In einem anderen Artikel zeige ich eine optimierte Konfiguration für ownCloud.

Diese Config bietet folgende Features:

  • HTTPS mit HTTP/2 (dafür braucht es u. U. einen aktuellen, selbst kompilierten nginx; hier läuft 1.9.11 mit ngx_pagespeed)
  • Automatische Umleitung auf SSL
  • maximale Größe einer Datei beim Upload: 10 GB
  • .well-known Adresse für die bequeme Einrichtung von Cal- und Card-DAV Apps
  • Zugriff verbieten auf interne Bereiche von ownCloud (z.B. config)
  • Dateien werden direkt heruntergeladen (X-ACCEL-REDIRECT) ohne über php geschleust zu werden
  • Caching für Bilder, CSS, JS usw.
  • Sichere Header für SSL und Frames (Strict-Transport-Security, X-Frame-Options)
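server {
  # Plain-HTTP listener: its only job is to send every request to HTTPS.
  listen 31.172.113.115:80;
  server_name cloud.ovtec.it;

  root /var/www/default;

  # Redirect to the configured $server_name rather than the client-supplied
  # Host header, so the request cannot influence the redirect target.
  # $request_uri already contains the original path and query string.
  return 301 https://$server_name$request_uri;

  # NOTE(review): the unconditional redirect above answers every request
  # before location matching takes place, so this deny rule is never
  # evaluated in this server block. A rule like this only has an effect in
  # the server block that actually serves files (the HTTPS one).
  location ~ /\.(svn|git) { deny all; }

  #access_log off;
  access_log /var/log/nginx/cloud.ovtec.it_access.log;
  error_log /var/log/nginx/cloud.ovtec.it_error.log;
}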

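server {
  # HTTPS virtual host that serves ownCloud.
  listen 31.172.113.115:443 ssl http2;
  server_name cloud.ovtec.it;

  root /var/www/cloud.ovtec.it/;

  #pagespeed off;
  # NOTE(review): the contents of pagespeed-include.conf are not shown here;
  # verify that it does not rewrite or cache authenticated ownCloud responses.
  include pagespeed-include.conf;

  # Uploads of up to 10 GB are accepted. Request bodies of that size are
  # spooled to disk, so the temp path needs matching free space.
  client_max_body_size 10G;
  client_header_buffer_size 64k;
  large_client_header_buffers 4 64k;
  fastcgi_buffers 64 4K;
  gzip off;

  # Short DAV aliases, redirected to the real endpoints under remote.php.
  rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
  rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
  rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;

  index index.php;
  error_page 403 /core/templates/403.php;
  error_page 404 /core/templates/404.php;

  location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
  }

  # Block direct web access to ownCloud internals that live in the web root.
  # Requests under /data do not end up here: the "^~ /data" prefix location
  # further down takes precedence over regex locations, so /data is protected
  # by "internal" there, not by this rule.
  location ~ ^/(?:\.htaccess|data|config|db_structure\.xml|README){
    deny all;
  }

  location / {
    # The following 2 rules are only needed with webfinger.
    # The .json rule has to come first: the plain host-meta pattern has no
    # end anchor, so it also matches host-meta.json, and "last" stops any
    # further rewrite processing in this location.
    rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
    rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    # Service discovery for CardDAV/CalDAV clients.
    rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
    rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;
    rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
    # Anything that is not an existing file or directory goes to index.php.
    try_files $uri $uri/ /index.php;
  }

  # Every URI containing ".php" followed by "/" or the end of the string is
  # passed to PHP-FPM.
  # NOTE(review): nothing in this location checks that the resolved script
  # exists below the document root. If a non-PHP file inside the web root can
  # ever be written by a user, this relies on PHP-FPM refusing it: confirm
  # that security.limit_extensions is left at ".php" in the pool config and
  # review cgi.fix_pathinfo in php.ini.
  location ~ \.php(?:$|/) {
    # Split "/script.php/extra/path" into script name and PATH_INFO.
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    # Tell PHP that the request arrived over TLS.
    fastcgi_param HTTPS on;
    fastcgi_intercept_errors on;
    fastcgi_pass unix:/var/run/php5-fpm-owncloud.sock;
    #fastcgi_pass unix:/var/run/php7-fpm-owncloud.sock;
    # Lets ownCloud hand file downloads back to nginx via X-Accel-Redirect
    # instead of streaming them through PHP.
    fastcgi_param MOD_X_ACCEL_REDIRECT_ENABLED on;
  }

  # Deny version-control metadata in the web root. The same rule exists in
  # the port-80 server block, where it never runs because every request is
  # redirected first. It is placed after the PHP location on purpose: regex
  # locations are tried in order, so DAV paths below remote.php that contain
  # such directory names are still handled by PHP.
  location ~ /\.(svn|git) { deny all; }

  # Target for X-Accel-Redirect: maps /data to the data directory outside the
  # web root. "internal" makes this location unreachable for client requests;
  # only internal redirects issued by the backend are served from here.
  location ^~ /data {
    internal;
    alias /srv/owncloud-data;
  }

  # Browser caching for static assets.
  location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {
    expires 30d;
    access_log off;
  }

  #access_log off;
  access_log /var/log/nginx/cloud.ovtec.it_access.log;
  error_log /var/log/nginx/cloud.ovtec.it_error.log;

  # "always" sends the headers on error responses as well; without it nginx
  # adds them only to a fixed set of success and redirect status codes.
  # $hsts_header is not defined in this block; presumably it is set by a map
  # in the http context - confirm that it exists and carries a max-age.
  # These server-level headers are no longer inherited by a location as soon
  # as that location declares an add_header of its own.
  add_header Strict-Transport-Security $hsts_header always;
  add_header X-Frame-Options SAMEORIGIN always;

  # NOTE(review): no ssl_protocols / ssl_ciphers are set in this block;
  # presumably they come from the http context - confirm.
  # The key belongs to a wildcard certificate, so it covers every subdomain;
  # keep the key file readable by root only.
  ssl_certificate ssl/wildcard_ovtec.it-bundle.crt;
  ssl_certificate_key ssl/wildcard_ovtec.it.key;
}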