> On 17. May 2019, at 21:33, Stefan Sperling <s...@stsp.name> wrote:
>
>> On Fri, May 17, 2019 at 06:11:08PM +0200, Bruno Flueckiger wrote:
>> @@ -48,23 +48,27 @@ server "domain.tld" {
>> key "/etc/ssl/private/domain.tld_private.pem"
>> }
>>
>> + directory index index.php
>> +
>> # First deny access to the specified files
>> - location "/.ht*" { block }
>> - location "/.user*" { block }
>> - location "/3rdparty*" { block }
>> - location "/README" { block }
>> - location "/autotest*" { block }
>> - location "/build*" { block }
>> - location "/config*" { block }
>> - location "/console*" { block }
>> - location "/data*" { block }
>> - location "/db_*" { block }
>> - location "/indie*" { block }
>> - location "/issue*" { block }
>> - location "/lib*" { block }
>> - location "/occ*" { block }
>> - location "/templates*" { block }
>> - location "/tests*" { block }
>> + location "/nextcloud/.ht*" { block }
>> + location "/nextcloud/.user*" { block }
>> + location "/nextcloud/3rdparty*" { block }
>> + location "/nextcloud/AUTHORS" { block }
>> + location "/nextcloud/COPYING" { block }
>> + location "/nextcloud/config*" { block }
>> + location "/nextcloud/console*" { block }
>> + location "/nextcloud/data*" { block }
>> + location "/nextcloud/lib*" { block }
>> + location "/nextcloud/occ*" { block }
>> +
>> + location "/.well-known/caldav" {
>> + block return 301 "https://$SERVER_NAME/nextcloud/remote.php/dav"
>> + }
>> +
>> + location "/.well-known/carddav" {
>> + block return 301 "https://$SERVER_NAME/nextcloud/remote.php/dav"
>> + }
>>
>> location "/*.php*" {
>> root "/nextcloud"
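Review bot: the new deny list drops `/README`, `/autotest*`, `/build*`, `/db_*`, `/indie*`, `/issue*`, `/templates*` and `/tests*` without adding `/nextcloud/`-prefixed equivalents, so anything with those names in the tree is no longer covered by this section. Either carry them over or say in the commit message that they are no longer needed. Also, the unchanged context line `location "/*.php*"` with `root "/nextcloud"` still matches outside the `/nextcloud/` prefix that the new block rules are written for; check that both use the same prefix.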
>
> It is possible to run nextcloud with a block-by-default ruleset policy.
> For example:
>
> block drop
>
> # Ensure that no '*.php*' files can be fetched from these directories
> location "/nextcloud/config/*" {
>     block drop
> }
> location "/nextcloud/data/*" {
>     block drop
> }
>
> # Note that this matches "*.php*" anywhere in the request path.
> location "/nextcloud/*.php*" {
>     root "/nextcloud"
>     request strip 1
>     fastcgi socket "/run/php-fpm.sock"
>     pass
> }
>
> location "/nextcloud/apps/*" {
>     root "/nextcloud"
>     request strip 1
>     pass
> }
>
> location "/nextcloud/core/*" {
>     root "/nextcloud"
>     request strip 1
>     pass
> }
>
> location "/nextcloud/settings/*" {
>     root "/nextcloud"
>     request strip 1
>     pass
> }
>
> location "/nextcloud" {
>     block return 301 "$DOCUMENT_URI/index.php"
> }
>
> location "/nextcloud/" {
>     block return 301 "$DOCUMENT_URI/index.php"
> }
A diff would be nice; I like a simpler version of httpd.conf.
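
An added example, not from the thread or from httpd itself: a shell model of the block-by-default ruleset quoted above, for checking which requests it lets through. It assumes the behaviour documented in httpd.conf(5), where the first matching location wins and patterns are shell globs in which `*` also matches `/`; the action labels and sample paths are constructed, and case sensitivity is not modelled.

```shell
#!/bin/sh
# Rules in file order, "<glob> <action>", transcribed from the quoted ruleset.
# Action labels (block, fastcgi, pass, redirect) are constructed for this model.
RULES='/nextcloud/config/* block
/nextcloud/data/* block
/nextcloud/*.php* fastcgi
/nextcloud/apps/* pass
/nextcloud/core/* pass
/nextcloud/settings/* pass
/nextcloud redirect
/nextcloud/ redirect'

# decide REQUEST_PATH: print the action of the first matching location,
# or "block" (the server-wide "block drop") when no location matches.
decide() {
    req=$1
    while read -r pat action; do
        # Unquoted $pat is treated as a glob; '*' is not stopped by '/'.
        case $req in
            $pat) echo "$action"; return 0 ;;
        esac
    done <<EOF
$RULES
EOF
    echo block
}

# Constructed sample requests covering each kind of rule.
for p in \
    /nextcloud \
    /nextcloud/index.php \
    /nextcloud/remote.php/dav \
    /nextcloud/core/css/server.css \
    /nextcloud/apps/files/ajax/list.php \
    /nextcloud/config/config.php \
    /nextcloud/data/alice/files/notes.php \
    /nextcloud/lib/base.php \
    /nextcloud/README
do
    printf '%-42s %s\n' "$p" "$(decide "$p")"
done
```

The `/nextcloud/lib/base.php` line shows the effect of the "anywhere in the request path" comment: only `config/` and `data/` are placed ahead of the `*.php*` rule, so PHP files in every other directory are handed to FastCGI.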