ansible/roles/owncloud/templates/vhost.j2

server {
	listen 80;
	listen [::]:80;

	server_name {{ owncloud_domain }};

	location /.well-known/acme-challenge {
		default_type "text/plain";
		alias /var/www/acme-challenge;
	}

	location / {
		return 301 https://{{ owncloud_domain }}$request_uri;
	}
}

server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	server_name {{ owncloud_domain }};

	ssl_certificate_key /etc/nginx/ssl/{{ owncloud_domain }}.key;
	ssl_certificate /etc/nginx/ssl/{{ owncloud_domain }}.crt;

	# Add headers to serve security related headers
	add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
	add_header X-Content-Type-Options nosniff;
	add_header X-Frame-Options "SAMEORIGIN";
	add_header X-XSS-Protection "1; mode=block";
	add_header X-Robots-Tag none;

	root /var/www/owncloud/;

	# set max upload size
	client_max_body_size 1G;
	fastcgi_buffers 64 4K;

	# Disable gzip to avoid the removal of the ETag header
	gzip off;

	index index.php;
	error_page 403 /core/templates/403.php;
	error_page 404 /core/templates/404.php;

	rewrite ^/.well-known/carddav /remote.php/dav/ permanent;
	rewrite ^/.well-known/caldav /remote.php/dav/ permanent;

	location ~ ^/(build|tests|config|lib|3rdparty|templates|data)/ {
		deny all;
	}

	location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
		deny all;
	}

	location / {
		rewrite ^/remote/(.*) /remote.php last;
		rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
		try_files $uri $uri/ =404;
	}

	location ~ \.php(?:$|/) {
		fastcgi_split_path_info ^(.+\.php)(/.+)$;
		include fastcgi_params;
		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
		fastcgi_param PATH_INFO $fastcgi_path_info;
		fastcgi_param HTTPS on;
		fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
		fastcgi_pass unix:/var/run/php5-fpm.sock;
		fastcgi_intercept_errors on;
	}
}