From 94245d63daee0454c9ca00b9ef3ee60643f87be8 Mon Sep 17 00:00:00 2001 From: Carla Schroder Date: Wed, 25 May 2016 15:46:54 -0700 Subject: [PATCH] Restore Nginx pages to admin manual --- .../security_setup_warnings.rst | 3 +- .../deployment_recommendations.rst | 12 - admin_manual/installation/index.rst | 3 + admin_manual/installation/nginx_examples.rst | 325 ++++++++++++++++++ .../installation/nginx_owncloud_8x.rst | 256 ++++++++++++++ .../installation/nginx_owncloud_9x.rst | 289 ++++++++++++++++ .../installation/source_installation.rst | 3 +- .../issues/general_troubleshooting.rst | 3 +- 8 files changed, 876 insertions(+), 18 deletions(-) create mode 100644 admin_manual/installation/nginx_examples.rst create mode 100644 admin_manual/installation/nginx_owncloud_8x.rst create mode 100644 admin_manual/installation/nginx_owncloud_9x.rst diff --git a/admin_manual/configuration_server/security_setup_warnings.rst b/admin_manual/configuration_server/security_setup_warnings.rst index 3ca1ad215..8469f9e84 100644 --- a/admin_manual/configuration_server/security_setup_warnings.rst +++ b/admin_manual/configuration_server/security_setup_warnings.rst @@ -54,8 +54,7 @@ describe how to enable HTTPS on the Apache and Nginx Web servers. :ref:`use_https_label` -`NGINX configuration -`_ +:doc:`../installation/nginx_examples` The test with getenv(\"PATH\") only returns an empty response ------------------------------------------------------------- diff --git a/admin_manual/installation/deployment_recommendations.rst b/admin_manual/installation/deployment_recommendations.rst index b2fffc4e2..c8900c4fa 100644 --- a/admin_manual/installation/deployment_recommendations.rst +++ b/admin_manual/installation/deployment_recommendations.rst 
@@ -408,18 +408,6 @@ best option, as Nginx does not support all features necessary for enterprise deployments. Mod_php is recommended instead of PHP_FPM, because in scale-out deployments separate PHP pools are simply not necessary. - -.. comment: Nginx currently does not integrate with Shibboleth, which prevents - SSO. Nevertheless, the Shibboleth community seems to be investigating how to - integrate with Nginx. - -.. comment: Nginx stores uploaded files on disk before handing them to php-fpm - which is a performance problem with GB-sized files. There seems to be an - Nginx fork from China that handles that better. - -.. comment from carla: We shouldn't recommend forks unless they are proven, - well-supported and dependable. - Relational Database ^^^^^^^^^^^^^^^^^^^ diff --git a/admin_manual/installation/index.rst b/admin_manual/installation/index.rst index f571593d0..76d9bece4 100644 --- a/admin_manual/installation/index.rst +++ b/admin_manual/installation/index.rst @@ -17,3 +17,6 @@ Installation php_54_installation php_55_installation selinux_configuration + nginx_examples + nginx_owncloud_8x + nginx_owncloud_9x diff --git a/admin_manual/installation/nginx_examples.rst b/admin_manual/installation/nginx_examples.rst new file mode 100644 index 000000000..c93e030eb --- /dev/null +++ b/admin_manual/installation/nginx_examples.rst 
@@ -0,0 +1,325 @@ +============================ +Nginx Example Configurations +============================ + +This page covers example Nginx configurations to use with running an ownCloud +server. Note that Nginx is not officially supported, and this page is +community-maintained. (Thank you, contributors!) + + +- You need to insert the following code into **your Nginx configuration file.** +- The configuration assumes that ownCloud is installed in + ``/var/www/owncloud`` and that it is accessed via + ``http(s)://cloud.example.com``. +- Adjust **server_name**, **root**, **ssl_certificate** and + **ssl_certificate_key** to suit your needs. +- Make sure your SSL certificates are readable by the server (see `nginx HTTP + SSL Module documentation `_). +- ``add_header`` statements are only taken from the current level and are not + cascaded from or to a different level. All necessary ``add_header`` + statements must be defined in each level needed. For better readability it + is possible to move *common* add + header statements into a separate file and include that file wherever + necessary. However, each ``add_header`` statement must be written in a + single line to prevent connection problems with sync clients. + +Example Configurations +---------------------- + +- :doc:`nginx_owncloud_8x` +- :doc:`nginx_owncloud_9x` + +You can use ownCloud over plain http, but we strongly encourage you to use +SSL/TLS to encrypt all of your server traffic, and to protect user's logins and +data in transit. + +- Remove the server block containing the redirect +- Change **listen 443 ssl** to **listen 80;** +- Remove **ssl_certificate** and **ssl_certificate_key**. 
+- Remove **fastcgi_params HTTPS on;** + +Suppressing Log Messages +======================== + +If you're seeing meaningless messages in your logfile, for example `client +denied by server configuration: /var/www/data/htaccesstest.txt +`_, add this section to +your nginx configuration to suppress them:: + + location = /data/htaccesstest.txt { + allow all; + log_not_found off; + access_log off; + } + +JavaScript (.js) or CSS (.css) files not served properly +======================================================== + +A common issue with custom nginx configs is that JavaScript (.js) +or CSS (.css) files are not served properly leading to a 404 (File not found) +error on those files and a broken webinterface. + +This could be caused by the:: + + location ~* \.(?:css|js)$ { + +block shown above not located **below** the:: + + location ~ \.php(?:$|/) { + +block. Other custom configurations like caching JavaScript (.js) +or CSS (.css) files via gzip could also cause such issues. + +Performance Tuning +================== + +`nginx (<1.9.5) `_ +`nginx (+1.9.5) `_ + +To use http_v2 for nginx you have to check two things: + + 1.) be aware that this module is not built in by default due to a dependency + to the openssl version used on your system. It will be enabled with the + ``--with-http_v2_module`` configuration parameter during compilation. The + dependency should be checked automatically. You can check the presence of + http_v2 with ``nginx -V 2>&1 | grep http_v2 -o``. An example how to compile + nginx can be found in section "Configure nginx with the + ``nginx-cache-purge`` module" below. + + 2.) 
When you have used SPDY before, the nginx config has to be changed from + ``listen 443 ssl spdy;`` to ``listen 443 ssl http2;`` + +nginx: caching ownCloud gallery thumbnails +========================================== + +One of the optimizations for ownCloud when using nginx as the Web server is to +combine FastCGI caching with "Cache Purge", a `3rdparty nginx module +`_ that adds the ability to purge +content from `FastCGI`, `proxy`, `SCGI` and `uWSGI` caches. This mechanism +speeds up thumbnail presentation as it shifts requests to nginx and minimizes +php invocations which otherwise would take place for every thumbnail presented +every time. + +The following procedure is based on an Ubuntu 14.04 system. You may need to +adapt it according your OS type and release. + +.. note:: + Unlike Apache, nginx does not dynamically load modules. All modules needed + must be compiled into nginx. This is one of the reasons for nginx´s + performance. It is expected to have an already running nginx installation + with a working configuration set up as described in the ownCloud + documentation. + +nginx module check +================== + +As a first step, it is necessary to check if your nginx installation has the +``nginx cache purge`` module compiled in:: + + nginx -V 2>&1 | grep ngx_cache_purge -o + +If your output contains ``ngx_cache_purge``, you can continue with the +configuration, otherwise you need to manually compile nginx with the module +needed. + +Compile nginx with the ``nginx-cache-purge`` module +=================================================== + +1. 
**Preparation:** + +:: + + cd /opt + wget http://nginx.org/keys/nginx_signing.key + sudo apt-key add nginx_signing.key + sudo vi /etc/apt/sources.list.d/nginx.list + +Add the following lines (if different, replace ``{trusty}`` by your +distribution + +name):: + + deb http://nginx.org/packages/mainline/ubuntu/ trusty nginx + deb -src http://nginx.org/packages/mainline/ubuntu/ trusty nginx + +Then run ``sudo apt-get update`` + +.. note:: If you're not overly cautious and wish to install the latest and + greatest nginx packages and features, you may have to install nginx from its + mainline repository. From the nginx homepage: "In general, you should + deploy nginx from its mainline branch at all times." If you would like to + use standard nginx from the latest mainline branch but without compiling in + any additional modules, just run ``sudo apt-get install nginx``. + +2. **Download the nginx source from the ppa repository** + +:: + + cd /opt + sudo apt-get build-dep nginx + sudo apt-get source nginx + +3. **Download module(s) to be compiled in and configure compiler arguments** + +:: + + ls -la + +Please replace ``{release}`` with the release downloaded:: + + cd /opt/nginx-{release}/debian + +If folder "modules" is not present, do: + +:: + + sudo mkdir modules + cd modules + sudo git clone https://github.com/FRiCKLE/ngx_cache_purge.git + sudo vi /opt/nginx-{release}/debian/rules + +If not present, add the following line at the top under:: + + #export DH_VERBOSE=1: + MODULESDIR = $(CURDIR)/debian/modules + +And at the end of every ``configure`` command add:: + + --add-module=$(MODULESDIR)/ngx_cache_purge + +Don't forget to escape preceeding lines with a backslash ``\``. +The parameters may now look like:: + + --with-cc-opt="$(CFLAGS)" \ + --with-ld-opt="$(LDFLAGS)" \ + --with-ipv6 \ + --add-module=$(MODULESDIR)/ngx_cache_purge + +4. 
**Compile and install nginx** + +:: + + cd /opt/nginx-{release} + sudo dpkg-buildpackage -uc -b + ls -la /opt + sudo dpkg --install /opt/nginx_{release}~{distribution}_amd64.deb + +5. **Check if the compilation and installation of the ngx_cache_purge module + was successful** + +:: + + nginx -V 2>&1 | grep ngx_cache_purge -o + +It should now show: ``ngx_cache_purge`` + +Show nginx version including all features compiled and installed:: + + nginx -V 2>&1 | sed s/" --"/"\n\t--"/g + +6. **Mark nginx to be blocked from further updates via apt-get** + +:: + + sudo dpkg --get-selections | grep nginx + +For every nginx component listed run ``sudo apt-mark hold `` + +7. **Regular checks for nginx updates** + +Do a regular visit on the `nginx news page `_ and proceed +in case of updates with items 2 to 5. + +Configure nginx with the ``nginx-cache-purge`` module +===================================================== + +1. **Preparation** + Create a directory where nginx will save the cached thumbnails. Use any + path that fits to your environment. Replace ``{path}`` in this example with + your path created: + +:: + + sudo mkdir -p /usr/local/tmp/cache + +2. **Configuration** + +:: + + sudo vi /etc/nginx/sites-enabled/{your-ownCloud-nginx-config-file} + +Add at the *beginning*, but *outside* the ``server{}`` block:: + + # cache_purge + fastcgi_cache_path {path} levels=1:2 keys_zone=OWNCLOUD:100m inactive=60m; + map $request_uri $skip_cache { + default 1; + ~*/thumbnail.php 0; + ~*/apps/galleryplus/ 0; + ~*/apps/gallery/ 0; + } + +.. note:: Please adopt or delete any regex line in the ``map`` block according + your needs and the ownCloud version used. 
+ As an alternative to mapping, you can use as many ``if`` statements in + your server block as necessary:: + + set $skip_cache 1; + if ($request_uri ~* "thumbnail.php") { set $skip_cache 0; } + if ($request_uri ~* "/apps/galleryplus/") { set $skip_cache 0; } + if ($request_uri ~* "/apps/gallery/") { set $skip_cache 0; } + +Add *inside* the ``server{}`` block, as an example of a configuration:: + + + # cache_purge (with $http_cookies we have unique keys for the user) + fastcgi_cache_key $http_cookie$request_method$host$request_uri; + fastcgi_cache_use_stale error timeout invalid_header http_500; + fastcgi_ignore_headers Cache-Control Expires Set-Cookie; + + location ~ \.php(?:$/) { + fastcgi_split_path_info ^(.+\.php)(/.+)$; + + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_param HTTPS on; + fastcgi_pass php-handler; + + # cache_purge + fastcgi_cache_bypass $skip_cache; + fastcgi_no_cache $skip_cache; + fastcgi_cache OWNCLOUD; + fastcgi_cache_valid 60m; + fastcgi_cache_methods GET HEAD; + } + +.. note:: Note regarding the ``fastcgi_pass`` parameter: + Use whatever fits your configuration. In the example above, an ``upstream`` + was defined in an nginx global configuration file. + This may look like:: + + upstream php-handler { + server unix:/var/run/php5-fpm.sock; + # or + # server 127.0.0.1:9000; + } + +3. **Test the configuration** + +:: + + sudo nginx -s reload + +* Open your browser and clear your cache. +* Logon to your ownCloud instance, open the gallery app, move thru your + folders and watch while the thumbnails are generated for the first time. +* You may also watch with eg. ``htop`` your system load while the + thumbnails are processed. +* Go to another app or logout and relogon. +* Open the gallery app again and browse to the folders you accessed before. + Your thumbnails should appear more or less immediately. 
+* ``htop`` will not show up additional load while processing, compared to + the high load before. diff --git a/admin_manual/installation/nginx_owncloud_8x.rst b/admin_manual/installation/nginx_owncloud_8x.rst new file mode 100644 index 000000000..bb8debcff --- /dev/null +++ b/admin_manual/installation/nginx_owncloud_8x.rst 
@@ -0,0 +1,256 @@ +================================================= +Nginx configuration for the ownCloud 8.x branches +================================================= + +ownCloud in the webroot of nginx +-------------------------------- + +The following configuration should be used when ownCloud is placed in the +webroot of your Nginx installation. Be careful about line breaks if you copy +the examples, as long lines may be broken for page formatting. + +:: + + upstream php-handler { + server 127.0.0.1:9000; + #server unix:/var/run/php5-fpm.sock; + } + + server { + listen 80; + server_name cloud.example.com; + # enforce https + return 301 https://$server_name$request_uri; + } + + server { + listen 443 ssl; + server_name cloud.example.com; + + ssl_certificate /etc/ssl/nginx/cloud.example.com.crt; + ssl_certificate_key /etc/ssl/nginx/cloud.example.com.key; + + # Add headers to serve security related headers + # Before enabling Strict-Transport-Security headers please read into this + # topic first. + # add_header Strict-Transport-Security "max-age=15768000; + # includeSubDomains; preload;"; + add_header X-Content-Type-Options nosniff; + add_header X-Frame-Options "SAMEORIGIN"; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Robots-Tag none; + + # Path to the root of your installation + root /var/www/owncloud/; + + # set max upload size + client_max_body_size 512M; + fastcgi_buffers 64 4K; + + # Disable gzip to avoid the removal of the ETag header + gzip off; + + # Uncomment if your server is build with the ngx_pagespeed module + # This module is currently not supported. + #pagespeed off; + + index index.php; + error_page 403 /core/templates/403.php; + error_page 404 /core/templates/404.php; + + rewrite ^/.well-known/carddav /remote.php/carddav/ permanent; + rewrite ^/.well-known/caldav /remote.php/caldav/ permanent; + + # The following 2 rules are only needed for the user_webfinger app. + # Uncomment it if you're planning to use this app. 
+ #rewrite ^/.well-known/host-meta /public.php?service=host-meta last; + #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json + # last; + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + location ~ ^/(build|tests|config|lib|3rdparty|templates|data)/ { + deny all; + } + + location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { + deny all; + } + + location / { + + rewrite ^/remote/(.*) /remote.php last; + rewrite ^(/core/doc/[^\/]+/)$ $1/index.html; + + try_files $uri $uri/ =404; + } + + location ~ \.php(?:$|/) { + fastcgi_split_path_info ^(.+\.php)(/.+)$; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_param HTTPS on; + #Avoid sending the security headers twice + fastcgi_param modHeadersAvailable true; + fastcgi_pass php-handler; + fastcgi_intercept_errors on; + fastcgi_request_buffering off; + } + + # Adding the cache control header for js and css files + # Make sure it is BELOW the location ~ \.php(?:$|/) { block + location ~* \.(?:css|js)$ { + add_header Cache-Control "public, max-age=7200"; + # Add headers to serve security related headers (It is intended to + # have those duplicated to the ones above) + # Before enabling Strict-Transport-Security headers please read into + # this topic first. 
+ # add_header Strict-Transport-Security "max-age=15768000; + # includeSubDomains; preload;"; + add_header X-Content-Type-Options nosniff; + add_header X-Frame-Options "SAMEORIGIN"; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Robots-Tag none; + # Optional: Don't log access to assets + access_log off; + } + + # Optional: Don't log access to other assets + location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$ { + access_log off; + } + } + +ownCloud in a subdir of nginx +------------------------------ + +The following config should be used when ownCloud is placed within a subdir of +your nginx installation. + +.. note:: This config is currently untested + +:: + + upstream php-handler { + server 127.0.0.1:9000; + #server unix:/var/run/php5-fpm.sock; + } + + server { + listen 80; + server_name example.com; + # enforce https + return 301 https://$server_name$request_uri; + } + + server { + listen 443 ssl; + server_name example.com; + + ssl_certificate /etc/ssl/nginx/cloud.example.com.crt; + ssl_certificate_key /etc/ssl/nginx/cloud.example.com.key; + + # Add headers to serve security related headers + # Before enabling Strict-Transport-Security headers please read into this + # topic first. + # add_header Strict-Transport-Security "max-age=15768000; + # includeSubDomains; preload;"; + add_header X-Content-Type-Options nosniff; + add_header X-Frame-Options "SAMEORIGIN"; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Robots-Tag none; + + # Path to the root of your website (one level above owncloud folder) + root /var/www; + + rewrite ^/.well-known/carddav /owncloud/remote.php/carddav/ redirect; + rewrite ^/.well-known/caldav /owncloud/remote.php/caldav/ redirect; + + # The following 2 rules are only needed for the user_webfinger app. + # Uncomment it if you're planning to use this app. 
+ #rewrite ^/.well-known/host-meta /owncloud/public.php?service=host-meta + # last; + #rewrite ^/.well-known/host-meta.json + # /owncloud/public.php?service=host-meta-json last; + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + location ^~ /owncloud { + + # set max upload size + client_max_body_size 512M; + fastcgi_buffers 64 4K; + + # Disable gzip to avoid the removal of the ETag header + gzip off; + + # Uncomment if your server is build with the ngx_pagespeed module + # This module is currently not supported. + #pagespeed off; + + index index.php; + + error_page 403 /owncloud/core/templates/403.php; + error_page 404 /owncloud/core/templates/404.php; + + location ~ + ^/owncloud/(build|tests|config|lib|3rdparty|templates|data)/ { + deny all; + } + + location ~ ^/owncloud/(?:\.|autotest|occ|issue|indie|db_|console) { + deny all; + } + + rewrite ^/owncloud/remote/(.*) /owncloud/remote.php last; + rewrite ^/owncloud/core/doc/([^\/]+)(?:$|/) + /owncloud/core/doc/$1/index.html; + + try_files $uri $uri/ =404; + + location ~ \.php(?:$|/) { + fastcgi_split_path_info ^(.+\.php)(/.+)$; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_param HTTPS on; + #Avoid sending the security headers twice + fastcgi_param modHeadersAvailable true; + fastcgi_pass php-handler; + fastcgi_intercept_errors on; + fastcgi_request_buffering off; + } + + # Adding the cache control header for js and css files + # Make sure it is BELOW the location ~ \.php(?:$|/) { block + location ~* \.(?:css|js)$ { + add_header Cache-Control "public, max-age=7200"; + # Add headers to serve security related headers (It is intended + # to have those duplicated to the ones above) + # Before enabling Strict-Transport-Security headers please read + # into this topic first. 
+ # add_header Strict-Transport-Security "max-age=15768000; + # includeSubDomains; preload;"; + add_header X-Content-Type-Options nosniff; + add_header X-Frame-Options "SAMEORIGIN"; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Robots-Tag none; + # Optional: Don't log access to assets + access_log off; + } + + # Optional: Don't log access to other assets + location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$ { + access_log off; + } + } + } diff --git a/admin_manual/installation/nginx_owncloud_9x.rst b/admin_manual/installation/nginx_owncloud_9x.rst new file mode 100644 index 000000000..b542256f0 --- /dev/null +++ b/admin_manual/installation/nginx_owncloud_9x.rst 
@@ -0,0 +1,289 @@ +================================================= +Nginx Configuration for the ownCloud 9.x Branches +================================================= + +The following configuration should be used when ownCloud is placed in the +webroot of your Nginx installation. Be careful about line breaks if you copy +the examples, as long lines may be broken for page formatting. + +Some environments might need a ``cgi.fix_pathinfo`` set to ``1`` in their +``php.ini``. + +Thanks to `@josh4trunks `_ for providing / +creating these configuration examples. + +ownCloud in the webroot of nginx +-------------------------------- + +The following config should be used when ownCloud is placed in the webroot of +your nginx installation. + +:: + + upstream php-handler { + server 127.0.0.1:9000; + #server unix:/var/run/php5-fpm.sock; + } + + server { + listen 80; + server_name cloud.example.com; + # enforce https + return 301 https://$server_name$request_uri; + } + + server { + listen 443 ssl; + server_name cloud.example.com; + + ssl_certificate /etc/ssl/nginx/cloud.example.com.crt; + ssl_certificate_key /etc/ssl/nginx/cloud.example.com.key; + + # Add headers to serve security related headers + # Before enabling Strict-Transport-Security headers please read into this + # topic first. + # add_header Strict-Transport-Security "max-age=15768000; + # includeSubDomains; preload;"; + add_header X-Content-Type-Options nosniff; + add_header X-Frame-Options "SAMEORIGIN"; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Robots-Tag none; + add_header X-Download-Options noopen; + add_header X-Permitted-Cross-Domain-Policies none; + + # Path to the root of your installation + root /var/www/owncloud/; + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + # The following 2 rules are only needed for the user_webfinger app. + # Uncomment it if you're planning to use this app. 
+ #rewrite ^/.well-known/host-meta /public.php?service=host-meta last; + #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json + # last; + + location = /.well-known/carddav { return 301 + $scheme://$host/remote.php/dav; } + location = /.well-known/caldav { return 301 + $scheme://$host/remote.php/dav; } + + location /.well-known/acme-challenge { } + + # set max upload size + client_max_body_size 512M; + fastcgi_buffers 64 4K; + + # Disable gzip to avoid the removal of the ETag header + gzip off; + + # Uncomment if your server is build with the ngx_pagespeed module + # This module is currently not supported. + #pagespeed off; + + error_page 403 /core/templates/403.php; + error_page 404 /core/templates/404.php; + + location / { + rewrite ^ /index.php$uri; + } + + location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ { + deny all; + } + location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { + deny all; + } + + location ~ + ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater + /.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) { + include fastcgi_params; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_param HTTPS on; + #Avoid sending the security headers twice + fastcgi_param modHeadersAvailable true; + fastcgi_param front_controller_active true; + fastcgi_pass php-handler; + fastcgi_intercept_errors on; + fastcgi_request_buffering off; + } + + location ~ ^/(?:updater|ocs-provider)(?:$|/) { + try_files $uri/ =404; + index index.php; + } + + # Adding the cache control header for js and css files + # Make sure it is BELOW the PHP block + location ~* \.(?:css|js)$ { + try_files $uri /index.php$uri$is_args$args; + add_header Cache-Control "public, max-age=7200"; + # Add headers to serve security related headers (It is intended to + # have those duplicated to the ones above) + # Before enabling 
Strict-Transport-Security headers please read into + # this topic first. + # add_header Strict-Transport-Security "max-age=15768000; + # includeSubDomains; preload;"; + add_header X-Content-Type-Options nosniff; + add_header X-Frame-Options "SAMEORIGIN"; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Robots-Tag none; + add_header X-Download-Options noopen; + add_header X-Permitted-Cross-Domain-Policies none; + # Optional: Don't log access to assets + access_log off; + } + + location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ { + try_files $uri /index.php$uri$is_args$args; + # Optional: Don't log access to other assets + access_log off; + } + } + +ownCloud in a subdir of nginx +------------------------------ + +The following config should be used when ownCloud is placed within a subdir of +your nginx installation. + +:: + + upstream php-handler { + server 127.0.0.1:9000; + #server unix:/var/run/php5-fpm.sock; + } + + server { + listen 80; + server_name cloud.example.com; + # enforce https + return 301 https://$server_name$request_uri; + } + + server { + listen 443 ssl; + server_name cloud.example.com; + + ssl_certificate /etc/ssl/nginx/cloud.example.com.crt; + ssl_certificate_key /etc/ssl/nginx/cloud.example.com.key; + + # Add headers to serve security related headers + # Before enabling Strict-Transport-Security headers please read into this + # topic first. + #add_header Strict-Transport-Security "max-age=15768000; + # includeSubDomains; preload;"; + add_header X-Content-Type-Options nosniff; + add_header X-Frame-Options "SAMEORIGIN"; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Robots-Tag none; + add_header X-Download-Options noopen; + add_header X-Permitted-Cross-Domain-Policies none; + + # Path to the root of your installation + root /var/www/; + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + # The following 2 rules are only needed for the user_webfinger app. 
+ # Uncomment it if you're planning to use this app. + # rewrite ^/.well-known/host-meta /owncloud/public.php?service=host-meta + # last; + #rewrite ^/.well-known/host-meta.json + # /owncloud/public.php?service=host-meta-json last; + + location = /.well-known/carddav { return 301 + $scheme://$host/owncloud/remote.php/dav; } + location = /.well-known/caldav { return 301 + $scheme://$host/owncloud/remote.php/dav; } + + location /.well-known/acme-challenge { } + + location ^~ /owncloud { + + # set max upload size + client_max_body_size 512M; + fastcgi_buffers 64 4K; + + # Disable gzip to avoid the removal of the ETag header + gzip off; + + # Uncomment if your server is build with the ngx_pagespeed module + # This module is currently not supported. + #pagespeed off; + + error_page 403 /owncloud/core/templates/403.php; + error_page 404 /owncloud/core/templates/404.php; + + location /owncloud { + rewrite ^ /owncloud/index.php$uri; + } + + location ~ + ^/owncloud/(?:build|tests|config|lib|3rdparty|templates|data)/ { + deny all; + } + location ~ ^/owncloud/(?:\.|autotest|occ|issue|indie|db_|console) { + deny all; + } + + location ~ + ^/owncloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]| + updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) { + include fastcgi_params; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_param HTTPS on; + #Avoid sending the security headers twice + fastcgi_param modHeadersAvailable true; + fastcgi_param front_controller_active true; + fastcgi_pass php-handler; + fastcgi_intercept_errors on; + fastcgi_request_buffering off; + } + + location ~ ^/owncloud/(?:updater|ocs-provider)(?:$|/) { + try_files $uri/ =404; + index index.php; + } + + # Adding the cache control header for js and css files + # Make sure it is BELOW the PHP block + location ~* \.(?:css|js)$ { + try_files $uri 
/owncloud/index.php$uri$is_args$args; + add_header Cache-Control "public, max-age=7200"; + # Add headers to serve security related headers (It is intended + # to have those duplicated to the ones above) + # Before enabling Strict-Transport-Security headers please read + # into this topic first. + # add_header Strict-Transport-Security "max-age=15768000; + # includeSubDomains; preload;"; + add_header X-Content-Type-Options nosniff; + add_header X-Frame-Options "SAMEORIGIN"; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Robots-Tag none; + add_header X-Download-Options noopen; + add_header X-Permitted-Cross-Domain-Policies none; + # Optional: Don't log access to assets + access_log off; + } + + location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ { + try_files $uri /owncloud/index.php$uri$is_args$args; + # Optional: Don't log access to other assets + access_log off; + } + } + } + \ No newline at end of file diff --git a/admin_manual/installation/source_installation.rst b/admin_manual/installation/source_installation.rst index 5762d98ba..b92e541c6 100644 --- a/admin_manual/installation/source_installation.rst +++ b/admin_manual/installation/source_installation.rst @@ -441,8 +441,7 @@ in the ``owncloud/.user.ini`` file. Other Web Servers ----------------- -`NGINX configuration -`_ +:doc:`nginx_examples` `Other HTTP servers diff --git a/admin_manual/issues/general_troubleshooting.rst b/admin_manual/issues/general_troubleshooting.rst index b4eab9eb4..539ce942c 100644 --- a/admin_manual/issues/general_troubleshooting.rst +++ b/admin_manual/issues/general_troubleshooting.rst 
@@ -265,8 +265,7 @@ and if running in a subfolder like ``owncloud``: For the first case the :file:`.htaccess` file shipped with ownCloud should do this work for your when running Apache. You only need to make sure that your Web server is using this file. When running NGINX please refer to -`NGINX configuration -`_ +:doc:`../installation/nginx_examples`. If your ownCloud instance is installed in a subfolder called ``owncloud`` and
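Review bot: in admin_manual/installation/deployment_recommendations.rst (hunk at -408,18), the three deleted RST comments on Shibboleth and upload buffering recorded reasons behind the sentence that stays in the context line above them, "Nginx does not support all features necessary for enterprise deployments". The commit subject only mentions restoring the Nginx pages. Either mention this removal in the commit message, or replace the comments with a visible sentence naming the missing features, so the recommendation against Nginx is not left without a stated basis.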
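Review bot: in admin_manual/installation/nginx_examples.rst, the cache example for the server{} block opens with `location ~ \.php(?:$/) {`, which is missing the `|` that every other PHP block in this patch has (`location ~ \.php(?:$|/) {`). As written, the group requires a `/` after the end of the string, so the location can never match and none of the fastcgi_cache directives inside it take effect. Please change it to `\.php(?:$|/)`. The comment above fastcgi_cache_key says `$http_cookies` but the variable used is `$http_cookie`. Since that variable is the only per-user part of the key, and Set-Cookie and Cache-Control are ignored, the text should state that requests sent without a Cookie header share one cache entry per URI. In step 1 of the compile procedure, nginx_signing.key is fetched over plain http and passed straight to apt-key add. Fetch it over https and tell readers to check the key fingerprint before adding it. Two smaller fixes: the second sources.list line reads `deb -src` and should be `deb-src`, and the plain-http list names `fastcgi_params HTTPS on;` where the configs use `fastcgi_param HTTPS on;`.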
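Review bot: in admin_manual/installation/nginx_owncloud_8x.rst, the commented-out Strict-Transport-Security header is wrapped over two comment lines in both server blocks and both css/js blocks. A reader who uncomments it as shown gets a header value containing a line break, which contradicts the rule this patch adds in nginx_examples.rst that each add_header statement must be written on a single line. Keep the directive on one line inside the literal block even if it exceeds the page width. In the subdir example, server_name is `example.com` while ssl_certificate and ssl_certificate_key point at `cloud.example.com` files. Use one hostname throughout so the example does not suggest a certificate that mismatches the served name. Also, `fastcgi_request_buffering off;` needs nginx 1.7.11 or later, so the page should state that minimum version.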
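Review bot: in admin_manual/installation/nginx_owncloud_9x.rst, the regex of the PHP location is wrapped in the middle of the pattern in both examples (after `ocs/v[12]|updater` in the webroot config and after `ocs/v[12]|` in the subdir config). nginx splits parameters at whitespace, so the block cannot be pasted as shown. Because this location is the allowlist deciding which .php paths reach php-handler, a reader who repairs it by hand can easily end up with a different set of entry points. Keep the whole `location ~ ^/(?:index|remote|...)\.php(?:$|/) {` line unwrapped in the literal block. The same applies to the wrapped `return 301` targets for /.well-known/carddav and /.well-known/caldav. The file also ends without a trailing newline ("\ No newline at end of file"), so please add one.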