From 60900e534e3360db515f0fe5f347b291d60ce3e3 Mon Sep 17 00:00:00 2001 From: Timo Wilken Date: Tue, 27 Aug 2024 16:30:45 +0200 Subject: Fix response headers for Nextcloud assets https://github.com/nextcloud/documentation/commit/4ef607d350aa6f19f07ebe2fb0b8e3951248649f --- tw/services/nextcloud.scm | 37 ++++++++++++++++++++++++------------- 1 file changed, 24 insertions(+), 13 deletions(-) (limited to 'tw/services') diff --git a/tw/services/nextcloud.scm b/tw/services/nextcloud.scm index 0a78fcaf..e9a99b5e 100644 --- a/tw/services/nextcloud.scm +++ b/tw/services/nextcloud.scm @@ -158,6 +158,19 @@ opcache.revalidate_freq=120 (with-exception-handler (cut cleanup #:rethrow <>) main) (cleanup)))) +(define nextcloud-default-headers + ;; HTTP response headers borrowed from Nextcloud `.htaccess` + (map (match-lambda + ((hdr . value) + `("add_header " ,hdr " \"" ,value "\" always;"))) + '(("Referrer-Policy" . "no-referrer") + ("Strict-Transport-Security" . "max-age=15552000") + ("X-Content-Type-Options" . "nosniff") + ("X-Frame-Options" . "SAMEORIGIN") + ("X-Permitted-Cross-Domain-Policies" . "none") + ("X-Robots-Tag" . "noindex, nofollow") + ("X-XSS-Protection" . "1; mode=block")))) + (define-public %nextcloud-services (list (simple-service 'nextcloud-https-server nginx-service-type ;; https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html 
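Review bot: The `("X-XSS-Protection" . "1; mode=block")` entry in the new `nextcloud-default-headers` list is a legacy header that current browsers ignore, and in older browsers that still honour it the filter has itself been a source of bypass and information-leak issues. OWASP's secure-headers guidance is therefore to send `0` or omit it and rely on a Content-Security-Policy. The entry is carried over unchanged from the server block, so it is not a regression, but the list now reaches more responses and the choice should be deliberate. If the setup check of the deployed Nextcloud version still expects the old value, record that in a comment; otherwise change the pair to `("X-XSS-Protection" . "0")`. Separately, `value` is spliced between literal `\"` quotes without escaping, which is safe for these constants; a comment such as `;; Values are emitted verbatim inside nginx double quotes; they must not contain a double quote.` would keep later additions safe.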
@@ -192,17 +205,7 @@ opcache.revalidate_freq=120 "image/x-icon text/cache-manifest text/css text/plain text/vcard text/vtt " "text/vnd.rim.location.xloc text/x-component text/x-cross-domain-policy;") - ;; HTTP response headers borrowed from Nextcloud `.htaccess` - ,@(map (match-lambda - ((hdr . value) - `("add_header " ,hdr " \"" ,value "\" always;"))) - '(("Referrer-Policy" . "no-referrer") - ("Strict-Transport-Security" . "max-age=15552000") - ("X-Content-Type-Options" . "nosniff") - ("X-Frame-Options" . "SAMEORIGIN") - ("X-Permitted-Cross-Domain-Policies" . "none") - ("X-Robots-Tag" . "noindex, nofollow") - ("X-XSS-Protection" . "1; mode=block"))) + ,@nextcloud-default-headers ;; Remove X-Powered-By, which is an information leak "fastcgi_hide_header X-Powered-By;" @@ -270,8 +273,16 @@ opcache.revalidate_freq=120 (nginx-location-configuration (uri "~ \\.(?:css|js|mjs|svg|gif|ico|png|jpg|png|webp|wasm|tflite|map|ogg|flac)$") - (body '("try_files $uri /index.php$request_uri;" - "add_header Cache-Control \"public, max-age=15778463, immutable\";"))) + (body `("try_files $uri /index.php$request_uri;" + ;; The upstream configuration adds an "immutable" + ;; to this header if the original request had a + ;; ?v= flag, but then we would need to add a map{} + ;; to the nginx-configuration's extra-content. + "add_header Cache-Control \"public, max-age=15778463\";" + ;; Nginx resets any headers in a response block, + ;; if it contains even a single add_header line. + ;; We need to re-add the default headers. + ,@nextcloud-default-headers))) (nginx-location-configuration (uri "~ \\.woff2?$") (body '("try_files $uri /index.php$request_uri;" "expires 7d;"))) -- cgit v1.2.3
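Review bot: The fix in the last hunk (the static-asset `location`) is per-location, so any other `location` body in this file that has its own `add_header` would still drop HSTS, `nosniff` and the rest. None is visible here, and the `woff2` block in the trailing context only uses `expires`, which does not reset inheritance, but the rest of `%nextcloud-services` is outside the hunk and should be checked. To keep future edits from reintroducing the gap, put the rule on the definition rather than only at this call site, e.g. `;; Splice into every location body that contains its own add_header; nginx does not inherit server-level add_header there.` Also, the body now holds nested lists from `,@nextcloud-default-headers` rather than only strings. This presumably relies on the nginx service flattening location bodies the same way it does for the server block, so confirm the generated `nginx.conf` has the seven `add_header … always;` lines inside this location. A quick header check on one served `.js` or `.css` response after reconfiguring would cover both points.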