738fb9f993f68a8bfec021cc13de85cd15beb9e4
nextcloud-knusperkerne/nginx/README.md
Lars Klemstein 738fb9f993 version 1
2025-11-20 22:42:30 +01:00

83 lines
3.6 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Nextcloud NGINX Default Configuration Documentation
This README describes the exact behavior and requirements of the NGINX configuration file `default.conf` used to serve a standalone Nextcloud instance behind a reverse proxy. The documentation is intentionally written so that an AI can regenerate the correct `default.conf` **from this README alone**. The output must always be a working Nextcloud NGINX configuration without deviation.
## PURPOSE
This configuration provides a secure, reverse-proxy-compatible NGINX frontend for Nextcloud with PHP-FPM. It ensures:
- Clean routing via `index.php`
- No rewrite loops
- Correct handling of `.mjs` MIME type
- Compatibility with `/ocs` API endpoints
- Secure static asset handling and caching
- Protection of internal folders
- No directory listing
- Works behind an existing TLS reverse proxy
- Fully functional Dashboard and Apps
## REQUIRED PROPERTIES
A correct generated configuration MUST:
- Include exactly ONE `server { ... }` block
- Use `listen 8080;`
- Use `server_name _;`
- Set `root /var/www/html;`
- Use `try_files $uri $uri/ /index.php?$request_uri;` for main routing
- Use `fastcgi_pass nextcloud-fpm-v1:9000;` for PHP handling
- Include PHP entry location for `index.php`, `remote.php`, `public.php`, `ocs.php`, `ocs-provider.php`, `cron.php`
- Include a separate `/ocs/` handler BEFORE the PHP blocks
- Include MIME fix for `.mjs`
- Deny access to `config`, `data`, `lib`, `3rdparty`, etc.
- Block generic `.php` execution
- Allow static files caching
- Work with rewrite base `/`
- NOT configure TLS (handled externally)
- NOT include proxy headers inside this config
- Be valid under `nginx -t`
## FILE LOCATION REQUIREMENTS
- Filename: `default.conf`
- Must be mounted into NGINX container as `/etc/nginx/conf.d/default.conf`
- File must NOT include other config files via `include`
## NO AUTO REDIRECTS TO PORT 8080
The configuration must not cause browsers to redirect to `https://host:8080`. It must work normally when served over reverse proxy.
## SECURITY REQUIREMENTS
- Deny access to internal folders:
`/config`, `/data`, `/templates`, `/tests`, `/lib`, `/build`, `/3rdparty`
- Deny access to CLI entrypoints like `/occ`
- Disable execution of arbitrary `.php` files
- Allow only approved PHP entry scripts
## MUST-HAVE SECTIONS
1. Basic server declaration
2. Security headers
3. Well-known redirects for CalDAV/CardDAV
4. Root route using `try_files`
5. Allowed PHP routing
6. `/ocs/` API passthrough
7. Static file handlers
8. `.mjs` MIME type fix
## ROUTING BEHAVIOR
| URL Example | Must Result |
|-------------------------------------------|--------------------------------------|
| `/apps/dashboard/` | Render dashboard, no 403 |
| `/ocs/v2.php/apps/user_status/api/v1/*` | Must NOT return 404 or 500 |
| `/remote.php/dav/` | Must work |
| `/index.php/...` | Must work |
| `/favicon.ico` | 200 or cached |
## NO CHANGES ALLOWED
These things MUST NOT be modified:
- No gzip or brotli here
- No `proxy_set_header` here
- No HTTPS config
- No HTTP → HTTPS redirects
## GUARANTEE
If an AI uses ONLY this README as input, the result MUST be a valid, production-ready NGINX `default.conf` for Nextcloud that passes all tests above and prevents:
- `rewrite or internal redirection cycle` errors
- `403 forbidden` on `/apps/dashboard`
- `500` errors on `/ocs/v2.php`
- MIME type warnings for `.mjs`
- Looping on `/index.php/index.php`
Reference in New Issue View Git Blame Copy Permalink