Unterschiede
Hier werden die Unterschiede zwischen zwei Versionen angezeigt.
dienste:bytecluster0002:nextcloud [05.10.2020 22:42] – [Ansible Script] updated ansible script chaos | dienste:bytecluster0002:nextcloud [19.07.2023 19:17] (aktuell) – mape2k | ||
---|---|---|---|
Zeile 1: | Zeile 1: | ||
- | ====== Proxmox container ' | + | ====== Proxmox container ' |
===== Status ===== | ===== Status ===== | ||
- | * nginx momentan deaktiviert | + | * läuft, beta |
- | * /etc/nginx/sites-enabled leer | + | * https://cloudtest.technikkultur-erfurt.de |
+ | * bisher noch ohne redis cache | ||
===== Container setup ===== | ===== Container setup ===== | ||
Zeile 12: | Zeile 13: | ||
* 2. Netzwerkinterface: | * 2. Netzwerkinterface: | ||
* eth1, | * eth1, | ||
- | * 10.3.0.20/ | + | * 10.3.0.20/ |
* bridge: vmbr1 | * bridge: vmbr1 | ||
===== Ansible setup ===== | ===== Ansible setup ===== | ||
Zeile 115: | Zeile 116: | ||
+ | </ | ||
+ | |||
+ | ==== Notizen ==== | ||
+ | |||
+ | * Ansible script läd momentan das .zip nicht herunter. Fehler unbekannt. | ||
+ | * Sonderzeichen in Passwörtern führen zu fehlern. Genaue Escape-Sequence noch unbekannt. | ||
+ | |||
+ | ===== Nginx Config ===== | ||
+ | < | ||
+ | upstream php-handler { | ||
+ | #server 127.0.0.1: | ||
+ | server unix:/ | ||
+ | } | ||
+ | |||
+ | server { | ||
+ | listen 8087; | ||
+ | listen [::]:8087; | ||
+ | server_name cloud.technikkultur-erfurt.de; | ||
+ | |||
+ | # Enforce HTTPS | ||
+ | #return 301 https:// | ||
+ | #} | ||
+ | |||
+ | #server { | ||
+ | # listen 443 ssl http2; | ||
+ | # listen [::]:443 ssl http2; | ||
+ | # server_name cloud.technikkultur-erfurt.de; | ||
+ | |||
+ | # Use Mozilla' | ||
+ | # https:// | ||
+ | # ssl_certificate | ||
+ | # ssl_certificate_key / | ||
+ | |||
+ | # HSTS settings | ||
+ | # WARNING: Only add the preload option once you read about | ||
+ | # the consequences in https:// | ||
+ | # will add the domain to a hardcoded list that is shipped | ||
+ | # in all major browsers and getting removed from this list | ||
+ | # could take several months. | ||
+ | #add_header Strict-Transport-Security " | ||
+ | |||
+ | # set max upload size | ||
+ | client_max_body_size 512M; | ||
+ | fastcgi_buffers 64 4K; | ||
+ | |||
+ | # Enable gzip but do not remove ETag headers | ||
+ | gzip on; | ||
+ | gzip_vary on; | ||
+ | gzip_comp_level 4; | ||
+ | gzip_min_length 256; | ||
+ | gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; | ||
+ | gzip_types application/ | ||
+ | |||
+ | # Pagespeed is not supported by Nextcloud, so if your server is built | ||
+ | # with the `ngx_pagespeed` module, uncomment this line to disable it. | ||
+ | #pagespeed off; | ||
+ | |||
+ | # HTTP response headers borrowed from Nextcloud `.htaccess` | ||
+ | add_header Referrer-Policy | ||
+ | add_header X-Content-Type-Options | ||
+ | add_header X-Download-Options | ||
+ | add_header X-Frame-Options | ||
+ | add_header X-Permitted-Cross-Domain-Policies | ||
+ | add_header X-Robots-Tag | ||
+ | add_header X-XSS-Protection | ||
+ | |||
+ | # Remove X-Powered-By, | ||
+ | fastcgi_hide_header X-Powered-By; | ||
+ | |||
+ | # Path to the root of your installation | ||
+ | root / | ||
+ | |||
+ | # Specify how to handle directories -- specifying `/ | ||
+ | # here as the fallback means that Nginx always exhibits the desired behaviour | ||
+ | # when a client requests a path that corresponds to a directory that exists | ||
+ | # on the server. In particular, if that directory contains an index.php file, | ||
+ | # that file is correctly served; if it doesn' | ||
+ | # the front-end controller. This consistent behaviour means that we don't need | ||
+ | # to specify custom rules for certain paths (e.g. images and other assets, | ||
+ | # `/updater`, `/ | ||
+ | # `try_files $uri $uri/ / | ||
+ | # always provides the desired behaviour. | ||
+ | index index.php index.html / | ||
+ | |||
+ | # Default Cache-Control policy | ||
+ | expires 1m; | ||
+ | |||
+ | # Rule borrowed from `.htaccess` to handle Microsoft DAV clients | ||
+ | location = / { | ||
+ | if ( $http_user_agent ~ ^DavClnt ) { | ||
+ | return 302 / | ||
+ | } | ||
+ | } | ||
+ | |||
+ | location = /robots.txt { | ||
+ | allow all; | ||
+ | log_not_found off; | ||
+ | access_log off; | ||
+ | } | ||
+ | |||
+ | # Make a regex exception for `/ | ||
+ | # access it despite the existence of the regex rule | ||
+ | # `location ~ / | ||
+ | # for `/ | ||
+ | location ^~ / | ||
+ | # The following 6 rules are borrowed from `.htaccess` | ||
+ | |||
+ | rewrite ^/ | ||
+ | rewrite ^/ | ||
+ | rewrite ^/ | ||
+ | rewrite ^/ | ||
+ | |||
+ | location = / | ||
+ | location = / | ||
+ | |||
+ | try_files $uri $uri/ =404; | ||
+ | } | ||
+ | |||
+ | # Rules borrowed from `.htaccess` to hide certain paths from clients | ||
+ | location ~ ^/ | ||
+ | location ~ ^/ | ||
+ | |||
+ | # Ensure this block, which passes PHP files to the PHP process, is above the blocks | ||
+ | # which handle static assets (as seen below). If this block is not declared first, | ||
+ | # then Nginx will encounter an infinite rewriting loop when it prepends `/ | ||
+ | # to the URI, resulting in a HTTP 500 error response. | ||
+ | location ~ \.php(?: | ||
+ | fastcgi_split_path_info ^(.+? | ||
+ | set $path_info $fastcgi_path_info; | ||
+ | |||
+ | try_files $fastcgi_script_name =404; | ||
+ | |||
+ | include fastcgi_params; | ||
+ | fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; | ||
+ | fastcgi_param PATH_INFO $path_info; | ||
+ | fastcgi_param HTTPS on; | ||
+ | |||
+ | fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice | ||
+ | fastcgi_param front_controller_active true; # Enable pretty urls | ||
+ | fastcgi_pass php-handler; | ||
+ | |||
+ | fastcgi_intercept_errors on; | ||
+ | fastcgi_request_buffering off; | ||
+ | } | ||
+ | |||
+ | location ~ \.(?: | ||
+ | try_files $uri / | ||
+ | expires 6M; # Cache-Control policy borrowed from `.htaccess` | ||
+ | access_log off; # Optional: Don't log access to assets | ||
+ | } | ||
+ | |||
+ | location ~ \.woff2?$ { | ||
+ | try_files $uri / | ||
+ | expires 7d; # Cache-Control policy borrowed from `.htaccess` | ||
+ | access_log off; # Optional: Don't log access to assets | ||
+ | } | ||
+ | |||
+ | location / { | ||
+ | try_files $uri $uri/ / | ||
+ | } | ||
+ | } | ||
</ | </ |
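Review bot: The active `server` block listens on plain HTTP (`listen 8087;`) with the 443/TLS block and the HSTS header commented out, yet the PHP location passes `fastcgi_param HTTPS on;` unconditionally. That is only safe if TLS is terminated by a reverse proxy in front of this container (presumably the case, but the page does not say so) and port 8087 is reachable from that proxy alone; otherwise anyone who can reach 8087 directly would log in over cleartext while Nextcloud treats the session as secure. I would add a comment above the listen lines such as `# TLS is terminated on the upstream reverse proxy; 8087 must only be reachable from it`, and bind the socket to the internal interface or firewall it accordingly. Since `add_header Strict-Transport-Security` is disabled here, HSTS then has to be set on the proxy. Separately, `server_name` is `cloud.technikkultur-erfurt.de` while the Status section links `cloudtest.technikkultur-erfurt.de`, which is worth confirming.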