AIO/nginx/conf.d/nextcloud.conf

map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

server {
    listen 443 ssl;      # for nginx v1.25.1+

    access_log /var/log/nginx/ns.grenu4.ru_access.log main;
    error_log /var/log/nginx/ns.grenu4.ru_error.log notice;

    http2 on;                                 # uncomment to enable HTTP/2        - supported on nginx v1.25.1+
    http3 on;                                 # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+
    quic_retry on;                            # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+
    add_header Alt-Svc 'h3=":443"; ma=86400'; # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+
    listen 443 quic reuseport;       # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+ - please remove "reuseport" if there is already another quic listener on port 443 with enabled reuseport
    # listen [::]:443 quic reuseport;  # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+ - please remove "reuseport" if there is already another quic listener on port 443 with enabled reuseport - keep comment to disable IPv6

    server_name ns.grenu4.ru;

    location / {
        proxy_pass http://127.0.0.1:11000$request_uri;

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Accept-Encoding "";
        # proxy_set_header Host $host;
    
        client_body_buffer_size 512k;
        proxy_read_timeout 86400s;
        client_max_body_size 0;

        # Websocket
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

    ssl_certificate /etc/letsencrypt/live/ns.grenu4.ru/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ns.grenu4.ru/privkey.pem;

    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
    ssl_session_tickets off;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

}

server {
    listen 18443 ssl;
    server_name ns.grenu4.ru;

    access_log /var/log/nginx/aio_ns.grenu4.ru_access.log main;
    error_log /var/log/nginx/aio_ns.grenu4.ru_error.log notice;

    ssl_certificate /etc/letsencrypt/live/ns.grenu4.ru/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ns.grenu4.ru/privkey.pem;

    allow 77.91.87.36; # vpn
    allow 37.18.26.66; # mrakomaks kwork
    allow 212.124.20.138; # mrakomaks kwork
    deny all;

    proxy_read_timeout 300;
    proxy_connect_timeout 300;
    proxy_send_timeout 300;

    location / {
        proxy_pass https://127.0.0.1:18080;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Protocol $scheme;
    }

}