From 577706dbbe0c307c2045d0ca6608dd349f70f652 Mon Sep 17 00:00:00 2001 From: Markus Hauschild Date: Wed, 29 Sep 2021 17:27:13 +0200 Subject: [PATCH] nextcloud: adjust for debian bullseye, backport php settings --- roles/nextcloud/files/opcache.ini | 1 + roles/nextcloud/files/www.conf | 133 +++++++++++++++-------- roles/nextcloud/handlers/main.yml | 4 +- roles/nextcloud/tasks/main.yml | 80 +++++++------- roles/nextcloud/templates/vhost.j2 | 167 ++++++++++++++++------------- 5 files changed, 228 insertions(+), 157 deletions(-) diff --git a/roles/nextcloud/files/opcache.ini b/roles/nextcloud/files/opcache.ini index e1a60bb..98e7dec 100644 --- a/roles/nextcloud/files/opcache.ini +++ b/roles/nextcloud/files/opcache.ini @@ -9,3 +9,4 @@ opcache.max_accelerated_files=10000 opcache.memory_consumption=128 opcache.save_comments=1 opcache.revalidate_freq=1 +opcache.jit_buffer_size=100M diff --git a/roles/nextcloud/files/www.conf b/roles/nextcloud/files/www.conf index 2dfecab..0a78e4d 100644 --- a/roles/nextcloud/files/www.conf +++ b/roles/nextcloud/files/www.conf @@ -1,5 +1,5 @@ ; Start a new pool named 'www'. -; the variable $pool can we used in any directive and will be replaced by the +; the variable $pool can be used in any directive and will be replaced by the ; pool name ('www' here) [www] @@ -29,21 +29,20 @@ group = www-data ; a specific port; ; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on ; a specific port; -; 'port' - to listen on a TCP socket to all IPv4 addresses on a -; specific port; -; '[::]:port' - to listen on a TCP socket to all addresses +; 'port' - to listen on a TCP socket to all addresses ; (IPv6 and IPv4-mapped) on a specific port; ; '/path/to/unix/socket' - to listen on a unix socket. ; Note: This value is mandatory. -listen = /var/run/php-fpm.sock +listen = /run/php/php-fpm.sock ; Set listen(2) backlog. -; Default Value: 65535 (-1 on FreeBSD and OpenBSD) -;listen.backlog = 65535 +; Default Value: 511 (-1 on FreeBSD and OpenBSD) +;listen.backlog = 511 ; Set permissions for unix socket, if one is used. In Linux, read/write ; permissions must be set in order to allow connections from a web server. Many -; BSD-derived systems allow connections regardless of permissions. +; BSD-derived systems allow connections regardless of permissions. The owner +; and group can be specified either by name or by their numeric IDs. ; Default Values: user and group are set as the running user ; mode is set to 0660 listen.owner = www-data @@ -54,7 +53,7 @@ listen.group = www-data ; When set, listen.owner and listen.group are ignored ;listen.acl_users = ;listen.acl_groups = - + ; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect. ; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original ; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address @@ -71,6 +70,12 @@ listen.group = www-data ; Default Value: no set ; process.priority = -19 +; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user +; or group is different than the master process user. It allows to create process +; core dump and ptrace the process for the pool user. +; Default Value: no +; process.dumpable = yes + ; Choose how the process manager will control the number of child processes. ; Possible Values: ; static - a fixed number (pm.max_children) of child processes; @@ -106,28 +111,28 @@ pm = dynamic ; forget to tweak pm.* to fit your needs. ; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand' ; Note: This value is mandatory. -pm.max_children = 5 +pm.max_children = 80 ; The number of child processes created on startup. ; Note: Used only when pm is set to 'dynamic' -; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2 -pm.start_servers = 2 +; Default Value: (min_spare_servers + max_spare_servers) / 2 +pm.start_servers = 10 ; The desired minimum number of idle server processes. ; Note: Used only when pm is set to 'dynamic' ; Note: Mandatory when pm is set to 'dynamic' -pm.min_spare_servers = 1 +pm.min_spare_servers = 10 ; The desired maximum number of idle server processes. ; Note: Used only when pm is set to 'dynamic' ; Note: Mandatory when pm is set to 'dynamic' -pm.max_spare_servers = 3 +pm.max_spare_servers = 15 ; The number of seconds after which an idle process will be killed. ; Note: Used only when pm is set to 'ondemand' ; Default Value: 10s ;pm.process_idle_timeout = 10s; - + ; The number of requests each child process should execute before respawning. ; This can be useful to work around memory leaks in 3rd party libraries. For ; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS. @@ -135,7 +140,7 @@ pm.max_spare_servers = 3 ;pm.max_requests = 500 ; The URI to view the FPM status page. If this value is not set, no URI will be -; recognized as a status page. It shows the following informations: +; recognized as a status page. It shows the following information: ; pool - the name of the pool; ; process manager - static, dynamic or ondemand; ; start time - the date and time FPM has started; @@ -180,7 +185,7 @@ pm.max_spare_servers = 3 ; ; By default the status page only outputs short status. Passing 'full' in the ; query string will also return status for each pool process. -; Example: +; Example: ; http://www.foo.bar/status?full ; http://www.foo.bar/status?json&full ; http://www.foo.bar/status?html&full @@ -225,14 +230,30 @@ pm.max_spare_servers = 3 ; last request memory: 0 ; ; Note: There is a real-time FPM status monitoring sample web page available -; It's available in: /usr/share/php/7.0/fpm/status.html +; It's available in: /usr/share/php/8.0/fpm/status.html ; ; Note: The value must start with a leading slash (/). The value can be ; anything, but it may not be a good idea to use the .php extension or it ; may conflict with a real PHP file. -; Default Value: not set +; Default Value: not set ;pm.status_path = /status - + +; The address on which to accept FastCGI status request. This creates a new +; invisible pool that can handle requests independently. This is useful +; if the main pool is busy with long running requests because it is still possible +; to get the status before finishing the long running requests. +; +; Valid syntaxes are: +; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on +; a specific port; +; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on +; a specific port; +; 'port' - to listen on a TCP socket to all addresses +; (IPv6 and IPv4-mapped) on a specific port; +; '/path/to/unix/socket' - to listen on a unix socket. +; Default Value: value of the listen option +;pm.status_listen = 127.0.0.1:9001 + ; The ping URI to call the monitoring page of FPM. If this value is not set, no ; URI will be recognized as a ping page. This could be used to test from outside ; that FPM is alive and responding, or to @@ -265,13 +286,13 @@ pm.max_spare_servers = 3 ; %d: time taken to serve the request ; it can accept the following format: ; - %{seconds}d (default) -; - %{miliseconds}d +; - %{milliseconds}d ; - %{mili}d ; - %{microseconds}d ; - %{micro}d ; %e: an environment variable (same as $_ENV or $_SERVER) ; it must be associated with embraces to specify the name of the env -; variable. Some exemples: +; variable. Some examples: ; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e ; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e ; %f: script filename @@ -293,7 +314,7 @@ pm.max_spare_servers = 3 ; - .... ; %p: PID of the child that serviced the request ; %P: PID of the parent of the child that serviced the request -; %q: the query string +; %q: the query string ; %Q: the '?' character if query string exists ; %r: the request URI (without the query string, see %q and %Q) ; %R: remote IP address @@ -301,64 +322,87 @@ pm.max_spare_servers = 3 ; %t: server time the request was received ; it can accept a strftime(3) format: ; %d/%b/%Y:%H:%M:%S %z (default) +; The strftime(3) format must be encapsuled in a %{}t tag +; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t ; %T: time the log has been written (the request has finished) ; it can accept a strftime(3) format: ; %d/%b/%Y:%H:%M:%S %z (default) +; The strftime(3) format must be encapsuled in a %{}t tag +; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t ; %u: remote user ; ; Default: "%R - %u %t \"%m %r\" %s" ;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%" - + ; The log file for slow requests ; Default Value: not set ; Note: slowlog is mandatory if request_slowlog_timeout is set ;slowlog = log/$pool.log.slow - + ; The timeout for serving a single request after which a PHP backtrace will be ; dumped to the 'slowlog' file. A value of '0s' means 'off'. ; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) ; Default Value: 0 ;request_slowlog_timeout = 0 - + +; Depth of slow log stack trace. +; Default Value: 20 +;request_slowlog_trace_depth = 20 + ; The timeout for serving a single request after which the worker process will ; be killed. This option should be used when the 'max_execution_time' ini option ; does not stop script execution for some reason. A value of '0' means 'off'. ; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) ; Default Value: 0 ;request_terminate_timeout = 0 - + +; The timeout set by 'request_terminate_timeout' ini option is not engaged after +; application calls 'fastcgi_finish_request' or when application has finished and +; shutdown functions are being called (registered via register_shutdown_function). +; This option will enable timeout limit to be applied unconditionally +; even in such cases. +; Default Value: no +;request_terminate_timeout_track_finished = no + ; Set open file descriptor rlimit. ; Default Value: system defined value ;rlimit_files = 1024 - + ; Set max core size rlimit. ; Possible Values: 'unlimited' or an integer greater or equal to 0 ; Default Value: system defined value ;rlimit_core = 0 - + ; Chroot to this directory at the start. This value must be defined as an ; absolute path. When this value is not set, chroot is not used. ; Note: you can prefix with '$prefix' to chroot to the pool prefix or one ; of its subdirectories. If the pool prefix is not set, the global prefix ; will be used instead. -; Note: chrooting is a great security feature and should be used whenever +; Note: chrooting is a great security feature and should be used whenever ; possible. However, all PHP paths will be relative to the chroot ; (error_log, sessions.save_path, ...). ; Default Value: not set -;chroot = - +;chroot = + ; Chdir to this directory at the start. ; Note: relative path can be used. ; Default Value: current directory or / when chroot -chdir = / - +;chdir = /var/www + ; Redirect worker stdout and stderr into main error log. If not set, stdout and ; stderr will be redirected to /dev/null according to FastCGI specs. -; Note: on highloaded environement, this can cause some delay in the page +; Note: on highloaded environment, this can cause some delay in the page ; process time (several ms). ; Default Value: no ;catch_workers_output = yes +; Decorate worker output with prefix and suffix containing information about +; the child that writes to the log and if stdout or stderr is used as well as +; log level and time. This options is used only if catch_workers_output is yes. +; Settings to "no" will output data as written to the stdout or stderr. +; Default value: yes +;decorate_workers_output = no + ; Clear environment in FPM workers ; Prevents arbitrary environment variables from reaching FPM worker processes ; by clearing the environment in workers before env vars specified in this @@ -371,25 +415,26 @@ chdir = / ; Limits the extensions of the main script FPM will allow to parse. This can ; prevent configuration mistakes on the web server side. You should only limit ; FPM to .php extensions to prevent malicious users to use other extensions to -; exectute php code. +; execute php code. ; Note: set an empty value to allow all extensions. ; Default Value: .php -;security.limit_extensions = .php .php3 .php4 .php5 - +;security.limit_extensions = .php .php3 .php4 .php5 .php7 + ; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from ; the current environment. ; Default Value: clean env -env[HOSTNAME] = $HOSTNAME +;env[HOSTNAME] = $HOSTNAME +;env[PATH] = /usr/local/bin:/usr/bin:/bin +;env[TMP] = /tmp +;env[TMPDIR] = /tmp +;env[TEMP] = /tmp env[PATH] = /usr/local/bin:/usr/bin:/bin -env[TMP] = /tmp -env[TMPDIR] = /tmp -env[TEMP] = /tmp ; Additional php.ini defines, specific to this pool of workers. These settings ; overwrite the values previously defined in the php.ini. The directives are the ; same as the PHP SAPI: ; php_value/php_flag - you can set classic ini defines which can -; be overwritten from PHP call 'ini_set'. +; be overwritten from PHP call 'ini_set'. ; php_admin_value/php_admin_flag - these directives won't be overwritten by ; PHP call 'ini_set' ; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no. @@ -409,3 +454,5 @@ env[TEMP] = /tmp ;php_admin_value[error_log] = /var/log/fpm-php.www.log ;php_admin_flag[log_errors] = on ;php_admin_value[memory_limit] = 32M +php_admin_value[memory_limit] = 512M + diff --git a/roles/nextcloud/handlers/main.yml b/roles/nextcloud/handlers/main.yml index 5f74ea9..a24f652 100644 --- a/roles/nextcloud/handlers/main.yml +++ b/roles/nextcloud/handlers/main.yml @@ -3,5 +3,5 @@ - name: Restart nginx service: name=nginx state=restarted -- name: Restart php7.4-fpm - service: name=php7.4-fpm state=restarted +- name: Restart php8.0-fpm + service: name=php8.0-fpm state=restarted diff --git a/roles/nextcloud/tasks/main.yml b/roles/nextcloud/tasks/main.yml index 6d9af21..dcf36ce 100644 --- a/roles/nextcloud/tasks/main.yml +++ b/roles/nextcloud/tasks/main.yml @@ -4,47 +4,53 @@ apt_key: url="https://packages.sury.org/php/apt.gpg" - name: Enable sury php repository - apt_repository: repo="deb https://packages.sury.org/php/ stretch main" + apt_repository: repo="deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main" + +- name: Enable collaboraoffice apt-key + apt_key: url="https://collaboraoffice.com/downloads/gpg/collaboraonline-release-keyring.gpg" + +- name: Enable collaboraoffice repository + apt_repository: repo="deb https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-debian11 ./" - name: Install packages apt: name: - php-redis - - php7.4 - - php7.4-bcmath - - php7.4-bz2 - - php7.4-cli - - php7.4-common - - php7.4-curl - - php7.4-dev - - php7.4-fpm - - php7.4-gd - - php7.4-gmp - - php7.4-imap - - php7.4-intl - - php7.4-json - - php7.4-ldap - - php7.4-mbstring - - php7.4-mysql - - php7.4-opcache - - php7.4-pgsql - - php7.4-readline - - php7.4-soap - - php7.4-sqlite3 - - php7.4-tidy - - php7.4-xml - - php7.4-xmlrpc - - php7.4-zip + - php8.0 + - php8.0-apcu + - php8.0-bcmath + - php8.0-bz2 + - php8.0-cli + - php8.0-common + - php8.0-curl + - php8.0-dev + - php8.0-fpm + - php8.0-gd + - php8.0-gmp + - php8.0-imap + - php8.0-intl + - php8.0-ldap + - php8.0-mbstring + - php8.0-mysql + - php8.0-opcache + - php8.0-pgsql + - php8.0-readline + - php8.0-soap + - php8.0-sqlite3 + - php8.0-tidy + - php8.0-xml + - php8.0-xmlrpc + - php8.0-zip - postgresql - python3-psycopg2 - name: Configure PostgreSQL database - postgresql_db: name={{ owncloud_dbname }} + postgresql_db: name={{ nextcloud_dbname }} become: true become_user: postgres - name: Configure PostgreSQL user - postgresql_user: db={{ owncloud_dbname }} name={{ owncloud_dbuser }} password={{ owncloud_dbpass }} priv=ALL state=present + postgresql_user: db={{ nextcloud_dbname }} name={{ nextcloud_dbuser }} password={{ nextcloud_dbpass }} priv=ALL state=present become: true become_user: postgres @@ -63,22 +69,20 @@ template: src=vhost.j2 dest=/etc/nginx/sites-available/nextcloud notify: Restart nginx -# FIXME currently PHP handled out of ansible -#- name: Configure php7.4-fpm -# copy: src=www.conf dest=/etc/php/7.4/fpm/pool.d/www.conf -# notify: Restart php7.4-fpm +- name: Configure php8.0-fpm + copy: src=www.conf dest=/etc/php/8.0/fpm/pool.d/www.conf + notify: Restart php8.0-fpm -# FIXME currently PHP handled out of ansible -#- name: Configure php7.4 opcache -# copy: src=opcache.ini dest=/etc/php/7.4/mods-available/opcache.ini -# notify: Restart php7.4-fpm +- name: Configure php8.0 opcache + copy: src=opcache.ini dest=/etc/php/8.0/mods-available/opcache.ini + notify: Restart php8.0-fpm - name: Enable vhost file: src=/etc/nginx/sites-available/nextcloud dest=/etc/nginx/sites-enabled/nextcloud state=link notify: Restart nginx -- name: Start php7.4-fpm - service: name=php7.4-fpm state=started enabled=yes +- name: Start php8.0-fpm + service: name=php8.0-fpm state=started enabled=yes - name: Start PostgreSQL service: name=postgresql state=started enabled=yes diff --git a/roles/nextcloud/templates/vhost.j2 b/roles/nextcloud/templates/vhost.j2 index 35602c9..b8387fa 100644 --- a/roles/nextcloud/templates/vhost.j2 +++ b/roles/nextcloud/templates/vhost.j2 @@ -1,3 +1,7 @@ +upstream php-handler { + server unix:/run/php/php-fpm.sock; +} + server { listen 80; listen [::]:80; @@ -23,10 +27,13 @@ server { ssl_certificate_key /etc/nginx/ssl/{{ nextcloud_domain }}.key; ssl_certificate /etc/nginx/ssl/{{ nextcloud_domain }}.crt; + # TODO enable anonymized in global config + #access_log /var/log/nginx/access.log anonymized; + # Add headers to serve security related headers add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; add_header X-Content-Type-Options nosniff; - #add_header X-Frame-Options "SAMEORIGIN"; + add_header X-Frame-Options "SAMEORIGIN"; add_header X-XSS-Protection "1; mode=block"; add_header X-Robots-Tag none; add_header X-Download-Options noopen; @@ -42,9 +49,52 @@ server { client_max_body_size 1G; fastcgi_buffers 64 4K; - index index.php; - error_page 403 /core/templates/403.php; - error_page 404 /core/templates/404.php; + index index.php index.html /index.php$request_uri; + + + location ^~ /loleaflet { + proxy_pass http://localhost:9980; + proxy_set_header Host $http_host; + } + + location ^~ /hosting/discovery { + proxy_pass http://localhost:9980; + proxy_set_header Host $http_host; + } + + location ^~ /hosting/capabilities { + proxy_pass http://localhost:9980; + proxy_set_header Host $http_host; + } + + location ~ ^/lool/(.*)/ws$ { + proxy_pass http://localhost:9980; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header Host $http_host; + proxy_read_timeout 36000s; + } + + location ~ ^/lool { + proxy_pass http://localhost:9980; + proxy_set_header Host $http_host; + } + + location ^~ /lool/adminws { + proxy_pass http://localhost:9980; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header Host $http_host; + proxy_read_timeout 36000s; + } + + + # Rule borrowed from `.htaccess` to handle Microsoft DAV clients + location = / { + if ( $http_user_agent ~ ^DavClnt ) { + return 302 /remote.php/webdav/$is_args$args; + } + } location = /robots.txt { allow all; @@ -52,96 +102,65 @@ server { access_log off; } - location = /.well-known/carddav { - return 301 $scheme://$host/remote.php/dav; - } - location = /.well-known/caldav { - return 301 $scheme://$host/remote.php/dav; + # Make a regex exception for `/.well-known` so that clients can still + # access it despite the existence of the regex rule + # `location ~ /(\.|autotest|...)` which would otherwise handle requests + # for `/.well-known`. + location ^~ /.well-known { + # The following 6 rules are borrowed from `.htaccess` + + location = /.well-known/carddav { return 301 /remote.php/dav/; } + location = /.well-known/caldav { return 301 /remote.php/dav/; } + # Anything else is dynamically handled by Nextcloud + location ^~ /.well-known { return 301 /index.php$uri; } + + try_files $uri $uri/ =404; } + # Rules borrowed from `.htaccess` to hide certain paths from clients + location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; } + location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; } - location / { - rewrite ^ /index.php$request_uri; - } + # Ensure this block, which passes PHP files to the PHP process, is above the blocks + # which handle static assets (as seen below). If this block is not declared first, + # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php` + # to the URI, resulting in a HTTP 500 error response. + location ~ \.php(?:$|/) { + fastcgi_split_path_info ^(.+?\.php)(/.*)$; + set $path_info $fastcgi_path_info; - location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ { - deny all; - } + try_files $fastcgi_script_name =404; - location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) { - deny all; - } - - location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|ocm-provider\/.+)\.php(?:$|\/) { - fastcgi_split_path_info ^(.+?\.php)(\/.*|)$; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param PATH_INFO $fastcgi_path_info; - fastcgi_pass unix:/run/php/php-fpm.sock; + fastcgi_param PATH_INFO $path_info; fastcgi_param HTTPS on; - #Avoid sending the security headers twice - fastcgi_param modHeadersAvailable true; - fastcgi_param front_controller_active true; + + fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice + fastcgi_param front_controller_active true; # Enable pretty urls + fastcgi_pass php-handler; + fastcgi_intercept_errors on; fastcgi_request_buffering off; } - location ~ ^\/(?:updater|ocs-provider|ocm-provider)(?:$|\/) { - try_files $uri/ =404; - index index.php; - } - - # Adding the cache control header for js and css files - # Make sure it is BELOW the PHP block - location ~ \.(?:css|js|woff2?|svg|gif)$ { + location ~ \.(?:css|js|svg|gif)$ { try_files $uri /index.php$request_uri; - add_header Cache-Control "public, max-age=15778463"; - # Add headers to serve security related headers (It is intended to - # have those duplicated to the ones above) - # Before enabling Strict-Transport-Security headers please read into - # this topic first. - # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; - # - # WARNING: Only add the preload option once you read about - # the consequences in https://hstspreload.org/. This option - # will add the domain to a hardcoded list that is shipped - # in all major browsers and getting removed from this list - # could take several months. - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Robots-Tag none; - add_header X-Download-Options noopen; - add_header X-Permitted-Cross-Domain-Policies none; - add_header Referrer-Policy no-referrer; - # Optional: Don't log access to assets - access_log off; + expires 6M; # Cache-Control policy borrowed from `.htaccess` + access_log off; # Optional: Don't log access to assets } - location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ { + location ~ \.woff2?$ { try_files $uri /index.php$request_uri; - # Optional: Don't log access to other assets - access_log off; + expires 7d; # Cache-Control policy borrowed from `.htaccess` + access_log off; # Optional: Don't log access to assets } - # collabora static files - location ^~ /loleaflet { - proxy_pass http://localhost:9980; - proxy_set_header Host $http_host; + + location / { + try_files $uri $uri/ /index.php$request_uri; } - # collabora WOPI discovery URL - location ^~ /hosting/discovery { - proxy_pass http://localhost:9980; - proxy_set_header Host $http_host; - } - - # collabora websockets, download, presentation and image upload - location ^~ /lool { - proxy_pass http://localhost:9980; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_set_header Host $http_host; - } # collabora static files location /drawio {