# Apache virtual-host template (Jinja2) for a Nextcloud instance.
#
# NOTE(review): this template was reviewed from a copy collapsed onto a single line.
# The section containers (<VirtualHost>, <Directory>, <IfModule>, ...) appear to have
# been lost. The directives below are unchanged and in their original order, one per
# line. Which container each belongs to cannot be determined from here; check every
# scope remark below against the real template.

# --- Plain-HTTP side (presumably the port-80 virtual host; confirm) ---
DocumentRoot {{ http_webroot }}/nextcloud
RewriteEngine On
# "=" is an exact string comparison: only requests whose server name equals the
# host's FQDN are redirected to HTTPS. NOTE(review): a request arriving under any
# other name (IP address, alias) does not match this condition; confirm that such
# requests are not served from the DocumentRoot over unencrypted HTTP.
RewriteCond %{SERVER_NAME} ={{ ansible_fqdn }}
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

# --- TLS side (presumably the port-443 virtual host; confirm) ---
SSLEngine on
# StrictRequire makes a denial by SSLRequire/SSLRequireSSL final even where
# "Satisfy any" would otherwise grant access. No such requirement is visible in this
# template, so the option only matters if one is set elsewhere (e.g. in .htaccess).
SSLOptions +StrictRequire
# Two named log formats. No CustomLog directive that uses them is visible here.
# Despite its name, vhost_combined does not record the virtual host (%v).
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
ServerName {{ ansible_fqdn }}
ServerAdmin admin@{{ ansible_fqdn }}
DocumentRoot {{ http_webroot }}/nextcloud
# Certificate and private key are looked up by FQDN under ssl_path. Ownership and
# mode of the .key file are set outside this template; it should be readable by
# root only.
SSLCertificateFile {{ ssl_path }}/{{ ansible_fqdn }}.crt
SSLCertificateKeyFile {{ ssl_path }}/{{ ansible_fqdn }}.key

# --- Per-directory settings (enclosing <Directory> lines are not visible) ---
Options +FollowSymlinks
# AllowOverride All makes every .htaccess file under this scope part of the server
# configuration, so write access to that tree is security-relevant.
AllowOverride All
# mod_dav is switched off for this scope; Nextcloud provides its own WebDAV endpoint.
Dav off
# NOTE(review): with its container missing, it is unclear what this denial protects
# (possibly the data directory or the filesystem root). At virtual-host or
# DocumentRoot level it would block all access - confirm the intended scope.
Require all denied
SetEnv HOME {{ http_webroot }}/nextcloud
SetEnv HTTP_HOME {{ http_webroot }}/nextcloud
# Fix zero file sizes
# See https://github.com/nextcloud/server/issues/3056#issuecomment-954209565
SetEnv proxy-sendcl 1
# See https://httpd.apache.org/docs/current/en/mod/core.html#limitrequestbody
# 0 removes Apache's limit on request body size entirely. Upload size is then bounded
# only by whatever PHP and Nextcloud enforce; set an explicit ceiling here if
# unbounded uploads are a resource-exhaustion concern.
LimitRequestBody 0

# --- Response headers ---
# max-age=15768000 is roughly six months. NOTE(review): the "preload" token has no
# effect on its own. The browser preload list requires max-age >= 31536000 and
# includeSubDomains. Either drop "preload" or meet those requirements deliberately;
# includeSubDomains would bind every host below this name to HTTPS.
Header always set Strict-Transport-Security "max-age=15768000; preload"
# The next three headers are disabled here, presumably because the application sends
# them itself - verify against a captured response that they are actually present.
#Header set Referrer-Policy "strict-origin-when-cross-origin"
#Header set X-Content-Type-Options "nosniff"
#Header always set X-Frame-Options "SAMEORIGIN"

# --- Protocol versions and cipher suites ---
# ssl_status decides whether TLS 1.3 is offered next to TLS 1.2; where the variable
# is set is not visible here. Both branches disable everything older than TLS 1.2.
{% if ssl_status is sameas true %}
SSLProtocol -all +TLSv1.3 +TLSv1.2
{% else %}
SSLProtocol -all +TLSv1.2
{% endif %}
# NOTE(review): several entries are not OpenSSL cipher names. TLS 1.3 suites are
# spelled with underscores (TLS_CHACHA20_POLY1305_SHA256, TLS_AES_256_GCM_SHA384) and
# mod_ssl takes them on a separate "SSLCipherSuite TLSv1.3 ..." line. No
# *-AES256-GCM-SHA512 suite exists. OpenSSL skips names it does not recognise, so the
# effective TLS 1.2 list is most likely just the two *-AES256-GCM-SHA384 entries, with
# TLS 1.3 falling back to library defaults. Check with: openssl ciphers -v '<list>'.
# All listed suites are RSA-authenticated, so an ECDSA certificate would fail to
# negotiate under TLS 1.2.
SSLCipherSuite TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384
# The server's preference order wins over the client's.
SSLHonorCipherOrder on
# TLS-level compression stays off (it leaks plaintext length; CRIME-class attacks).
SSLCompression off
# No session tickets, so no long-lived ticket key that could weaken forward secrecy.
SSLSessionTickets off

# --- OCSP stapling ---
# Stapling is disabled, so the three stapling directives that follow have no effect
# until SSLUseStapling is turned on.
# NOTE(review): SSLStaplingCache is only valid in the global server context. Confirm
# it sits outside any <VirtualHost> in the real file.
SSLUseStapling off
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)

# --- Key-exchange parameters (applied only when web_status is true) ---
# Curves lists the ECDHE groups on offer. ECDHParameters also selects a curve;
# NOTE(review): how the two interact depends on the OpenSSL version, so confirm the
# negotiated group on the target platform. DHParameters loads the group used by the
# DHE suites. Generation of dhparams.pem is not visible here; it should be at least
# 2048 bits.
{% if web_status is sameas true %}
SSLOpenSSLConfCmd Curves X448:secp521r1:secp384r1:prime256v1
SSLOpenSSLConfCmd ECDHParameters secp384r1
SSLOpenSSLConfCmd DHParameters "{{ ssl_path }}/dhparams.pem"
{% endif %}

# Seed the TLS PRNG with 1024 bytes from /dev/urandom at startup and per connection.
# NOTE(review): SSLRandomSeed is a global server-context directive; confirm it is not
# placed inside a <VirtualHost>.
SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect file:/dev/urandom 1024