disable QUIC and HTTP/3

Add .wasm file extension for javascript
Add .mjs file extension for javascript
2024-03-01 07:18:40 +00:00 · 2024-03-01 07:18:18 +00:00 · 2024-02-11 11:24:03 +00:00
1 changed files with 35 additions and 23 deletions
--- a/roles/webserver/templates/conf.d/cloud.conf.j2
+++ b/roles/webserver/templates/conf.d/cloud.conf.j2
@@ -7,24 +7,24 @@ upstream nextcloud-notify-push {
 # Set the `immutable` cache control options only for assets with a cache busting `v` argument
 map $arg_v $asset_immutable {
    "" "";
-    default "immutable";
+    default ", immutable";
 }

-
 server {
    listen 80;
    listen [::]:80;
    server_name {{ nextcloud_domain_name }} www.{{ nextcloud_domain_name }};
-    # enforce https
+
+    # Prevent nginx HTTP Server Detection
+    server_tokens off;
+
+    # Enforce HTTPS
    return 301 https://$server_name$request_uri;
 }

 server {
    listen 443 ssl;
    listen [::]:443 ssl;
-    # Enable QUIC and HTTP/3.
-    listen 443 quic;
-    listen [::]:443 quic;

    server_name {{ nextcloud_domain_name }} www.{{ nextcloud_domain_name }};
    include global/cert.conf;
@@ -32,6 +32,9 @@ server {
    # Path to the root of your installation
    root {{ nextcloud_dir }};

+    # Prevent nginx HTTP Server Detection
+    server_tokens off;
+
    # HSTS settings
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
@@ -51,33 +54,38 @@ server {
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
-    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+    gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    # Pagespeed is not supported by Nextcloud, so if your server is built
    # with the `ngx_pagespeed` module, uncomment this line to disable it.
    #pagespeed off;

-    # The settings allows you to optimize the HTTP2 bandwitdth.
+    # The settings allows you to optimize the HTTP2 bandwidth.
    # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
-    # for tunning hints
+    # for tuning hints
    client_body_buffer_size 512k;

    # HTTP response headers borrowed from Nextcloud `.htaccess`
    add_header Referrer-Policy                   "no-referrer"       always;
    add_header X-Content-Type-Options            "nosniff"           always;
-    add_header X-Download-Options                "noopen"            always;
    add_header X-Frame-Options                   "SAMEORIGIN"        always;
    add_header X-Permitted-Cross-Domain-Policies "none"              always;
    add_header X-Robots-Tag                      "noindex, nofollow" always;
    add_header X-XSS-Protection                  "1; mode=block"     always;

-    # Add Alt-Svc header to negotiate HTTP/3.
-    add_header Alt-Svc 'h2=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400' always;
-    add_header x-quic 'h3' always;
-
    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

+    # Set .mjs and .wasm MIME types
+    # Either include it in the default mime.types list
+    # and include that list explicitly or add the file extension
+    # only for Nextcloud like below:
+    include mime.types;
+    types {
+        text/javascript js mjs;
+	application/wasm wasm;
+    }
+
    # Specify how to handle directories -- specifying `/index.php$request_uri`
    # here as the fallback means that Nginx always exhibits the desired behaviour
    # when a client requests a path that corresponds to a directory that exists
@@ -85,7 +93,7 @@ server {
    # that file is correctly served; if it doesn't, then the request is passed to
    # the front-end controller. This consistent behaviour means that we don't need
    # to specify custom rules for certain paths (e.g. images and other assets,
-    # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
+    # `/updater`, `/ocs-provider`), and thus
    # `try_files $uri $uri/ /index.php$request_uri`
    # always provides the desired behaviour.
    index index.php index.html /index.php$request_uri;
@@ -132,7 +140,7 @@ server {
    # to the URI, resulting in a HTTP 500 error response.
    location ~ \.php(?:$|/) {
        # Required for legacy support
-        rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
+        rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;

        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        set $path_info $fastcgi_path_info;
@@ -154,14 +162,18 @@ server {
        fastcgi_max_temp_file_size 0;
    }

-    location ~ \.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite|map)$ {
+    # Serve static files
+    location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
        try_files $uri /index.php$request_uri;
-        add_header Cache-Control "public, max-age=15778463, $asset_immutable";
+        # HTTP response headers borrowed from Nextcloud `.htaccess`
+        add_header Cache-Control                     "public, max-age=15778463$asset_immutable";
+        add_header Referrer-Policy                   "no-referrer"       always;
+        add_header X-Content-Type-Options            "nosniff"           always;
+        add_header X-Frame-Options                   "SAMEORIGIN"        always;
+        add_header X-Permitted-Cross-Domain-Policies "none"              always;
+        add_header X-Robots-Tag                      "noindex, nofollow" always;
+        add_header X-XSS-Protection                  "1; mode=block"     always;
        access_log off;     # Optional: Don't log access to assets
-
-        location ~ \.wasm$ {
-            default_type application/wasm;
-        }
    }

    location ~ \.woff2?$ {
@@ -187,4 +199,4 @@ server {
    location / {
        try_files $uri $uri/ /index.php$request_uri;
    }
-}
+}
Author	SHA1	Message	Date
Oli	2b9eda9e9c	disable QUIC and HTTP/3	2024-03-01 07:18:40 +00:00
Oli	e5da9c9c54	Add .wasm file extension for javascript	2024-03-01 07:18:18 +00:00
Oli	acc4a64622	Add .mjs file extension for javascript	2024-02-11 11:24:03 +00:00