server {
  listen       443 ssl http2;
  server_name  cloud.example.com;

  ssl_certificate      ssl/cloud.example.com.crt;
  ssl_certificate_key  ssl/cloud.example.com.key;

  root /usr/share/webapps/nextcloud;
  client_max_body_size 1G;

  add_header Strict-Transport-Security max-age=15768000;
  add_header X-Robots-Tag "none";
  add_header X-Content-Type-Options "nosniff";
  add_header X-XSS-Protection "1; mode=block";
  add_header X-Download-Options noopen;
  add_header X-Permitted-Cross-Domain-Policies none;

  rewrite ^/.well-known/carddav  $scheme://$host/remote.php/dav/ permanent;
  rewrite ^/.well-known/caldav   $scheme://$host/remote.php/dav/ permanent;

  # The following 2 rules are only needed with webfinger
  rewrite ^/.well-known/host-meta /public.php?service=host-meta  last;
  rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

  location ~ ^/(build|tests|config|lib|3rdparty|templates|data)/ {
    deny all;
  }
  location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
    deny all;
  }

  location ~ \.php(?:$|/) {
    include uwsgi_params;
    uwsgi_modifier1 14;
    uwsgi_pass unix:///run/nextcloud.sock;
  }

  error_page 403 /core/templates/403.php;
  error_page 404 /core/templates/404.php;
  index index.php;

  location / {
    try_files $uri $uri/ /index.php;
  }
}