Is this still true if the Nextcloud instance is unsecured (noSSL)?
Yes! Yes! Yes! I’ve learnt something new. The working V2 Caddyfile:
:80 {
root * /var/www/html
file_server
php_fastcgi app:9000
header {
# enable HSTS
# Strict-Transport-Security max-age=31536000;
}
redir /.well-known/carddav /remote.php/dav 301
redir /.well-known/caldav /remote.php/dav 301
# .htaccess / data / config / ... shouldn't be accessible from outside
@forbidden {
path /.htaccess
path /data/*
path /config/*
path /db_structure
path /.xml
path /README
path /3rdparty/*
path /lib/*
path /templates/*
path /occ
path /console.php
}
respond @forbidden 404
}