From 883b2a394e7cb1bf39317f6c49e764619ecfdeca Mon Sep 17 00:00:00 2001
From: Joey Hafner
Date: Mon, 21 Nov 2022 14:56:00 -0800
Subject: [PATCH] #67 Try Traefik middleware for Nextcloud Per: https://www.smarthomebeginner.com/traefik-docker-nextcloud/
---
 .../config/nextcloud/docker-compose.yml | 1 +
 .../config/traefik/config/middlewares.yaml | 25 ++++++++++++++++++-
 2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/homelab/server/config/nextcloud/docker-compose.yml b/homelab/server/config/nextcloud/docker-compose.yml
index d248240d..1f59e7b5 100644
--- a/homelab/server/config/nextcloud/docker-compose.yml
+++ b/homelab/server/config/nextcloud/docker-compose.yml
@@ -16,6 +16,7 @@ services:
 labels:
 - traefik.http.routers.nextcloud.rule=Host(`nextcloud.jafner.net`)
 - traefik.http.routers.nextcloud.tls.certresolver=lets-encrypt
+ - traefik.http.routers.nextcloud.middlewares=nextcloud@file
 #- traefik.http.services.nextcloud.loadbalancer.server.scheme=https
 #- traefik.http.services.nextcloud.loadbalancer.server.port=443
 networks:
diff --git a/homelab/server/config/traefik/config/middlewares.yaml b/homelab/server/config/traefik/config/middlewares.yaml
index 548b2a03..9f2da6cf 100644
--- a/homelab/server/config/traefik/config/middlewares.yaml
+++ b/homelab/server/config/traefik/config/middlewares.yaml
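Review bot: In docker-compose.yml the added label `traefik.http.routers.nextcloud.middlewares=nextcloud@file` refers to a middleware named `nextcloud`, but the only middleware this patch defines in middlewares.yaml is `nextcloud-middlewares-secure-headers`. Unless a `nextcloud` entry already exists in the part of middlewares.yaml outside the hunk, Traefik will report the middleware as missing and the router will not be served, so the security headers are never applied. The label should use the name that is actually defined, `- traefik.http.routers.nextcloud.middlewares=nextcloud-middlewares-secure-headers@file`, or the new entry should be renamed to match.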
@@ -51,4 +51,27 @@ http:
 address: http://forwardauth:4181
 trustForwardHeader: true
 authResponseHeaders:
- - X-Forwarded-User
\ No newline at end of file
+ - X-Forwarded-User
+ nextcloud-middlewares-secure-headers:
+ headers:
+ accessControlMaxAge: 100
+ sslRedirect: true
+ stsSeconds: 63072000
+ stsIncludeSubdomains: true
+ stsPreload: true
+ forceSTSHeader: true
+ customFrameOptionsValue: "SAMEORIGIN" #CSP takes care of this but may be needed for organizr.
+ contentTypeNosniff: true
+ browserXssFilter: true
+ sslForceHost: true
+ sslHost: "nextcloud.jafner.net"
+ referrerPolicy: "no-referrer"
+ #contentSecurityPolicy: "frame-ancestors '*.example.com:*';object-src 'none';script-src 'none';"
+ featurePolicy: "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';"
+ customResponseHeaders:
+ X-Robots-Tag: "none"
+ server: ""
+ redirectRegex:
+ permanent: true
+ regex: "https://(.*)/.well-known/(card|cal)dav"
+ replacement: "https://${1}/remote.php/dav/"
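Review bot: `redirectRegex:` looks like it was added inside the same `nextcloud-middlewares-secure-headers` entry as `headers:` (the indentation is not recoverable from this view, so that placement is inferred). A Traefik middleware entry carries exactly one middleware type, so the redirect needs its own named entry, for example `nextcloud-redirect:` with `redirectRegex:` beneath it, and the router label would then list both names separated by a comma. Separately, `sslRedirect`, `sslForceHost`, `sslHost` and `featurePolicy` are deprecated in the Traefik v2 headers middleware; `permissionsPolicy` is the replacement for `featurePolicy`, and the HTTPS redirect is better done at the entrypoint. `stsPreload: true` together with `forceSTSHeader: true` is hard to roll back once browsers have cached it, so a comment such as `# HSTS: 2 years, preload; confirm every subdomain serves valid TLS first` above `stsSeconds` would help. The enclosing `http:` mapping starts outside the hunk.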