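# Apache virtual host template (Jinja2) for a Nextcloud site.
#
# When protocol is "https" and no proxyserver group is defined, the host
# terminates TLS itself: a *:80 vhost that only includes the redirect snippets
# is emitted first, followed by the real site on *:443. Otherwise the
# first vhost stays open and the site itself is served on *:80.
<VirtualHost *:80>
    Include /etc/apache2/{{ apache_conf_dir }}/global-redirect.conf
{% if nextcloud.protocol|default("https") == "https" and groups.proxyserver is not defined %}
    ServerAdmin {{ apache_server_admin }}
    ServerName {{ nextcloud.domain }}
    ServerAlias {{ nextcloud.domain }}{% for alias in nextcloud.aliases|default([]) %} {{ alias }}{% endfor %}

    Include /etc/apache2/{{ apache_conf_dir }}/redirect-ssl.conf
    Include /etc/apache2/{{ apache_conf_dir }}/letsencrypt-redirect.conf

    # Same X-Forwarded-For based log selection as the main vhost; see the
    # review note next to the logging directives there.
    SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
    LogLevel warn
{% if apache_version|default('2.4') == '2.4' %}
    ErrorLogFormat "[%{u}t] [%l] [pid %P] [client\ %{X-Forwarded-For}i] %M% ,\ referer:\ %{Referer}i"
{% endif %}
    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
    ErrorLog {{ apacheLogDir }}/{{ nextcloud.domain }}-error.log
    CustomLog {{ apacheLogDir }}/{{ nextcloud.domain }}-access.log combined env=!forwarded
    CustomLog {{ apacheLogDir }}/{{ nextcloud.domain }}-access.log proxy env=forwarded
</VirtualHost>

<VirtualHost *:443>
    Include /etc/apache2/{{ apache_conf_dir }}/global-redirect.conf
{% endif %}
    ServerAdmin {{ apache_server_admin }}
    ServerName {{ nextcloud.domain }}
    ServerAlias {{ nextcloud.domain }}{% for alias in nextcloud.aliases|default([]) %} {{ alias }}{% endfor %}

    # "set" rather than "add": add appends a second Strict-Transport-Security
    # header whenever the application or an included snippet already sends one.
    # NOTE(review): includeSubDomains plus preload commits every subdomain of
    # the site to HTTPS for the whole max-age; confirm that is intended. When
    # this vhost is rendered on plain *:80 the header only has an effect if a
    # TLS-terminating proxy sits in front of it.
    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    Header set Referrer-Policy "no-referrer"
{% for header in nextcloud.headers|default([]) %}
    Header set {{ header }}
{% endfor %}

{% if nextcloud.protocol|default("https") == "https" and groups.proxyserver is defined %}
    # TLS is terminated on the proxy: tell the application it is behind HTTPS
    # and pass the Authorization header through to it.
    SetEnv HTTP_X_FORWARDED_HOST {{ nextcloud.domain }}
    SetEnv HTTPS on
    SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0
{% endif %}

{% if nextcloud.jail is defined and not php_fpm_socket|default(false) %}
    # PHP is handed to an FPM pool listening on a loopback TCP port.
    # NOTE(review): access to the FPM status page depends entirely on what
    # global-deny.conf contains, which is not visible in this template, and
    # the pattern is unanchored so it matches any path containing /fpm-status.
    <LocationMatch "/fpm-status">
        Include /etc/apache2/{{ apache_conf_dir }}/global-deny.conf
        ProxyPass fcgi://127.0.0.1:{{ nextcloud.jail.port }}
    </LocationMatch>
    <FilesMatch \.php$>
        SetHandler "proxy:fcgi://127.0.0.1:{{ nextcloud.jail.port }}"
    </FilesMatch>
{% endif %}

    DocumentRoot {{ webRoot }}
    <Directory {{ webRoot }}/>
        # Directory listings are switched off explicitly; an application root
        # should not expose its file tree when an index file is missing.
        # NOTE(review): +ExecCGI is kept because the PHP handler used in the
        # non-jail case is not visible here; drop it if nothing under the web
        # root is meant to run as CGI.
        Options +ExecCGI -Indexes +FollowSymLinks +MultiViews
        # .htaccess files below the web root may override these settings.
        AllowOverride All
{% if nextcloud.apache_auth is defined and nextcloud.apache_auth.active|default(true) %}
        # Optional HTTP authentication in front of the whole site.
        # NOTE(review): verify the password file directory is not below the
        # web root and is readable only by the web server user.
        AuthType {{ nextcloud.apache_auth.type }}
        AuthName "{{ nextcloud.apache_auth.name }}"
        AuthUserFile {{ dataRoot }}/passwords/{{ nextcloud.apache_auth.user }}
        Require user {{ nextcloud.apache_auth.user }}
{% else %}
{% if apache_version|default('2.4') == '2.2' %}
        Order allow,deny
        allow from all
{% else %}
        Include /etc/apache2/{{ apache_conf_dir }}/global-deny.conf
{% endif %}
{% endif %}
    </Directory>

    # Never serve repository metadata from a checkout in the web root.
    <Directory {{ webRoot }}/.git/>
{% if apache_version|default('2.4') == '2.2' %}
        Order deny,allow
        Deny from all
{% else %}
        Require all denied
{% endif %}
    </Directory>

{% if nextcloud.spreed is defined %}
    # Reverse proxy for the WebRTC service on loopback port 8080.
    <Location /webrtc>
        ProxyPass http://127.0.0.1:8080/webrtc
        ProxyPassReverse /webrtc
    </Location>
    <Location /webrtc/ws>
        ProxyPass ws://127.0.0.1:8080/webrtc/ws
    </Location>
    ProxyVia On
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
{% endif %}

    # NOTE(review): X-Forwarded-For is supplied by the client unless a trusted
    # proxy overwrites it. Any value containing three dots sets "forwarded",
    # which selects the "proxy" log format, and that format records the header
    # value instead of the connecting peer address. On a host that is reachable
    # directly, the address written to the access and error logs is therefore
    # chosen by the client. Consider mod_remoteip with an explicit list of
    # trusted proxies, or logging %a alongside the header, before relying on
    # these logs for detection or incident response. Forwarded IPv6 addresses
    # never match the pattern and fall back to the combined format.
    SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
    LogLevel warn
{% if apache_version|default('2.4') == '2.4' %}
    ErrorLogFormat "[%{u}t] [%l] [pid %P] [client\ %{X-Forwarded-For}i] %M% ,\ referer:\ %{Referer}i"
{% endif %}
    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
    ErrorLog {{ apacheLogDir }}/{{ nextcloud.domain }}-error.log
    CustomLog {{ apacheLogDir }}/{{ nextcloud.domain }}-access.log combined env=!forwarded
    CustomLog {{ apacheLogDir }}/{{ nextcloud.domain }}-access.log proxy env=forwarded

    <IfModule mod_expires.c>
        ExpiresActive {% if apache_cache.active %}On{% else %}Off{% endif %}

        ExpiresDefault {{ apache_cache.default }}
{% for type in apache_cache.bytype %}
        ExpiresByType {{ type.type }} {{ type.default }}
{% endfor %}
    </IfModule>

    # NOTE(review): like X-Forwarded-For, X-Forwarded-Proto is only trustworthy
    # when a front proxy sets it; a direct client can also send it.
    SetEnvIf X-Forwarded-Proto https HTTPS=on

    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

{% if nextcloud.protocol|default("https") == "https" and groups.proxyserver is not defined %}
    # TLS settings for the locally terminated case.
    Include /etc/apache2/{{ apache_conf_dir }}/options-ssl-apache.conf
{% if nextcloud.letsencrypt|default(true) %}
    # NOTE(review): SSLCertificateChainFile is deprecated from Apache 2.4.8 on,
    # where the chain is read from SSLCertificateFile instead.
    SSLCertificateFile /etc/letsencrypt/live/{{ nextcloud.domain }}/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/{{ nextcloud.domain }}/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/{{ nextcloud.domain }}/chain.pem
{% else %}
{% for certs in apache_certificates|default([]) %}
{% if certs.domain == nextcloud.domain %}
{% for cert in certs.certs %}
    {{cert.type}} /etc/ssl/private/{{cert.file}}
{% endfor %}
{% for alias in certs.aliases|default([]) %}
</VirtualHost>

<VirtualHost *:443>
    # Redirect-only vhost for a certificate alias of the main domain.
    Include /etc/apache2/{{ apache_conf_dir }}/global-redirect.conf
    ServerName {{ alias }}
    Redirect 301 / https://{{ certs.domain }}/
    SSLEngine on
    # Use the same TLS options as the main vhost, so the alias does not fall
    # back to the server-wide protocol and cipher defaults.
    Include /etc/apache2/{{ apache_conf_dir }}/options-ssl-apache.conf
{% for cert in certs.certs %}
    {{cert.type}} /etc/ssl/private/{{cert.file}}
{% endfor %}

    # Same X-Forwarded-For based log selection as the main vhost.
    SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
    LogLevel warn
{% if apache_version|default('2.4') == '2.4' %}
    ErrorLogFormat "[%{u}t] [%l] [pid %P] [client\ %{X-Forwarded-For}i] %M% ,\ referer:\ %{Referer}i"
{% endif %}
    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
    ErrorLog {{ apacheLogDir }}/{{ certs.domain }}-error.log
    CustomLog {{ apacheLogDir }}/{{ certs.domain }}-access.log combined env=!forwarded
    CustomLog {{ apacheLogDir }}/{{ certs.domain }}-access.log proxy env=forwarded
{% endfor %}
{% endif %}
{% endfor %}
{% endif %}
{% endif %}
</VirtualHost>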