owncloud will only let users access it from the PRIMARY_HOSTNAME (due to its trusted_domains option being set statically), so only include /cloud in the nginx configuration for PRIMARY_HOSTNAME

conf/nginx-primaryonly.conf

@@ -0,0 +1,41 @@
+	# ownCloud configuration.
+	rewrite ^/cloud$ /cloud/ redirect;
+	rewrite ^/cloud/$ /cloud/index.php;
+	rewrite ^(/cloud/core/doc/[^\/]+/)$ $1/index.html;
+	location /cloud/ {
+		alias /usr/local/lib/owncloud/;
+		location ~ ^/(data|config|\.ht|db_structure\.xml|README) {
+			deny all;
+	 	}
+	}
+	location ~ ^(/cloud)(/[^/]+\.php)(/.*)?$ {
+		# note: ~ has precendence over a regular location block
+		include fastcgi_params;
+		fastcgi_param SCRIPT_FILENAME /usr/local/lib/owncloud/$2;
+		fastcgi_param SCRIPT_NAME $1$2;
+		fastcgi_param PATH_INFO $3;
+		fastcgi_param MOD_X_ACCEL_REDIRECT_ENABLED on;
+		fastcgi_read_timeout 630;
+		fastcgi_pass php-fpm;
+		error_page 403 /cloud/core/templates/403.php;
+		error_page 404 /cloud/core/templates/404.php;
+		client_max_body_size 1G;
+		fastcgi_buffers 64 4K;
+	}
+	location ^~ /cloud/data {
+		# In order to support MOD_X_ACCEL_REDIRECT_ENABLED, we need to expose
+		# the data directory but only allow 'internal' redirects within nginx
+		# so that this is not exposed to the world.
+		internal;
+		alias $STORAGE_ROOT/owncloud;
+	}
+	location ~ ^/((caldav|carddav|webdav).*)$ {
+		# Z-Push doesn't like getting a redirect, and a plain rewrite didn't work either.
+		# Properly proxying like this seems to work fine.
+		proxy_pass https://$HOSTNAME/cloud/remote.php/$1;
+	}
+	rewrite ^/.well-known/host-meta /cloud/public.php?service=host-meta last;
+	rewrite ^/.well-known/host-meta.json /cloud/public.php?service=host-meta-json last;
+	rewrite ^/.well-known/carddav /cloud/remote.php/carddav/ redirect;
+	rewrite ^/.well-known/caldav /cloud/remote.php/caldav/ redirect;
+

conf/nginx.conf

@@ -31,12 +31,10 @@ server {
 		index index.php;
 		alias /usr/local/lib/roundcubemail/;
 	}
-
 	location ~ /mail/config/.* {
 		# A ~-style location is needed to give this precedence over the next block.
 		return 403;
 	}
-
 	location ~ /mail/.*\.php {
 		# note: ~ has precendence over a regular location block
 		include fastcgi_params;
@@ -47,51 +45,6 @@ server {
 		client_max_body_size 20M;
 	}
 
-	# ownCloud configuration.
-	rewrite ^/cloud$ /cloud/ redirect;
-	rewrite ^/cloud/$ /cloud/index.php;
-	rewrite ^(/cloud/core/doc/[^\/]+/)$ $1/index.html;
-	location /cloud/ {
-		alias /usr/local/lib/owncloud/;
-		location ~ ^/(data|config|\.ht|db_structure\.xml|README) {
-			deny all;
-	 	}
-	}
-
-	location ~ ^(/cloud)(/[^/]+\.php)(/.*)?$ {
-		# note: ~ has precendence over a regular location block
-		include fastcgi_params;
-		fastcgi_param SCRIPT_FILENAME /usr/local/lib/owncloud/$2;
-		fastcgi_param SCRIPT_NAME $1$2;
-		fastcgi_param PATH_INFO $3;
-		fastcgi_param MOD_X_ACCEL_REDIRECT_ENABLED on;
-		fastcgi_read_timeout 630;
-		fastcgi_pass php-fpm;
-		error_page 403 /cloud/core/templates/403.php;
-		error_page 404 /cloud/core/templates/404.php;
-		client_max_body_size 1G;
-		fastcgi_buffers 64 4K;
-	}
-	location ^~ /cloud/data {
-		# In order to support MOD_X_ACCEL_REDIRECT_ENABLED, we need to expose
-		# the data directory but only allow 'internal' redirects within nginx
-		# so that this is not exposed to the world.
-		internal;
-		alias $STORAGE_ROOT/owncloud;
-	}
-
-
-	location ~ ^/((caldav|carddav|webdav).*)$ {
-		# Z-Push doesn't like getting a redirect, and a plain rewrite didn't work either.
-		# Properly proxying like this seems to work fine.
-		proxy_pass https://$HOSTNAME/cloud/remote.php/$1;
-	}
-
-	rewrite ^/.well-known/host-meta /cloud/public.php?service=host-meta last;
-	rewrite ^/.well-known/host-meta.json /cloud/public.php?service=host-meta-json last;
-	rewrite ^/.well-known/carddav /cloud/remote.php/carddav/ redirect;
-	rewrite ^/.well-known/caldav /cloud/remote.php/caldav/ redirect;
-
 	# Webfinger configuration.
 	location = /.well-known/webfinger {
 		include fastcgi_params;