agence66-nextcloud-docker/apache/nextcloud.conf

# Configuration pour reverse proxy Traefik
# Récupération de l'IP réelle du client via X-Forwarded-For
RemoteIPHeader X-Forwarded-For
RemoteIPTrustedProxy 172.16.0.0/12
RemoteIPTrustedProxy 10.0.0.0/8
RemoteIPTrustedProxy 192.168.0.0/16

# Activer la confiance des en-têtes X-Forwarded-Proto
SetEnvIf X-Forwarded-Proto "https" HTTPS=on

<Directory /var/www/html/>
    Options +FollowSymLinks
    AllowOverride All
    Require all granted

    <IfModule mod_dav.c>
        Dav off
    </IfModule>
</Directory>

# Headers de sécurité (si non gérés par Traefik)
<IfModule mod_headers.c>
    # HSTS sera géré par Traefik
    # Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"

    # Autres headers de sécurité
    Header always set Referrer-Policy "no-referrer-when-downgrade"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set X-Robots-Tag "noindex, nofollow"
</IfModule>

# Logs avec IP réelle (pas l'IP de Traefik)
<IfModule mod_remoteip.c>
    LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
</IfModule>