Nextcloud problems / questions

Not sure why, but the 2nd server block is incorrect and looks different on a default system. It should look like this:

server {
    if ($host = nextcloud.hemertje.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


	listen 80 default_server;
	listen [::]:80 default_server;

	server_name nextcloud.hemertje.com;
    return 404; # managed by Certbot


}

So these blocks can be removed?

server {
if ($host = nextcloud.hemertje.com) {
return 301 https://$host$request_uri;
} # managed by Certbot

    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/nextcloud;
    index index.php index.html index.htm index.nginx-debian.html;
    server_name nextcloud.hemertje.com;
    include /etc/nginx/sites-dietpi/*.conf;

location / {
try_files $uri $uri/ =404;
}

    location ~ \.php(?:$|/) {
            include snippets/fastcgi-php.conf;
            fastcgi_pass php;
    }

And added:

return 404; # managed by Certbot

}

Simply remove the whole block and replace it with the one I have shared.

So if I understand correctly:

server {
    if ($host = nextcloud.hemertje.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


        listen 80 default_server;
        listen [::]:80 default_server;

#       root /var/www/nextcloud;
#       index index.php index.html index.htm index.nginx-debian.html;

        server_name nextcloud.hemertje.com;
#
#       include /etc/nginx/sites-dietpi/*.conf;
#
#       location / {
#               try_files $uri $uri/ =404;
#       }
#
#       location ~ \.php(?:$|/) {
#               include snippets/fastcgi-php.conf;
#               fastcgi_pass php;
#       }
    return 404; # managed by Certbot



}

?

Back to the example
https://docs.nextcloud.com/server/stable/admin_manual/installation/nginx.html#nextcloud-in-the-webroot-of-nginx

The Howto says:
Adjust server_name, root, ssl_certificate and ssl_certificate_key to suit your needs.

Nextcloud in the webroot of NGINX

See my command lines below with #

#The lines below are arranged somewhere else in DietPi?
upstream php-handler {
    server 127.0.0.1:9000;
    #server unix:/var/run/php/php7.4-fpm.sock;
}

# Set the `immutable` cache control options only for assets with a cache busting `v` argument
map $arg_v $asset_immutable {
    "" "";
    default "immutable";
}



#The ‘listen 80’ lines below are arranged in the file ‘/etc/nginx/sites-available/default’
server {
    listen 80;
    listen [::]:80;
    server_name cloud.example.com;

    # Prevent nginx HTTP Server Detection
    server_tokens off;

    # Enforce HTTPS
    return 301 https://$server_name$request_uri;
}


#The ‘listen 443’ lines below are arranged in the file ‘/etc/nginx/sites-available/default’
server {
    listen 443      ssl http2;
    listen [::]:443 ssl http2;
    server_name cloud.example.com;

#The ‘root path’ lines below are arranged in the file ‘/etc/nginx/sites-available/default’
    # Path to the root of your installation
    root /var/www/nextcloud;

#The ‘SSL settings’ lines below are arranged in the file ‘/etc/nginx/sites-available/default’
    # Use Mozilla's guidelines for SSL/TLS settings
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/
    ssl_certificate     /etc/ssl/nginx/cloud.example.com.crt;
    ssl_certificate_key /etc/ssl/nginx/cloud.example.com.key;

    # Prevent nginx HTTP Server Detection
    server_tokens off;


#The ‘HSTS settings’ lines below are arranged in the file ‘/etc/nginx/sites-available/default’
    # HSTS settings
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
# The option "preload" is missing in the DietPi Certbot, see above warning!


#The ‘Upload settings’ lines below are arranged in the file ‘/etc/nginx/sites-dietpi/dietpi-nextcloud.conf’
    # set max upload size and increase upload timeout:
    client_max_body_size 512M; # DietPi uses 1048576M instead of 512M
    client_body_timeout 300s; # DietPi does not use the timeout setting
    fastcgi_buffers 64 4K; # DietPi uses same option settings


#The ‘Gzip settings’ lines below are arranged in the file ‘/etc/nginx/sites-dietpi/dietpi-nextcloud.conf’
    # Enable gzip but do not remove ETag headers
    gzip on; # DietPi uses same option settings
    gzip_vary on; # DietPi uses same option settings
    gzip_comp_level 4; # DietPi uses same option settings
    gzip_min_length 256; # DietPi uses same option settings
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; # DietPi uses same option settings
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;  # DietPi uses the option settings gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifes>


# Pagespeed is not used in the file ‘/etc/nginx/sites-dietpi/dietpi-nextcloud.conf’ or the file ‘/etc/nginx/sites-available/default’
    # Pagespeed is not supported by Nextcloud, so if your server is built
    # with the `ngx_pagespeed` module, uncomment this line to disable it.
    #pagespeed off;

# HTTP2 bandwidth is not used in the file ‘/etc/nginx/sites-dietpi/dietpi-nextcloud.conf’ or the file ‘/etc/nginx/sites-available/default’
    # This setting allows you to optimize the HTTP2 bandwidth.
    # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
    # for tuning hints
    client_body_buffer_size 512k;


# HTTP response headers are used in the file ‘/etc/nginx/sites-dietpi/dietpi-nextcloud.conf’
    # HTTP response headers borrowed from Nextcloud `.htaccess`
    add_header Referrer-Policy                      "no-referrer"   always; # DietPi uses same option settings
    add_header X-Content-Type-Options               "nosniff"       always; # DietPi uses same option settings
    add_header X-Download-Options                   "noopen"        always; # DietPi uses same option settings
    add_header X-Frame-Options                      "SAMEORIGIN"    always; # DietPi uses same option settings
    add_header X-Permitted-Cross-Domain-Policies    "none"          always; # DietPi uses same option settings
    add_header X-Robots-Tag                         "none"          always; # DietPi uses same option settings
    add_header X-XSS-Protection                     "1; mode=block" always; # DietPi uses same option settings

# Remove X-Powered-By is used in the file ‘/etc/nginx/sites-dietpi/dietpi-nextcloud.conf’
    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By; # DietPi uses same option


# Index is used in the file ‘/etc/nginx/sites-dietpi/dietpi-nextcloud.conf’
    # Specify how to handle directories -- specifying `/index.php$request_uri`
    # here as the fallback means that Nginx always exhibits the desired behaviour
    # when a client requests a path that corresponds to a directory that exists
    # on the server. In particular, if that directory contains an index.php file,
    # that file is correctly served; if it doesn't, then the request is passed to
    # the front-end controller. This consistent behaviour means that we don't need
    # to specify custom rules for certain paths (e.g. images and other assets,
    # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
    # `try_files $uri $uri/ /index.php$request_uri`
    # always provides the desired behaviour.
    index index.php index.html /index.php$request_uri; #My file contains /nextcloud/ : index index.php index.html /nextcloud/index.php$request_uri;

# Rule `.htaccess` is used in the file ‘/etc/nginx/sites-dietpi/dietpi-nextcloud.conf’
    # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
    location = / { # my ‘dietpi-nextcloud.conf’ contains  location = /nextcloud {
        if ( $http_user_agent ~ ^DavClnt ) {
            return 302 /remote.php/webdav/$is_args$args; # my ‘dietpi-nextcloud.conf’ contains  location =  return 302 /nextcloud/remote.php/webdav/$is_args$args;
# My file contains extra:
# Rules borrowed from `.htaccess` to hide certain paths from clients
#        location ~ ^/nextcloud/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
#        location ~ ^/nextcloud/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }

        }
    }

# Robots is not used in the file ‘/etc/nginx/sites-dietpi/dietpi-nextcloud.conf’ or the file ‘/etc/nginx/sites-available/default’
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }


# These well-known is in my file ‘/etc/nginx/sites-dietpi/dietpi-nextcloud.conf’
# These follows a different setup of the line but it seems to me the result is the same?
# Redirect webfinger and nodeinfo requests to Nextcloud endpoint
#location /.well-known/webfinger { return 301 /nextcloud/index.php$request_uri; }
#location /.well-known/nodeinfo  { return 301 /nextcloud/index.php$request_uri; }

# Below the extended lines
    # Make a regex exception for `/.well-known` so that clients can still
    # access it despite the existence of the regex rule
    # `location ~ /(\.|autotest|...)` which would otherwise handle requests
    # for `/.well-known`.
    location ^~ /.well-known {
        # The rules in this block are an adaptation of the rules
        # in `.htaccess` that concern `/.well-known`.

        location = /.well-known/carddav { return 301 /remote.php/dav/; }
        location = /.well-known/caldav  { return 301 /remote.php/dav/; }

        location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
        location /.well-known/pki-validation    { try_files $uri $uri/ =404; }

        # Let Nextcloud's API for `/.well-known` URIs handle all other
        # requests by passing them to the front-end controller.
        return 301 /index.php$request_uri;
    }


# The Rules below are not used in the file ‘/etc/nginx/sites-dietpi/dietpi-nextcloud.conf’ or the file ‘/etc/nginx/sites-available/default’
    # Rules borrowed from `.htaccess` to hide certain paths from clients
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }


# The Rules below are used in the file ‘/etc/nginx/sites-dietpi/dietpi-nextcloud.conf’
    # Ensure this block, which passes PHP files to the PHP process, is above the blocks
    # which handle static assets (as seen below). If this block is not declared first,
    # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
    # to the URI, resulting in a HTTP 500 error response.
    location ~ \.php(?:$|/) {
        # Required for legacy support

#This part differs from my  ‘/etc/nginx/sites-dietpi/dietpi-nextcloud.conf’
        rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;

#This part is equal with my  ‘/etc/nginx/sites-dietpi/dietpi-nextcloud.conf’
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        set $path_info $fastcgi_path_info;

        try_files $fastcgi_script_name =404;

        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param HTTPS on; # ‘on’vh is extra here!

        fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
        fastcgi_param front_controller_active true;     # Enable pretty urls
        fastcgi_pass php-handler;

        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;

        fastcgi_max_temp_file_size 0;
    }

    location ~ \.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite|map)$ {
        try_files $uri /index.php$request_uri; # my ‘dietpi-nextcloud.conf’ contains extra  /nextcloud/

# my ‘dietpi-nextcloud.conf’ contains  extra:
#expires 6M; # Cache-Control policy borrowed from `.htaccess`

        add_header Cache-Control "public, max-age=15778463, $asset_immutable"; # this line is missing in my ‘dietpi-nextcloud.conf’
        access_log off;     # Optional: Don't log access to assets # same as in my ‘dietpi-nextcloud.conf’

# my ‘dietpi-nextcloud.conf’ does not contain the lines below:
        location ~ \.wasm$ {
            default_type application/wasm;
        }
    }
# my ‘dietpi-nextcloud.conf’ does contain the lines below:
#location ~ \.woff2?$ {
#                try_files $uri /nextcloud/index.php$request_uri;
#               expires 7d; # Cache-Control policy borrowed from `.htaccess`
#              access_log off; # Optional: Don't log access to assets

#    }

    # Rule borrowed from `.htaccess`
    location /remote { # my ‘dietpi-nextcloud.conf’ contains  /nextcloud/remote
        return 301 /remote.php$request_uri; # my ‘dietpi-nextcloud.conf’ contains  /nextcloud/remote.php
    }

    location / { # my ‘dietpi-nextcloud.conf’ contains  ‘location /nextcloud’
        try_files $uri $uri/ /index.php$request_uri; # my ‘dietpi-nextcloud.conf’ contains  /nextcloud/index.php…
    }
}

I don’t think you need to do all this development. There should be no need to create your own files. Basically, it is quite simple.

  1. adjust /etc/nginx/sites-available/default and change root /var/www into root /var/www/nextcloud
  2. adjust /etc/nginx/sites-available/default and remove small block for location /
  3. adjust /etc/nginx/sites-dietpi/dietpi-dav_redirect.conf and remove sub path /nextcloud from all configs
  4. adjust /etc/nginx/sites-dietpi/dietpi-nextcloud.conf and remove sub path /nextcloud from all configs (should be quite some)
  5. restart Nginx
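
The steps above as a script, run against constructed sample files in a scratch directory instead of /etc/nginx (added example, not part of the original post; the function names and sample configs are assumptions). Before any restart it checks for leftover `/nextcloud` routes, a regex hide rule that lost its leading `/`, and two server-level `location /` blocks, which nginx rejects as a duplicate. It assumes the default file has a single server block that holds the include.

```shell
#!/bin/sh
# Added example (not from the thread). All file contents below are constructed.

# Steps 3-4: rewrite URI tokens "/nextcloud..." to "/..." in place (keeps FILE.bak).
# Only a "/nextcloud" that starts a token (after whitespace or a regex "^") is
# touched, so "root /var/www/nextcloud;" and github.com/nextcloud URLs survive
# and every URI keeps its leading "/".
strip_subpath() {
    sed -E -i.bak \
        -e 's#([[:space:]^])/nextcloud/#\1/#g' \
        -e 's#([[:space:]^])/nextcloud([[:space:]{;]|$)#\1/\2#g' \
        "$1"
}

# Step 2: delete the server-level "location / { ... }" block from FILE.
drop_root_location() {
    awk '
        !skip && depth == 1 && /^[ \t]*location[ \t]+\/[ \t]*\{/ { skip = 1; nest = 0 }
        {
            line = $0; sub(/#.*/, "", line)
            delta = gsub(/\{/, "{", line) - gsub(/\}/, "}", line)
            if (skip) { nest += delta; if (nest <= 0) skip = 0; next }
            depth += delta
            print
        }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Directive (non-comment) lines that still route the /nextcloud sub-path.
leftover_subpath() {
    grep -nE '^[[:space:]]*[^#[:space:]].*[[:space:]^]/nextcloud(/|[[:space:]{;]|$)' "$1"
}

# Regex locations starting "^" but not "^/": they can never match a request
# URI, so a "return 404" hide rule written that way is silently disabled.
unanchored_regex() {
    grep -nE '^[[:space:]]*location[[:space:]]+~\*?[[:space:]]+\^[^/]' "$1"
}

# Count "location / {" and "location ^~ / {" at brace depth WANT
# (1 = directly inside a server block, 0 = top level of an included file).
root_locations() {
    awk -v want="$2" '
        { line = $0; sub(/#.*/, "", line) }
        depth == want && line ~ /^[ \t]*location[ \t]+(\^~[ \t]+)?\/[ \t]*\{/ { n++ }
        { depth += gsub(/\{/, "{", line) - gsub(/\}/, "}", line) }
        END { print n + 0 }
    ' "$1"
}

# preflight DEFAULT INCLUDE: returns 0 only when none of the problems remain.
preflight() {
    rc=0
    if leftover_subpath "$2"; then echo "still routes /nextcloud" >&2; rc=1; fi
    if unanchored_regex "$2"; then echo "regex location not anchored at ^/" >&2; rc=1; fi
    total=$(( $(root_locations "$1" 1) + $(root_locations "$2" 0) ))
    if [ "$total" -gt 1 ]; then echo "duplicate location \"/\" ($total found)" >&2; rc=1; fi
    return "$rc"
}

# Constructed stand-ins for sites-available/default and dietpi-nextcloud.conf.
make_sample() {
    mkdir -p "$1"
    cat > "$1/default" <<'EOF'
server {
    root /var/www/nextcloud;
    server_name cloud.example.com;
    include /etc/nginx/sites-dietpi/*.conf;
    location / {
        try_files $uri $uri/ =404;
    }
}
EOF
    cat > "$1/dietpi-nextcloud.conf" <<'EOF'
# Based on: https://github.com/nextcloud/documentation/blob/master/admin_manual/installation/nginx-subdir.conf.sample
location ^~ /nextcloud {
    location = /nextcloud {
        if ( $http_user_agent ~ ^DavClnt ) {
            return 302 /nextcloud/remote.php/webdav/$is_args$args;
        }
    }
    location ~ ^/nextcloud/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
    location ~ ^/nextcloud/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
    location /nextcloud/remote {
        return 301 /nextcloud/remote.php$request_uri;
    }
    location /nextcloud {
        try_files $uri $uri/ /nextcloud/index.php$request_uri;
    }
}
EOF
}

# Demo in a scratch directory; nothing under /etc is touched.
demo() {
    d=$(mktemp -d) && make_sample "$d"
    strip_subpath "$d/dietpi-nextcloud.conf"
    drop_root_location "$d/default"
    preflight "$d/default" "$d/dietpi-nextcloud.conf" && echo "preflight ok"
    rm -rf "$d"
}
demo
```

On the real host, run `nginx -t` after the edits and restart Nginx only if it passes.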

1 and 2: What do you mean with?

remove small block for location /

/etc/nginx/sites-available/default

# /etc/nginx/sites-available/default
server {

        root /var/www/nextcloud;
        index index.php index.html index.htm index.nginx-debian.html;

        server_name nextcloud.hemertje.com;

        include /etc/nginx/sites-dietpi/*.conf;

        location / {
                try_files $uri $uri/ =404;
        }

        location ~ \.php(?:$|/) {
                include snippets/fastcgi-php.conf;
                fastcgi_pass php;
        }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/nextcloud.hemertje.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/nextcloud.hemertje.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


    add_header Strict-Transport-Security "max-age=31536000" always; # managed by Certbot


    ssl_trusted_certificate /etc/letsencrypt/live/nextcloud.hemertje.com/chain.pem; # managed by Certbot
    ssl_stapling on; # managed by Certbot
    ssl_stapling_verify on; # managed by Certbot

}

server {
    if ($host = nextcloud.hemertje.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


        listen 80 default_server;
        listen [::]:80 default_server;

        server_name nextcloud.hemertje.com;

    return 404; # managed by Certbot



}
  1. ‘/etc/nginx/sites-dietpi/dietpi-dav_redirect.conf’
# Redirect Cal/CardDAV requests to Nextcloud endpoint:
location = /.well-known/carddav { return 301 /remote.php/dav/; }
location = /.well-known/caldav  { return 301 /remote.php/dav/; }
  1. what to do with:

location ^~ /nextcloud {

    # Omit Nginx version on error response
    server_tokens off;

‘location ^~ /nextcloud {’ ?

will this be like ‘location ^~ / {’ ?

        # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
        location = /nextcloud {
                if ( $http_user_agent ~ ^DavClnt ) {
                        return 302 /nextcloud/remote.php/webdav/$is_args$args;
                }
        }
        # Rule borrowed from `.htaccess`
        location /nextcloud/remote {
                return 301 /nextcloud/remote.php$request_uri;
        }

        location /nextcloud {
                try_files $uri $uri/ /nextcloud/index.php$request_uri;
        }
}

With the file (removed “nextcloud”)

# Based on: https://github.com/nextcloud/documentation/blob/master/admin_manual/installation/nginx-subdir.conf.sample

# Redirect webfinger and nodeinfo requests to Nextcloud endpoint
location /.well-known/webfinger { return 301 /index.php$request_uri; }
location /.well-known/nodeinfo  { return 301 /index.php$request_uri; }

location ^~ / {

        # Omit Nginx version on error response
        server_tokens off;

        # Set max upload size
        client_max_body_size 1048576M;
        fastcgi_buffers 64 4K;

        # Enable gzip but do not remove ETag headers
        gzip on;
        gzip_vary on;
        gzip_comp_level 4;
        gzip_min_length 256;
        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
        gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml app>
        # HTTP response headers borrowed from Nextcloud `.htaccess`
        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
        add_header Referrer-Policy "no-referrer" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Download-Options "noopen" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Permitted-Cross-Domain-Policies "none" always;
        add_header X-Robots-Tag "none" always;
        add_header X-XSS-Protection "1; mode=block" always;

        # Remove X-Powered-By, which is an information leak
        fastcgi_hide_header X-Powered-By;
        # Specify how to handle directories -- specifying `/nextcloud/index.php$request_uri`
        # here as the fallback means that Nginx always exhibits the desired behaviour
        # when a client requests a path that corresponds to a directory that exists
        # on the server. In particular, if that directory contains an index.php file,
        # that file is correctly served; if it doesn't, then the request is passed to
        # the front-end controller. This consistent behaviour means that we don't need
        # to specify custom rules for certain paths (e.g. images and other assets,
        # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
        # `try_files $uri $uri/ /nextcloud/index.php$request_uri`
        # always provides the desired behaviour.
        index index.php index.html /index.php$request_uri;

        # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
        location = / {
                if ( $http_user_agent ~ ^DavClnt ) {
                        return 302 /remote.php/webdav/$is_args$args;
                }
        }

        # Rules borrowed from `.htaccess` to hide certain paths from clients
        location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
        location ~ ^(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
        # Ensure this block, which passes PHP files to the PHP process, is above the blocks
        # which handle static assets (as seen below). If this block is not declared first,
        # then Nginx will encounter an infinite rewriting loop when it prepends
        # `/nextcloud/index.php` to the URI, resulting in a HTTP 500 error response.
        location ~ \.php(?:$|/) {
                fastcgi_split_path_info ^(.+?\.php)(/.*|)$;
                set $path_info $fastcgi_path_info;
                try_files $fastcgi_script_name =404;
                include fastcgi_params;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_param PATH_INFO $fastcgi_path_info;
                fastcgi_param HTTPS $https;
                fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
                fastcgi_param front_controller_active true; # Enable pretty URLs without /index.php/
                fastcgi_pass php;
                fastcgi_intercept_errors on;
                fastcgi_request_buffering off;
                fastcgi_max_temp_file_size 0; # Allow downloads > 1 GiB: https://github.com/nextcloud/documentation/pull/7979
        }

        location ~ \.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite|map)$ {
                try_files $uri /index.php$request_uri;
                expires 6M; # Cache-Control policy borrowed from `.htaccess`
                access_log off; # Optional: Don't log access to assets
        }

        location ~ \.woff2?$ {
                try_files $uri /index.php$request_uri;
                expires 7d; # Cache-Control policy borrowed from `.htaccess`
                access_log off; # Optional: Don't log access to assets
        }
        # Rule borrowed from `.htaccess`
        location /remote {
                return 301 /remote.php$request_uri;
        }

        location / {
                try_files $uri $uri/ /index.php$request_uri;
        }
}

I get the error:

root@DietPi:/# systemctl restart nginx
Job for nginx.service failed because the control process exited with error code.
See "systemctl status nginx.service" and "journalctl -xe" for details.
root@DietPi:/#
Jan 06 15:17:04 DietPi systemd[1]: Starting A high performance web server and a reverse proxy server...
░░ Subject: A start job for unit nginx.service has begun execution
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ A start job for unit nginx.service has begun execution.
░░
░░ The job identifier is 1124.
Jan 06 15:17:04 DietPi nginx[4569]: nginx: [emerg] location "/remote" is outside location "/nextcloud" in /etc/nginx/sites-dietpi/dietpi-nextcloud.conf:93
Jan 06 15:17:04 DietPi nginx[4569]: nginx: configuration file /etc/nginx/nginx.conf test failed
Jan 06 15:17:04 DietPi systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ An ExecStartPre= process belonging to unit nginx.service has exited.
░░
░░ The process' exit code is 'exited' and its exit status is 1.
Jan 06 15:17:04 DietPi systemd[1]: nginx.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ The unit nginx.service has entered the 'failed' state with result 'exit-code'.
Jan 06 15:17:04 DietPi systemd[1]: Failed to start A high performance web server and a reverse proxy server.
░░ Subject: A start job for unit nginx.service has failed
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ A start job for unit nginx.service has finished with a failure.
░░
░░ The job identifier is 1124 and the job result is failed.
Jan 06 15:18:30 DietPi systemd[1]: Starting A high performance web server and a reverse proxy server...
░░ Subject: A start job for unit nginx.service has begun execution
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ A start job for unit nginx.service has begun execution.
░░
░░ The job identifier is 1182.
Jan 06 15:18:30 DietPi nginx[4575]: nginx: [emerg] duplicate location "/" in /etc/nginx/sites-enabled/default:11
Jan 06 15:18:30 DietPi nginx[4575]: nginx: configuration file /etc/nginx/nginx.conf test failed
Jan 06 15:18:30 DietPi systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ An ExecStartPre= process belonging to unit nginx.service has exited.
░░
░░ The process' exit code is 'exited' and its exit status is 1.
Jan 06 15:18:30 DietPi systemd[1]: nginx.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ The unit nginx.service has entered the 'failed' state with result 'exit-code'.
Jan 06 15:18:30 DietPi systemd[1]: Failed to start A high performance web server and a reverse proxy server.
░░ Subject: A start job for unit nginx.service has failed
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ A start job for unit nginx.service has finished with a failure.
░░
░░ The job identifier is 1182 and the job result is failed.
root@DietPi:/#

Seems there is something wrong with the latest part?

remove that following small location / block

And pls, don’t change anything else inside /etc/nginx/sites-dietpi/dietpi-nextcloud.conf except removing the nextcloud sub folder. On my demo system, following is working. Simply delete the whole content of your file and replace it fully with:

# Based on: https://github.com/nextcloud/documentation/blob/master/admin_manual/installation/nginx-subdir.conf.sample

# Redirect webfinger and nodeinfo requests to Nextcloud endpoint
location /.well-known/webfinger { return 301 /index.php$request_uri; }
location /.well-known/nodeinfo  { return 301 /index.php$request_uri; }

location ^~ / {

	# Omit Nginx version on error response
	server_tokens off;

	# Set max upload size
	client_max_body_size 1048576M;
	fastcgi_buffers 64 4K;

	# Enable gzip but do not remove ETag headers
	gzip on;
	gzip_vary on;
	gzip_comp_level 4;
	gzip_min_length 256;
	gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
	gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

	# HTTP response headers borrowed from Nextcloud `.htaccess`
	#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
	add_header Referrer-Policy "no-referrer" always;
	add_header X-Content-Type-Options "nosniff" always;
	add_header X-Download-Options "noopen" always;
	add_header X-Frame-Options "SAMEORIGIN" always;
	add_header X-Permitted-Cross-Domain-Policies "none" always;
	add_header X-Robots-Tag "none" always;
	add_header X-XSS-Protection "1; mode=block" always;

	# Remove X-Powered-By, which is an information leak
	fastcgi_hide_header X-Powered-By;

	# Specify how to handle directories -- specifying `/nextcloud/index.php$request_uri`
	# here as the fallback means that Nginx always exhibits the desired behaviour
	# when a client requests a path that corresponds to a directory that exists
	# on the server. In particular, if that directory contains an index.php file,
	# that file is correctly served; if it doesn't, then the request is passed to
	# the front-end controller. This consistent behaviour means that we don't need
	# to specify custom rules for certain paths (e.g. images and other assets,
	# `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
	# `try_files $uri $uri/ /nextcloud/index.php$request_uri`
	# always provides the desired behaviour.
	index index.php index.html /index.php$request_uri;

	# Rule borrowed from `.htaccess` to handle Microsoft DAV clients
	location = / {
		if ( $http_user_agent ~ ^DavClnt ) {
			return 302 /remote.php/webdav/$is_args$args;
		}
	}

	# Rules borrowed from `.htaccess` to hide certain paths from clients
	location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
	location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }

	# Ensure this block, which passes PHP files to the PHP process, is above the blocks
	# which handle static assets (as seen below). If this block is not declared first,
	# then Nginx will encounter an infinite rewriting loop when it prepends
	# `/nextcloud/index.php` to the URI, resulting in a HTTP 500 error response.
	location ~ \.php(?:$|/) {
		fastcgi_split_path_info ^(.+?\.php)(/.*|)$;
		set $path_info $fastcgi_path_info;
		try_files $fastcgi_script_name =404;
		include fastcgi_params;
		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
		fastcgi_param PATH_INFO $fastcgi_path_info;
		fastcgi_param HTTPS $https;
		fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
		fastcgi_param front_controller_active true; # Enable pretty URLs without /index.php/
		fastcgi_pass php;
		fastcgi_intercept_errors on;
		fastcgi_request_buffering off;
		fastcgi_max_temp_file_size 0; # Allow downloads > 1 GiB: https://github.com/nextcloud/documentation/pull/7979
	}

	location ~ \.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite|map)$ {
		try_files $uri /index.php$request_uri;
		expires 6M; # Cache-Control policy borrowed from `.htaccess`
		access_log off; # Optional: Don't log access to assets
	}

	location ~ \.woff2?$ {
		try_files $uri /index.php$request_uri;
		expires 7d; # Cache-Control policy borrowed from `.htaccess`
		access_log off; # Optional: Don't log access to assets
	}

	# Rule borrowed from `.htaccess`
	location /remote {
		return 301 /remote.php$request_uri;
	}

	location / {
		try_files $uri $uri/ /index.php$request_uri;
	}
}

The idea with the dedicated file was so that Nextcloud reinstalls won’t overwrite them. But at least the Cal/CardDAV redirects would conflict anyway without adjusting the original file.

Sadly I get this error with your file

root@DietPi:~# nano /etc/nginx/sites-dietpi/dietpi-nextcloud.conf
root@DietPi:~# systemctl restart nginx
Job for nginx.service failed because the control process exited with error code.
See "systemctl status nginx.service" and "journalctl -xe" for details.
root@DietPi:~# systemctl status nginx.service
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; disabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Sun 2023-01-08 13:30:18 CET; 1min 20s ago
Docs: man:nginx(8)
Process: 23109 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=1/FAILURE)
CPU: 33ms

Jan 08 13:30:18 DietPi systemd[1]: Starting A high performance web server and a reverse proxy server...
Jan 08 13:30:18 DietPi nginx[23109]: nginx: [emerg] duplicate location "/" in /etc/nginx/sites-enabled/default:11
Jan 08 13:30:18 DietPi nginx[23109]: nginx: configuration file /etc/nginx/nginx.conf test failed
Jan 08 13:30:18 DietPi systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
Jan 08 13:30:18 DietPi systemd[1]: nginx.service: Failed with result 'exit-code'.
Jan 08 13:30:18 DietPi systemd[1]: Failed to start A high performance web server and a reverse proxy server.
root@DietPi:~#


With the following NC is working

/etc/nginx/sites-dietpi/dietpi-nextcloud.conf

# Based on: documentation/admin_manual/installation/nginx-subdir.conf.sample at master · nextcloud/documentation · GitHub

# Redirect webfinger and nodeinfo requests to Nextcloud endpoint

location /.well-known/webfinger { return 301 /nextcloud/index.php$request_uri; }
location /.well-known/nodeinfo { return 301 /nextcloud/index.php$request_uri; }

location ^~ /nextcloud {

    # Omit Nginx version on error response
    server_tokens off;

    # Set max upload size
    client_max_body_size 1048576M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml app>

    # HTTP response headers borrowed from Nextcloud `.htaccess`
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    # Specify how to handle directories -- specifying `/nextcloud/index.php$request_uri`
    # here as the fallback means that Nginx always exhibits the desired behaviour
    # when a client requests a path that corresponds to a directory that exists
    # on the server. In particular, if that directory contains an index.php file,
    # that file is correctly served; if it doesn't, then the request is passed to
    # the front-end controller. This consistent behaviour means that we don't need
    # to specify custom rules for certain paths (e.g. images and other assets,
    # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
    # `try_files $uri $uri/ /nextcloud/index.php$request_uri`
    # always provides the desired behaviour.
    index index.php index.html /nextcloud/index.php$request_uri;

    # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
    location = /nextcloud {
            if ( $http_user_agent ~ ^DavClnt ) {
                    return 302 /nextcloud/remote.php/webdav/$is_args$args;
            }
    }

    # Rules borrowed from `.htaccess` to hide certain paths from clients
    location ~ ^/nextcloud/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
    location ~ ^/nextcloud/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }

    # Ensure this block, which passes PHP files to the PHP process, is above the blocks
    # which handle static assets (as seen below). If this block is not declared first,
    # then Nginx will encounter an infinite rewriting loop when it prepends
    # `/nextcloud/index.php` to the URI, resulting in a HTTP 500 error response.
    location ~ \.php(?:$|/) {
            fastcgi_split_path_info ^(.+?\.php)(/.*|)$;
            set $path_info $fastcgi_path_info;
            try_files $fastcgi_script_name =404;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            fastcgi_param HTTPS $https;
            fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
            fastcgi_param front_controller_active true; # Enable pretty URLs without /index.php/
            fastcgi_pass php;
            fastcgi_intercept_errors on;
            fastcgi_request_buffering off;
            fastcgi_max_temp_file_size 0; # Allow downloads > 1 GiB: https://github.com/nextcloud/documentation/pull/7979
    }

    location ~ \.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite|map)$ {
            try_files $uri /nextcloud/index.php$request_uri;
            expires 6M; # Cache-Control policy borrowed from `.htaccess`
            access_log off; # Optional: Don't log access to assets
    }

    location ~ \.woff2?$ {
            try_files $uri /nextcloud/index.php$request_uri;
            expires 7d; # Cache-Control policy borrowed from `.htaccess`
            access_log off; # Optional: Don't log access to assets
    }

    # Rule borrowed from `.htaccess`
    location /nextcloud/remote {
            return 301 /nextcloud/remote.php$request_uri;
    }

    location /nextcloud {
            try_files $uri $uri/ /nextcloud/index.php$request_uri;
    }

}

But having these warnings

There are some warnings regarding your setup.

  • Your web server is not properly set up to resolve “/.well-known/webfinger”. Further information can be found in the documentation.
  • Your web server is not properly set up to resolve “/.well-known/nodeinfo”. Further information can be found in the documentation.

You did not remove the default location block from the default configuration file as I stated above. Therefore you have a duplicate root directory configured.

Strange, probably forgot to save the file after editing.
Edited default, saved it, edited the config file with your version, restarted NC.

we are getting there

There are some warnings regarding your setup.
The “Strict-Transport-Security” HTTP header is not set to at least “15552000” seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips.

‘default’ contains

add_header Strict-Transport-Security "max-age=31536000" always; # managed by Certbot

and is missing the 'includeSubDomains' option

‘config’ contains

#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;

Brute-force protection

The information on the DietPi website can be updated

The separate app “Brute-force settings” is no longer needed with Nextcloud 25, because it’s already included. The “Brute-force IP Whitelist settings” can be found under “Administration Settings” → “Security”.

https://help.nextcloud.com/t/nextcloud-25-0-1-is-there-bruteforce-app-is-not-compatible/149693

App is now released alongside with Nextcloud core, thus this page is deprecated.

any idea how to fix this as it is enabled in the ‘default’ file?

can the DietPi Wiki be updated with the above info?

Just remove the # and it will overwrite the default config.
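
Background to the HSTS warning above: nginx inherits add_header lines from the enclosing level only when the current level defines none of its own, so a location block that sets other headers but has its HSTS line commented out sends no HSTS at all, whatever the server block says. The Python check below is an added example, not code from this thread or from DietPi/Nextcloud. The sample config is constructed, the function names are hypothetical, and it assumes the Certbot line sits at server level.

```python
import re

MIN_HSTS = 15552000  # threshold quoted in the Nextcloud warning
# Constructed sample: Certbot's HSTS line at server level, Nextcloud block as posted.
SAMPLE = r'''server {
    add_header Strict-Transport-Security "max-age=31536000" always; # managed by Certbot
    location ^~ /nextcloud {
        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
        add_header Referrer-Policy "no-referrer" always;
        location ~ \.php(?:$|/) { fastcgi_pass php; }
    }
}'''
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+')

def parse(text):
    """Build a tree of blocks from nginx config text (comments stripped naively)."""
    stack, words = [{"args": [], "directives": [], "children": []}], []
    for tok in TOKEN.findall(re.sub(r"(?m)#.*$", "", text)):
        if tok == "{":
            stack[-1]["children"].append({"args": words, "directives": [], "children": []})
            stack.append(stack[-1]["children"][-1])
        elif tok == ";":
            stack[-1]["directives"].append(words)
        elif tok == "}":
            stack.pop()
        else:
            words.append(tok.strip("\"'"))
            continue
        words = []
    return stack[0]

def effective_headers(block, inherited=(), path=""):
    """Yield (context, headers); a level with its own add_header drops every inherited one."""
    own = [d[1:] for d in block["directives"] if d[:1] == ["add_header"]]
    headers = own or list(inherited)
    here = " > ".join(p for p in (path, " ".join(block["args"])) if p)
    if block["args"][:1] in (["server"], ["location"], ["if"]):
        yield here, headers
    for child in block["children"]:
        yield from effective_headers(child, headers, here)

def hsts_age(headers):
    """Return the effective HSTS max-age in seconds, or 0 when the header is not sent."""
    value = next((h[1] for h in headers if len(h) > 1 and h[0].lower() == "strict-transport-security"), "")
    age = re.search(r"max-age=(\d+)", value)
    return int(age.group(1)) if age else 0

def weak_hsts(text):
    """List the contexts whose responses carry no HSTS or a max-age below MIN_HSTS."""
    return [ctx for ctx, hdrs in effective_headers(parse(text)) if hsts_age(hdrs) < MIN_HSTS]
```

Calling weak_hsts(SAMPLE) reports the /nextcloud location and its nested PHP location, and the list is empty once the commented line is enabled. Included files have to be pasted in place first, since this parser does not follow include directives.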