diff --git a/server/config/nextcloud/docker-compose.yml b/server/config/nextcloud/docker-compose.yml
index d248240..1f59e7b 100644
--- a/server/config/nextcloud/docker-compose.yml
+++ b/server/config/nextcloud/docker-compose.yml
@@ -16,6 +16,7 @@ services:
     labels:
       - traefik.http.routers.nextcloud.rule=Host(`nextcloud.jafner.net`)
       - traefik.http.routers.nextcloud.tls.certresolver=lets-encrypt
+      - traefik.http.routers.nextcloud.middlewares=nextcloud@file
       #- traefik.http.services.nextcloud.loadbalancer.server.scheme=https
       #- traefik.http.services.nextcloud.loadbalancer.server.port=443
     networks:
diff --git a/server/config/traefik/config/middlewares.yaml b/server/config/traefik/config/middlewares.yaml
index 548b2a0..9f2da6c 100644
--- a/server/config/traefik/config/middlewares.yaml
+++ b/server/config/traefik/config/middlewares.yaml
@@ -51,4 +51,27 @@ http:
         address: http://forwardauth:4181
         trustForwardHeader: true
         authResponseHeaders:
-          - X-Forwarded-User
\ No newline at end of file
+          - X-Forwarded-User
+    nextcloud-middlewares-secure-headers:
+      headers:
+        accessControlMaxAge: 100
+        sslRedirect: true
+        stsSeconds: 63072000
+        stsIncludeSubdomains: true
+        stsPreload: true
+        forceSTSHeader: true
+        customFrameOptionsValue: "SAMEORIGIN" #CSP takes care of this but may be needed for organizr.
+        contentTypeNosniff: true
+        browserXssFilter: true
+        sslForceHost: true
+        sslHost: "nextcloud.jafner.net"
+        referrerPolicy: "no-referrer"
+        #contentSecurityPolicy: "frame-ancestors '*.example.com:*';object-src 'none';script-src 'none';"
+        featurePolicy: "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';"
+        customResponseHeaders:
+          X-Robots-Tag: "none"
+          server: ""
+    redirectRegex:
+      permanent: true
+      regex: "https://(.*)/.well-known/(card|cal)dav"
+      replacement: "https://${1}/remote.php/dav/"
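Review bot: The added label points the router at `nextcloud@file`, but the middleware the companion middlewares.yaml hunk defines is named `nextcloud-middlewares-secure-headers`; unless a `nextcloud` middleware (for example a `chain`) already exists earlier in that file, which is not visible here, Traefik will log the middleware as not found and leave the router disabled, so the site goes down rather than gaining the headers. Either reference the name that is actually defined, `- traefik.http.routers.nextcloud.middlewares=nextcloud-middlewares-secure-headers@file`, or add a `nextcloud` chain middleware in middlewares.yaml that lists the headers and redirect middlewares. The `nextcloud` service definition enclosing this `labels:` list starts before the hunk.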
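Review bot: The `redirectRegex:` block with its `permanent`/`regex`/`replacement` keys has no middleware name of its own: in the reconstructed layout it sits either inside `nextcloud-middlewares-secure-headers` next to `headers:` (Traefik accepts one type per middleware and rejects the entry) or as a sibling entry named `redirectRegex` with no type, and the file provider refuses the definition in both cases. Move it under its own entry, `nextcloud-redirectregex:` at the same level as `nextcloud-middlewares-secure-headers:` with `redirectRegex:` nested beneath it, escape the dot in `regex: "https://(.*)/\\.well-known/(?:card|cal)dav"`, and reference both middlewares from the router. The inline comment `#CSP takes care of this` is stale because `contentSecurityPolicy` is commented out a few lines below, so `customFrameOptionsValue: "SAMEORIGIN"` is currently the only clickjacking protection in effect; reword it to `# only frame protection while contentSecurityPolicy stays disabled`. `sslRedirect`, `sslForceHost`, `sslHost` and `featurePolicy` are deprecated in Traefik 2.x in favour of entrypoint-level HTTPS redirection and `permissionsPolicy` and are removed in v3, so on a recent Traefik (version not visible here) they are ignored or break loading. The `http:`/`middlewares:` mapping enclosing this hunk starts before it.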