目次

04.Nginxの設定








rc.conf

/etc/rc.confまたは/etc/rc.conf.localに記述

php_fpm_enable="YES"
nginx_enable="YES"

/usr/local/etc/nginx/nginx.conf

nginx.conf
user www;
worker_processes auto;
worker_cpu_affinity auto;
worker_priority 0;
 
worker_rlimit_nofile 51200;
error_log /var/log/nginx/error.log;
 
events {
  worker_connections 1024;
  multi_accept        on;
  accept_mutex        on;
  accept_mutex_delay  100ms;  
}
 
http {
  include       mime.types;
  include       conf.d/options;
 
  default_type  application/octet-stream;
 
  access_log    /var/log/nginx/access.log main;
 
 
  # use unix socks
  # upstream php-handler {
  #   server 127.0.0.1:9000;
  # }
 
  # Set the `immutable` cache control options only for assets with a cache busting `v` argument
  map $arg_v $asset_immutable {
    "" "";
    default "immutable";
  }
 
  server {
    listen 80;
    # listen [::]:80;
    # server_name cloud.example.com;
 
    # Prevent nginx HTTP Server Detection
    server_tokens off;
 
    # Enforce HTTPS
    # return 301 https://$server_name$request_uri;
 
    # Path to the root of your installation
    #root /var/www/nextcloud;
    root /usr/local/www/nextcloud;
 
    # HTTP response headers borrowed from Nextcloud `.htaccess`
    add_header Referrer-Policy                   "no-referrer"       always;
    add_header X-Content-Type-Options            "nosniff"           always;
    add_header X-Download-Options                "noopen"            always;
    add_header X-Frame-Options                   "SAMEORIGIN"        always;
    add_header X-Permitted-Cross-Domain-Policies "none"              always;
    add_header X-Robots-Tag                      "noindex, nofollow" always;
    add_header X-XSS-Protection                  "1; mode=block"     always;
 
    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;
    types {
        text/javascript js mjs;
    }
    # Specify how to handle directories -- specifying `/index.php$request_uri`
    # here as the fallback means that Nginx always exhibits the desired behaviour
    # when a client requests a path that corresponds to a directory that exists
    # on the server. In particular, if that directory contains an index.php file,
    # that file is correctly served; if it doesn't, then the request is passed to
    # the front-end controller. This consistent behaviour means that we don't need
    # to specify custom rules for certain paths (e.g. images and other assets,
    # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
    # `try_files $uri $uri/ /index.php$request_uri`
    # always provides the desired behaviour.
    index index.php index.html /index.php$request_uri;
 
    # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
    location = / {
      if ( $http_user_agent ~ ^DavClnt ) {
        return 302 /remote.php/webdav/$is_args$args;
      }
    }  # End location
 
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }  # End location
 
    # Make a regex exception for `/.well-known` so that clients can still
    # access it despite the existence of the regex rule
    # `location ~ /(\.|autotest|...)` which would otherwise handle requests
    # for `/.well-known`.
    location ^~ /.well-known {
        # The rules in this block are an adaptation of the rules
        # in `.htaccess` that concern `/.well-known`.
 
        location = /.well-known/carddav { return 301 /remote.php/dav/; }
        location = /.well-known/caldav  { return 301 /remote.php/dav/; }
 
        location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
        location /.well-known/pki-validation    { try_files $uri $uri/ =404; }
 
        # Let Nextcloud's API for `/.well-known` URIs handle all other
        # requests by passing them to the front-end controller.
        return 301 /index.php$request_uri;
    }  # End location
 
    # Rules borrowed from `.htaccess` to hide certain paths from clients
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }
 
    # Ensure this block, which passes PHP files to the PHP process, is above the blocks
    # which handle static assets (as seen below). If this block is not declared first,
    # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
    # to the URI, resulting in a HTTP 500 error response.
    # location ~ \.php(?:$|/) {
    #     # Required for legacy support
    #     rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
    #     fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    #     set $path_info $fastcgi_path_info;
    #     try_files $fastcgi_script_name =404;
    #     include fastcgi_params;
    #     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    #     fastcgi_param PATH_INFO $path_info;
    #     fastcgi_param HTTPS on;
    #     fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
    #     fastcgi_param front_controller_active true;     # Enable pretty urls
    #     fastcgi_pass php-handler;
    #     fastcgi_intercept_errors on;
    #     fastcgi_request_buffering off;
    #     fastcgi_max_temp_file_size 0;
    # }  # End location
 
 
    location ~ \.php(?:$|/) { include conf.d/php-fpm; }
 
 
    # Serve static files
    location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map)$ {
        try_files $uri /index.php$request_uri;
        add_header Cache-Control "public, max-age=15778463, $asset_immutable";
        access_log off;     # Optional: Don't log access to assets
 
        location ~ \.wasm$ {
            default_type application/wasm;
        }
    }  # End location
 
    location ~ \.woff2?$ {
        try_files $uri /index.php$request_uri;
        expires 7d;         # Cache-Control policy borrowed from `.htaccess`
        access_log off;     # Optional: Don't log access to assets
    }  # End location
 
    # Rule borrowed from `.htaccess`
    location /remote {
        return 301 /remote.php$request_uri;
    }  # End location
 
    location / {
        try_files $uri $uri/ /index.php$request_uri;
    }  # End location
 
    error_page   500 502 503 504  /50x.html;
    location = /50x.html { root   /usr/local/www/nginx-dist; }
 
  }  # End server
}  # End http

/usr/local/etc/nginx/conf.d/options

options
charset                   utf-8;
client_body_buffer_size   512k;
# set max upload size and increase upload timeout:
# client_max_body_size      512M;
client_max_body_size      2G;        # for nextcloud
# client_body_timeout       5s;
client_body_timeout       300s;
client_header_timeout     5s;
fastcgi_buffers           64 4K;     # for nextcloud
gzip                      on;
gzip_comp_level           4;
gzip_disable              "MSIE [1-6]\.(?!.*SV1)";
gzip_http_version         1.1;
gzip_min_length           512;
#gzip_proxied              any;
gzip_proxied              expired no-cache no-store private no_last_modified no_etag auth;
gzip_types                application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
gzip_static               on;
#gzip_types                text/plain text/css text/javascript application/javascript text/xml application/xml application/xml+rss;
gzip_vary                 on;
ignore_invalid_headers    on;
keepalive_disable         none;
keepalive_requests        50;
keepalive_timeout         75s;
limit_req_zone            $binary_remote_addr  zone=gulag:1m   rate=60r/m;
log_format                main  '$remote_addr $host $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $ssl_cipher $request_time';
max_ranges                1;
msie_padding              off;
open_file_cache           max=1000 inactive=2h;
open_file_cache_errors    on;
open_file_cache_min_uses  1;
open_file_cache_valid     1h;
output_buffers            1 512;
postpone_output           1440;
read_ahead                512K;
recursive_error_pages     on;
reset_timedout_connection on;
send_timeout              15s;
sendfile                  on;
server_name_in_redirect   off;
server_tokens             off;
source_charset            utf-8;
tcp_nodelay               on;
tcp_nopush                off;

/usr/local/etc/nginx/conf.d/php-fpm

php-fpm
# Required for legacy support
rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
fastcgi_pass                 unix:/var/run/php-fpm.sock;
# fastcgi_split_path_info      ^(.+\.php)(.*)$;
fastcgi_split_path_info      ^(.+?\.php)(/.*)$;
set                          $path_info $fastcgi_path_info;
fastcgi_param                SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param                PATH_INFO $path_info;
try_files                    $uri = 404;
fastcgi_index                index.php;
fastcgi_intercept_errors     on;
fastcgi_ignore_client_abort  off;
fastcgi_connect_timeout      60;
fastcgi_send_timeout         180;
fastcgi_read_timeout         180;
fastcgi_buffer_size          128k;
fastcgi_buffers              4 256k;
fastcgi_busy_buffers_size    256k;
fastcgi_temp_file_write_size 256k;
#fastcgi_param               GEOIP_COUNTRY_CODE $geoip_country_code;
#fastcgi_param               GEOIP_COUNTRY_NAME $geoip_country_name;
# pkg default file
include                      fastcgi_params;
# for nextcloud
fastcgi_param                modHeadersAvailable     true;     # Avoid sending the security headers twice
fastcgi_param                front_controller_active true;     # Enable pretty urls
fastcgi_request_buffering    off;
fastcgi_max_temp_file_size   0;

設定チェック

 # service nginx configtest
 または
 # nginx -t