sync roles with changes from OWS

2023-10-21 13:13:20 +00:00
parent e14271eab0
commit ccd75528ed
43 changed files with 479 additions and 107 deletions
--- a/roles/webserver/templates/conf.d/cloud.conf.j2
+++ b/roles/webserver/templates/conf.d/cloud.conf.j2
@@ -22,7 +22,10 @@ server {
 server {
    listen 443 ssl;
    listen [::]:443 ssl;
-    http2 on;
+    # Enable QUIC and HTTP/3.
+    listen 443 quic;
+    listen [::]:443 quic;
+
    server_name {{ nextcloud_domain_name }} www.{{ nextcloud_domain_name }};
    include global/cert.conf;

@@ -35,7 +38,7 @@ server {
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
-    add_header Strict-Transport-Security "max-age=63072000" always;
+    add_header Strict-Transport-Security "max-age=15768000; preload" always;

    # set max upload size and increase upload timeout:
    client_max_body_size {{ nextcloud_max_upload_size }};
@@ -68,6 +71,10 @@ server {
    add_header X-Robots-Tag                      "noindex, nofollow" always;
    add_header X-XSS-Protection                  "1; mode=block"     always;

+    # Add Alt-Svc header to negotiate HTTP/3.
+    add_header Alt-Svc 'h2=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400' always;
+    add_header x-quic 'h3' always;
+
    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;