# Plain-HTTP side of the site: same document root as the TLS side, plus a
# blanket redirect to HTTPS.
# NOTE(review): the enclosing container lines are not part of this listing;
# presumably these four directives sit in the port-80 virtual host -- confirm.
DocumentRoot {{ http_webroot }}/nextcloud
RewriteEngine On
# Only redirect when the server name equals the templated FQDN. The leading "="
# makes this an exact string comparison rather than a regular expression, so the
# redirect target host below is pinned to that one value.
RewriteCond %{SERVER_NAME} ={{ ansible_fqdn }}
# "^" matches every request. R=permanent sends a 301, NE keeps the original URI
# from being re-escaped, END stops all further rewrite processing.
# Requests that fail the condition above are not redirected and are served over
# plain HTTP by whatever else applies to them.
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
# TLS side of the site: switches mod_ssl on, declares two log formats, and names
# the host together with its certificate and private key.
SSLEngine on
# StrictRequire makes a denial decided by SSLRequireSSL/SSLRequire final even
# where "Satisfy any" would otherwise let another check grant access.
# No SSLRequireSSL or SSLRequire directive is visible in this listing.
SSLOptions +StrictRequire
# vhost_combined: client, identity, user, time, request line, status, size,
# Referer and User-agent.
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
# vhost_common: prefixed with %v (name of the serving virtual host) but without
# Referer and User-agent.
# NOTE(review): no CustomLog line referencing either format is visible here, so
# whether these formats are actually used cannot be told from this listing.
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
ServerName {{ ansible_fqdn }}
ServerAdmin admin@{{ ansible_fqdn }}
DocumentRoot {{ http_webroot }}/nextcloud
# Certificate and private key are looked up by FQDN under the templated ssl_path.
# NOTE(review): ownership and mode of the .key file are set outside this
# template -- verify it is not readable by the web application user.
SSLCertificateFile {{ ssl_path }}/{{ ansible_fqdn }}.crt
SSLCertificateKeyFile {{ ssl_path }}/{{ ansible_fqdn }}.key
# Per-path access settings, process environment and request-size limit.
# NOTE(review): the enclosing Directory/IfModule lines are not part of this
# listing, so the path each of the next four directives applies to cannot be
# told from here.
Options +FollowSymlinks
# AllowOverride All lets .htaccess files under the affected path change every
# overridable setting. Anything able to write an .htaccess there, including the
# web application itself, can therefore alter server behaviour for that path.
AllowOverride All
# Switches mod_dav off for the affected path, presumably so the application's
# own WebDAV handling is not intercepted by the server module.
Dav off
# Denies every request for the affected path.
# NOTE(review): in the same container as the Options/AllowOverride lines this
# would block the whole site, so it presumably belongs to a separate container
# (for example a data directory) -- confirm against the full template.
Require all denied
SetEnv HOME {{ http_webroot }}/nextcloud
SetEnv HTTP_HOME {{ http_webroot }}/nextcloud
# Work around uploads arriving with a size of zero: proxy-sendcl makes mod_proxy
# send a Content-Length to the backend instead of a chunked request body.
# See https://github.com/nextcloud/server/issues/3056#issuecomment-954209565
SetEnv proxy-sendcl 1
# 0 removes Apache's limit on request body size altogether.
# See https://httpd.apache.org/docs/current/en/mod/core.html#limitrequestbody
# NOTE(review): with no limit here, upload size is bounded only by settings
# outside this listing (application, PHP, disk quota). Verify that one of them
# enforces a ceiling, so a single client cannot exhaust disk or bandwidth.
LimitRequestBody 0
# HSTS: browsers that have seen this header use HTTPS only for this host for
# 15768000 seconds (182.5 days). "always" also attaches it to error responses.
# NOTE(review): the value carries "preload" but not "includeSubDomains". As
# written, subdomains are not covered, and the browser preload list's published
# requirements ask for includeSubDomains and a max-age of at least one year --
# verify whether preloading is really intended before keeping the token.
Header always set Strict-Transport-Security "max-age=15768000; preload"
# The three headers below are disabled in this template.
# NOTE(review): presumably the application sends them itself and enabling them
# here would produce duplicates. Confirm in a live response that Referrer-Policy,
# X-Content-Type-Options and X-Frame-Options are actually present.
#Header set Referrer-Policy "strict-origin-when-cross-origin"
#Header set X-Content-Type-Options "nosniff"
#Header always set X-Frame-Options "SAMEORIGIN"
# Protocol, cipher and OCSP stapling settings.
# "-all" clears the protocol list first, so only the versions named after it are
# offered. TLSv1.3 is added only when the ssl_status variable is exactly true.
# NOTE(review): presumably ssl_status records whether the installed
# httpd/OpenSSL build accepts the TLSv1.3 token -- confirm where it is set.
{% if ssl_status is sameas true %}
SSLProtocol -all +TLSv1.3 +TLSv1.2
{% else %}
SSLProtocol -all +TLSv1.2
{% endif %}
# NOTE(review): several names in this list do not look like OpenSSL cipher names.
# - The two TLS-... entries use hyphens; OpenSSL names the TLS 1.3 suites with
#   underscores, and httpd selects them with a separate "SSLCipherSuite TLSv1.3"
#   line, not through this list.
# - OpenSSL defines no ...-GCM-SHA512 suites.
# OpenSSL skips unknown names silently, so the effective TLS 1.2 list is most
# likely just ECDHE-RSA-AES256-GCM-SHA384 and DHE-RSA-AES256-GCM-SHA384, and
# TLS 1.3 falls back to the library's default suites.
# Both remaining suites are RSA-authenticated, so an ECDSA certificate would
# leave TLS 1.2 clients without a usable suite.
# Verify the negotiated result with a handshake test against a rendered host.
SSLCipherSuite TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384
# The server's cipher order wins over the client's.
SSLHonorCipherOrder on
# TLS-level compression off (compression before encryption leaks plaintext
# length, the basis of CRIME-style attacks).
SSLCompression off
# RFC 5077 session tickets off; resumption then relies on the server-side
# session cache only.
SSLSessionTickets off
# Stapling itself is switched off, so clients receive no stapled OCSP response.
# The three directives after it only tune stapling behaviour and cache.
# NOTE(review): SSLStaplingCache is valid at server level only. The container
# lines are missing from this listing, so its placement cannot be checked here.
SSLUseStapling off
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
# Key-exchange parameters passed straight to OpenSSL, and entropy seeding.
# The three SSLOpenSSLConfCmd lines are rendered only when the web_status
# variable is exactly true.
# NOTE(review): what web_status stands for is not visible here. Presumably it
# marks an httpd/OpenSSL combination that supports SSLOpenSSLConfCmd -- confirm.
{% if web_status is sameas true %}
# Groups offered for ECDHE, in preference order.
SSLOpenSSLConfCmd Curves X448:secp521r1:secp384r1:prime256v1
# NOTE(review): depending on the OpenSSL version, ECDHParameters may replace the
# Curves list above with secp384r1 alone, since it is applied afterwards. Check
# the negotiated group with a handshake test and keep only the directive wanted.
SSLOpenSSLConfCmd ECDHParameters secp384r1
# Custom Diffie-Hellman group for the DHE suite. The file is created outside
# this template and must exist before httpd starts.
SSLOpenSSLConfCmd DHParameters "{{ ssl_path }}/dhparams.pem"
{% endif %}
# Seed mod_ssl's PRNG with 1024 bytes from /dev/urandom at startup and again for
# each new connection.
# NOTE(review): SSLRandomSeed is valid at server level only. The container lines
# are missing from this listing, so its placement cannot be checked here.
SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect file:/dev/urandom 1024