authorDennis Brentjes <d.brentjes@gmail.com>2016-08-28 16:08:42 +0200
committerDennis Brentjes <d.brentjes@gmail.com>2016-08-28 16:14:56 +0200
commit68515bbb478f326a252ca688fcc97f3fdc8c4f97 (patch)
tree05954f1bf339c6ad973ed07736e0d328d5fbe3db /roles/owncloud/templates
Initial commit, finally got around to cleanup and make it into a
gitrepo.
Diffstat (limited to 'roles/owncloud/templates')
-rw-r--r--roles/owncloud/templates/owncloud.j283
1 files changed, 83 insertions, 0 deletions
diff --git a/roles/owncloud/templates/owncloud.j2 b/roles/owncloud/templates/owncloud.j2
new file mode 100644
index 0000000..4410ade
--- /dev/null
+++ b/roles/owncloud/templates/owncloud.j2
@@ -0,0 +1,83 @@
+
+server {
+ include mime.types;
+ default_type application/octet-stream;
+
+ listen 444 ssl;
+ listen [::]:444 ssl;
+
+ ssl_certificate /etc/letsencrypt/live/{{ lets_encrypt_domains[0] }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ lets_encrypt_domains[0] }}/privkey.pem;
+
+ server_name www.brentj.es brentj.es www.alexstrasza.kassala.de alexstrasza.kassala.de;
+
+ # Add headers to serve security related headers
+ add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
+ add_header X-Content-Type-Options nosniff;
+ add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Robots-Tag none;
+
+ # Path to the root of your installation
+ root /usr/share/webapps/owncloud;
+ # set max upload size
+ client_max_body_size 10G;
+ fastcgi_buffers 64 4K;
+
+ # Disable gzip to avoid the removal of the ETag header
+ gzip off;
+
+ # Uncomment if your server is build with the ngx_pagespeed module
+ # This module is currently not supported.
+ #pagespeed off;
+
+ rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
+ rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
+ rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;
+
+ index index.php;
+ error_page 403 /core/templates/403.php;
+ error_page 404 /core/templates/404.php;
+
+ location = /robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+ }
+
+ location ~ ^/(?:\.htaccess|data|config|db_structure\.xml|README){
+ deny all;
+ }
+
+ location / {
+ # The following 2 rules are only needed with webfinger
+ rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
+ rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
+
+ rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
+ rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;
+
+ rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
+
+ try_files $uri $uri/ /index.php;
+ }
+
+ location ~ \.php(?:$|/) {
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ fastcgi_param HTTPS on;
+ fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
+ # Unix domain sockets are faster than TCP sockets
+ fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
+ }
+
+ # Optional: set long EXPIRES header on static assets
+ location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {
+ expires 30d;
+ # Optional: Don't log access to assets
+ access_log off;
+ }
+
+}
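Review bot: The `location ~ \.php(?:$|/)` block passes every matching URI to PHP-FPM without checking that the resolved script exists under the document root, so what actually executes depends on PHP's `cgi.fix_pathinfo` setting, which this template does not control. Because this vhost serves an application that stores user-uploaded files, nginx should reject non-existent scripts itself: add `set $path_info $fastcgi_path_info;` and `try_files $fastcgi_script_name =404;` after `fastcgi_split_path_info`, and change the PATH_INFO line to `fastcgi_param PATH_INFO $path_info;`. The variable is saved first because `try_files` resets `$fastcgi_path_info`, which the `remote.php/...` endpoints rely on. Separately, `server_name` hard-codes four hostnames on two domains while the certificate path uses only `lets_encrypt_domains[0]`; confirm that this certificate lists all four names, or derive `server_name` from the same variable.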