From 4ef607d350aa6f19f07ebe2fb0b8e3951248649f Mon Sep 17 00:00:00 2001
From: MichaIng <micha@dietpi.com>
Date: Fri, 26 Jan 2024 17:03:17 +0100
Subject: [PATCH] nginx: fix response headers for assets

Nginx resets all response headers in a location block, if it contains any "add_header" directive. When setting the "Cache-Control" header for static assets, this was originally worked around by using the "expires" directive instead. https://github.com/nextcloud/documentation/pull/8083 however added the "immutable" flag for assets with "v=" query parameter and broke all other response headers for assets that way.

This commit fixes this by re-adding all reponse headers explicitly for those assets. Originally those doubled code was removed thanks to using "expires", but I see no way to have both: the "immutable" flag as well as avoiding doubled headers via "expires" directive.

Additionally, this commit avoids the trailing comma and space in the Cache-Control header for assets without "v=" query parameter, and adds sets the wasm MIME type in a cleaner/more consistent way together with js/mjs, and rephrases the broken comment sentence.

Signed-off-by: MichaIng <micha@dietpi.com>
---
 .../installation/nginx-root.conf.sample       | 21 +++++++++++--------
 .../installation/nginx-subdir.conf.sample     | 20 +++++++++++-------
 2 files changed, 24 insertions(+), 17 deletions(-)

diff --git a/admin_manual/installation/nginx-root.conf.sample b/admin_manual/installation/nginx-root.conf.sample
index 27ddd9dd6..3a9e8ec2e 100644
--- a/admin_manual/installation/nginx-root.conf.sample
+++ b/admin_manual/installation/nginx-root.conf.sample
@@ -6,10 +6,9 @@ upstream php-handler {
 # Set the `immutable` cache control options only for assets with a cache busting `v` argument
 map $arg_v $asset_immutable {
     "" "";
-    default "immutable";
+    default ", immutable";
 }
 
-
 server {
     listen 80;
     listen [::]:80;
@@ -79,13 +78,14 @@ server {
     # Remove X-Powered-By, which is an information leak
     fastcgi_hide_header X-Powered-By;
 
-    # Add .mjs as a file extension for javascript
+    # Set .mjs and .wasm MIME types
     # Either include it in the default mime.types list
-    # or include you can include that list explicitly and add the file extension
+    # and include that list explicitly or add the file extension
     # only for Nextcloud like below:
     include mime.types;
     types {
         text/javascript js mjs;
+	application/wasm wasm;
     }
 
     # Specify how to handle directories -- specifying `/index.php$request_uri`
@@ -167,12 +167,15 @@ server {
     # Serve static files
     location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
         try_files $uri /index.php$request_uri;
-        add_header Cache-Control "public, max-age=15778463, $asset_immutable";
+        # HTTP response headers borrowed from Nextcloud `.htaccess`
+        add_header Cache-Control                     "public, max-age=15778463$asset_immutable";
+        add_header Referrer-Policy                   "no-referrer"       always;
+        add_header X-Content-Type-Options            "nosniff"           always;
+        add_header X-Frame-Options                   "SAMEORIGIN"        always;
+        add_header X-Permitted-Cross-Domain-Policies "none"              always;
+        add_header X-Robots-Tag                      "noindex, nofollow" always;
+        add_header X-XSS-Protection                  "1; mode=block"     always;
         access_log off;     # Optional: Don't log access to assets
-
-        location ~ \.wasm$ {
-            default_type application/wasm;
-        }
     }
 
     location ~ \.woff2?$ {
diff --git a/admin_manual/installation/nginx-subdir.conf.sample b/admin_manual/installation/nginx-subdir.conf.sample
index d98ae0559..97f8707fa 100644
--- a/admin_manual/installation/nginx-subdir.conf.sample
+++ b/admin_manual/installation/nginx-subdir.conf.sample
@@ -6,7 +6,7 @@ upstream php-handler {
 # Set the `immutable` cache control options only for assets with a cache busting `v` argument
 map $arg_v $asset_immutable {
     "" "";
-    default "immutable";
+    default ", immutable";
 }
 
 server {
@@ -39,13 +39,14 @@ server {
     # Prevent nginx HTTP Server Detection
     server_tokens off;
 
-    # Add .mjs as a file extension for javascript
+    # Set .mjs and .wasm MIME types
     # Either include it in the default mime.types list
-    # or include you can include that list explicitly and add the file extension
+    # and include that list explicitly or add the file extension
     # only for Nextcloud like below:
     include mime.types;
     types {
         text/javascript js mjs;
+	application/wasm wasm;
     }
 
     location = /robots.txt {
@@ -165,12 +166,15 @@ server {
         # Serve static files
         location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
             try_files $uri /nextcloud/index.php$request_uri;
-            add_header Cache-Control "public, max-age=15778463, $asset_immutable";
+            # HTTP response headers borrowed from Nextcloud `.htaccess`
+            add_header Cache-Control                     "public, max-age=15778463$asset_immutable";
+            add_header Referrer-Policy                   "no-referrer"       always;
+            add_header X-Content-Type-Options            "nosniff"           always;
+            add_header X-Frame-Options                   "SAMEORIGIN"        always;
+            add_header X-Permitted-Cross-Domain-Policies "none"              always;
+            add_header X-Robots-Tag                      "noindex, nofollow" always;
+            add_header X-XSS-Protection                  "1; mode=block"     always;
             access_log off;     # Optional: Don't log access to assets
-
-            location ~ \.wasm$ {
-                default_type application/wasm;
-            }
         }
 
         location ~ \.woff2?$ {