We recommend serving Nextcloud on a subdomain like cloud.example.com, so that the login page can be accessed at https://cloud.example.com. This approach is simple and clear. However, if for whatever reason you want to serve Nextcloud on a subdirectory like example.com/nextcloud, so that the login page can be accessed at https://example.com/nextcloud, you can find below the necessary configuration.
It is assumed that the Nextcloud root directory is /var/www/nextcloud. This means that all Nextcloud files are stored in the /var/www/nextcloud directory. The server blocks configuration file, /etc/nginx/sites-enabled/0-conf, should have the following content:
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    server_tokens off;
    return 301 https://example.com$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    server_tokens off;
    return 301 https://example.com$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com;
    root /var/www;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_session_timeout 4h;
    ssl_session_cache shared:SSL:40m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_stapling on;
    ssl_stapling_verify on;
    # Prevent Nginx HTTP Server Detection
    server_tokens off;
    location = /robots.txt {
        allow all;
    }
    location ^~ /.well-known {
        # Nextcloud lives under /nextcloud, so the DAV redirects must point there
        location = /.well-known/carddav { return 301 /nextcloud/remote.php/dav/; }
        location = /.well-known/caldav { return 301 /nextcloud/remote.php/dav/; }
        location /.well-known/acme-challenge { root /var/www; try_files $uri $uri/ =404; }
        location /.well-known/pki-validation { try_files $uri $uri/ =404; }
        # Let Nextcloud's API for `/.well-known` URIs handle all other
        # requests by passing them to the front-end controller.
        return 301 /nextcloud/index.php$request_uri;
    }
    location ^~ /nextcloud {
        # Set max upload size
        client_max_body_size 512M;
        fastcgi_buffers 64 4K;
        # Enable gzip but do not remove ETag headers
        gzip on;
        gzip_vary on;
        gzip_comp_level 4;
        gzip_min_length 256;
        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
        gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
        # HTTP response headers
        add_header Strict-Transport-Security "max-age=63072000" always;
        add_header Referrer-Policy "no-referrer" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Download-Options "noopen" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Permitted-Cross-Domain-Policies "none" always;
        add_header X-Robots-Tag "noindex, nofollow";
        add_header X-XSS-Protection "1; mode=block" always;
        # Remove X-Powered-By, which is an information leak
        fastcgi_hide_header X-Powered-By;
        # Add .mjs as a file extension for javascript
        include /etc/nginx/mime.types;
        types { text/javascript js mjs; }
        index index.php /nextcloud/index.php$request_uri;
        # Hide certain paths from clients
        location ~ ^/nextcloud/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
        location ~ ^/nextcloud/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
        # Ensure this block, which passes PHP files to the PHP process, is above the blocks
        # which handle static assets (as seen below). If this block is not declared first,
        # then Nginx will encounter an infinite rewriting loop when it prepends
        # `/nextcloud/index.php` to the URI, resulting in a HTTP 500 error response.
        location ~ \.php(?:$|/) {
            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
            try_files $fastcgi_script_name =404;
            include /etc/nginx/fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            fastcgi_param HTTPS on;
            fastcgi_param modHeadersAvailable true;
            fastcgi_param front_controller_active true; # Enable pretty urls
            fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
            fastcgi_intercept_errors on;
            fastcgi_request_buffering off;
            fastcgi_max_temp_file_size 0;
        }
        location ~ \.(?:css|js|svg|gif|png|jpg|jpeg|ico|ttf|wasm|tflite|map|woff|woff2)$ {
            try_files $uri /nextcloud/index.php$request_uri;
            add_header Cache-Control "public, max-age=15778463";
            access_log off;
            location ~ \.wasm$ {
                default_type application/wasm;
            }
        }
        location /nextcloud/remote {
            return 301 /nextcloud/remote.php$request_uri;
        }
        location /nextcloud {
            try_files $uri $uri/ /nextcloud/index.php$request_uri;
        }
        # This is needed by SIP Trip Phone
        location /nextcloud/apps/sip_trip_phone/phone {
            try_files $uri /index.php;
        }
        # This is also needed by SIP Trip Phone
        location /nextcloud/apps/sip_trip_phone/lib {
            # prevents 502 bad gateway error
            proxy_buffers 8 32k;
            proxy_buffer_size 64k;
            # If SIP Trip Phone is connected directly to Telnyx,
            # the following line should be replaced with:
            # proxy_pass http://sip.telnyx.com:7443;
            proxy_pass http://0.0.0.0:8088/ws;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # enables WS support
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }
    access_log /var/log/sites/example.com/access.log;
    error_log /var/log/nginx/example.com.error.log notice;
}
Replace example.com with your domain. (Instead of example.com you can use www.example.com in a similar way. In that case the redirections should be changed accordingly.) If you use SSL certificates different from the ones from Let’s Encrypt, you should adjust the paths to the corresponding certificate files accordingly. If your PHP version is different from 8.2, change the version number on the fastcgi_pass line from above.
Edit/add the following two lines in the /var/www/nextcloud/config/config.php file:
'overwrite.cli.url' => 'https://example.com/nextcloud',
'htaccess.RewriteBase' => '/nextcloud',
Please note that if you connect SIP Trip Phone to the SIP provider via Asterisk, the proxy_pass parameter inside the location /nextcloud/apps/sip_trip_phone/lib { block should be as shown above: proxy_pass http://0.0.0.0:8088/ws; If you connect SIP Trip Phone to Telnyx directly, the proxy_pass parameter should be: proxy_pass http://sip.telnyx.com:7443; where http://sip.telnyx.com:7443 is the URL and port provided by Telnyx for direct WebRTC connections.
Before restarting Nginx, check if the access log directory, /var/log/sites/example.com, exists and if not, create it.
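The restart step and a check of the configuration above, as an added example that is not part of the original page: it creates the log directory, validates and restarts Nginx, then confirms that the response headers set in the location ^~ /nextcloud block are present and that the hidden paths return 404. BASE_URL, LOG_DIR, the function names and the use of systemctl (a systemd host) are assumptions.

```sh
#!/bin/sh
# Added example, not from the original page. BASE_URL and LOG_DIR mirror the
# page's example.com values; systemctl assumes a systemd host.
BASE_URL="${BASE_URL:-https://example.com/nextcloud}"
LOG_DIR="${LOG_DIR:-/var/log/sites/example.com}"

# Headers set with add_header in the "location ^~ /nextcloud" block.
EXPECTED_HEADERS="Strict-Transport-Security Referrer-Policy \
X-Content-Type-Options X-Download-Options X-Frame-Options \
X-Permitted-Cross-Domain-Policies X-Robots-Tag X-XSS-Protection"

# Read response headers on stdin; report expected headers that are absent
# and X-Powered-By if fastcgi_hide_header did not strip it.
missing_security_headers() {
    resp=$(tr -d '\r')
    for h in $EXPECTED_HEADERS; do
        if ! printf '%s\n' "$resp" | grep -qi "^$h:"; then
            printf 'missing: %s\n' "$h"
        fi
    done
    if printf '%s\n' "$resp" | grep -qi '^X-Powered-By:'; then
        printf 'leaked: X-Powered-By\n'
    fi
}

# Create the log directory, validate the config, restart, then probe.
deploy_and_verify() {
    mkdir -p "$LOG_DIR" || return 1
    nginx -t || return 1
    systemctl restart nginx || return 1
    curl -sI "$BASE_URL/login" | missing_security_headers
    # Paths the config hides with "return 404".
    for p in /config/config.php /data/ /occ /.htaccess /3rdparty/; do
        code=$(curl -s -o /dev/null -w '%{http_code}' "$BASE_URL$p")
        [ "$code" = "404" ] || printf 'exposed: %s (HTTP %s)\n' "$p" "$code"
    done
}

# Constructed sample response, not captured from a real server.
SAMPLE='HTTP/2 200
strict-transport-security: max-age=63072000
x-content-type-options: nosniff
x-powered-by: PHP/8.2'

# "run" does the real checks (root, network); the default parses SAMPLE.
case "${1:-}" in
    run) deploy_and_verify ;;
    *)   printf '%s\n' "$SAMPLE" | missing_security_headers ;;
esac
```

Nginx inherits add_header from the enclosing level only when a location declares none of its own, so the static-asset location, which sets Cache-Control, does not emit the headers listed here. Piping a curl -sI of a .css or .js URL through missing_security_headers shows which ones are absent there.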