@francislavoie, your solution is working, thank you !
This is my current Caddyfile V2 :
mydomain.com {
root * /usr/local/www/nextcloud
file_server
log {
output file /var/log/nextcloud_access.log
format single_field common_log
}
tls {
ca https://acme-v02.api.letsencrypt.org/directory
}
php_fastcgi 127.0.0.1:9000
header {
Strict-Transport-Security "max-age=15768000;"
X-Content-Type-Options "nosniff"
X-XSS-Protection "1; mode=block"
X-Robots-Tag "none"
X-Download-Options "noopen"
X-Permitted-Cross-Domain-Policies "none"
X-Frame-Options "SAMEORIGIN"
Referrer-Policy "no-referrer"
}
header /core/fonts {
Cache-Control "max-age=604800"
}
@phpFiles {
path_regexp phpfile ^/(remote|public|cron|core/ajax/update|status|ocs/v1|ocs/v2)\.php
}
rewrite @phpFiles {http.regexp.phpfile.0}
redir /.well-known/cardav /remote.php/dav 301
redir /.well-known/caldav /remote.php/dav 301
# .htaccess / data / config / ... shouldn't be accessible from outside
@forbidden {
path /.htaccess
path /data/*
path /config/*
path /db_structure
path /.xml
path /README
path /3rdparty/*
path /lib/*
path /templates/*
path /occ
path /console.php
}
respond @forbidden 404
}