map $http_upgrade $connection_upgrade { default upgrade; '' close; } server { listen 80; listen [::]:80; # comment to disable IPv6 if ($scheme = "http") { return 301 https://$host$request_uri; } if ($http_x_forwarded_proto = "http") { return 301 https://$host$request_uri; } listen 443 ssl http2; # for nginx versions below v1.25.1 listen [::]:443 ssl http2; # for nginx versions below v1.25.1 - comment to disable IPv6 # listen 443 ssl; # for nginx v1.25.1+ # listen [::]:443 ssl; # for nginx v1.25.1+ - keep comment to disable IPv6 # http2 on; # uncomment to enable HTTP/2 - supported on nginx v1.25.1+ # listen 443 quic reuseport; # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+ - please remove "reuseport" if there is already another quic listener on port 443 with enabled reuseport # listen [::]:443 quic reuseport; # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+ - please remove "reuseport" if there is already another quic listener on port 443 with enabled reuseport - keep comment to disable IPv6 # http3 on; # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+ # quic_gso on; # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+ # quic_retry on; # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+ # quic_bpf on; # improves HTTP/3 / QUIC - supported on nginx v1.25.0+, if nginx runs as a docker container you need to give it privileged permission to use this option # add_header Alt-Svc 'h3=":443"; ma=86400'; # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+ proxy_buffering off; proxy_request_buffering off; client_max_body_size 0; client_body_buffer_size 512k; # http3_stream_buffer_size 512k; # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+ proxy_read_timeout 86400s; server_name nextcloud.rschneider.hu; location / { proxy_pass http://${nuc}:4430${nuc}:4430$request_uri; # Adjust to match APACHE_PORT and APACHE_IP_BINDING. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md#adapting-the-sample-web-server-configurations-below proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Port $server_port; proxy_set_header X-Forwarded-Scheme $scheme; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; proxy_set_header Early-Data $ssl_early_data; # Websocket proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; } # If running nginx on a subdomain (eg. nextcloud.example.com) of a domain that already has an wildcard ssl certificate from certbot on this machine, # the in the below lines should be replaced with just the domain (eg. example.com), not the subdomain. # In this case the subdomain should already be secured without additional actions # ssl_certificate /etc/letsencrypt/live//fullchain.pem; # managed by certbot on host machine # ssl_certificate_key /etc/letsencrypt/live//privkey.pem; # managed by certbot on host machine ssl_certificate /etc/nginx/ssl/live/nextcloud.rschneider.hu/fullchain.pem; ssl_certificate_key /etc/nginx/ssl/live/nextcloud.rschneider.hu/privkey.pem; ssl_dhparam /etc/dhparam; # curl -L https://ssl-config.mozilla.org/ffdhe2048.txt -o /etc/dhparam ssl_early_data on; ssl_session_timeout 1d; ssl_session_cache shared:SSL:10m; ssl_protocols TLSv1.2 TLSv1.3; ssl_ecdh_curve x25519:x448:secp521r1:secp384r1:secp256r1; ssl_prefer_server_ciphers on; ssl_conf_command Options PrioritizeChaCha; ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256; }