#67 Try Traefik middleware for Nextcloud

Per: https://www.smarthomebeginner.com/traefik-docker-nextcloud/

homelab/server/config/nextcloud/docker-compose.yml

@@ -16,6 +16,7 @@ services:
     labels:
       - traefik.http.routers.nextcloud.rule=Host(`nextcloud.jafner.net`)
       - traefik.http.routers.nextcloud.tls.certresolver=lets-encrypt
+      - traefik.http.routers.nextcloud.middlewares=nextcloud@file
       #- traefik.http.services.nextcloud.loadbalancer.server.scheme=https
       #- traefik.http.services.nextcloud.loadbalancer.server.port=443
     networks:

homelab/server/config/traefik/config/middlewares.yaml

@@ -51,4 +51,27 @@ http:
         address: http://forwardauth:4181
         trustForwardHeader: true
         authResponseHeaders:
-          - X-Forwarded-User
+          - X-Forwarded-User
+    nextcloud-middlewares-secure-headers:
+      headers:
+        accessControlMaxAge: 100
+        sslRedirect: true
+        stsSeconds: 63072000
+        stsIncludeSubdomains: true
+        stsPreload: true
+        forceSTSHeader: true
+        customFrameOptionsValue: "SAMEORIGIN" #CSP takes care of this but may be needed for organizr.
+        contentTypeNosniff: true
+        browserXssFilter: true
+        sslForceHost: true 
+        sslHost: "nextcloud.jafner.net"
+        referrerPolicy: "no-referrer"
+        #contentSecurityPolicy: "frame-ancestors '*.example.com:*';object-src 'none';script-src 'none';"
+        featurePolicy: "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';"
+        customResponseHeaders:
+          X-Robots-Tag: "none"
+          server: ""
+      redirectRegex:
+        permanent: true
+        regex: "https://(.*)/.well-known/(card|cal)dav"
+        replacement: "https://${1}/remote.php/dav/"