# Derived from:
# - Apache: https://github.com/nextcloud/server/blob/master/.htaccess
# - Nginx:  https://github.com/nextcloud/documentation/blob/master/admin_manual/installation/nginx-subdir.conf.sample

# Redirect webfinger and nodeinfo requests to Nextcloud endpoint:
url.redirect += (
	"^/.well-known/webfinger" => "/nextcloud/index.php/.well-known/webfinger",
	"^/.well-known/nodeinfo" => "/nextcloud/index.php/.well-known/nodeinfo"
)

$HTTP["url"] =~ "^/nextcloud($|/)" {
	# Hardening
	# - Directories
	$HTTP["url"] =~ "^/nextcloud/(build|tests|config|lib|3rdparty|templates|data)($|/)" { url.access-deny = ("") }
	# - Files
	$HTTP["url"] =~ "^/nextcloud/(\.|autotest|occ|issue|indie|db_|console)" { url.access-deny = ("") }
	# - Directory listing
	dir-listing.activate = "disable"
	# - Security and cache control headers for static resources
	$HTTP["url"] =~ "\.(css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|woff2?)$" {
		setenv.add-response-header += (
			"Referrer-Policy" => "no-referrer",
			"X-Content-Type-Options" => "nosniff",
			"X-Download-Options" => "noopen",
			"X-Frame-Options" => "SAMEORIGIN",
			"X-Permitted-Cross-Domain-Policies" => "none",
			"X-Robots-Tag" => "noindex, nofollow",
			"X-XSS-Protection" => "1; mode=block",
			"Cache-Control" => "public, max-age=15778463",
		)
	}
	# Rewrites
	url.rewrite-once += (
		"^/nextcloud/remote/(.*)" => "/nextcloud/remote.php/$1",
		"^/nextcloud/ocm-provider($|/\?.*)" => "/nextcloud/index.php$1"
	)
	url.rewrite-if-not-file += (
		"^/nextcloud/((core/ajax/update|cron|public|remote|status|ocs/v[12]|richdocumentscode(_arm64)?/proxy)\.php|ocs-provider/|updater/)" => "",
		"^/nextcloud(.*)" => "/nextcloud/index.php$1"
	)
}