|
|
|
# Basic configuration
|
|
|
|
user nginx;
|
|
|
|
worker_processes 1;
|
|
|
|
error_log /dev/stderr info;
|
|
|
|
pid /var/run/nginx.pid;
|
|
|
|
include /etc/nginx/modules/devel_kit.conf;
|
|
|
|
include /etc/nginx/modules/http_lua.conf;
|
|
|
|
|
|
|
|
events {
|
|
|
|
worker_connections 1024;
|
|
|
|
}
|
|
|
|
|
|
|
|
# Environment variables used in the configuration
|
|
|
|
env WEBMAIL;
|
|
|
|
env WEBDAV;
|
|
|
|
env EXPOSE_ADMIN;
|
|
|
|
|
|
|
|
http {
|
|
|
|
# Standard HTTP configuration with slight hardening
|
|
|
|
include /etc/nginx/mime.types;
|
|
|
|
default_type application/octet-stream;
|
|
|
|
access_log /dev/stdout;
|
|
|
|
sendfile on;
|
|
|
|
keepalive_timeout 65;
|
|
|
|
server_tokens off;
|
|
|
|
|
|
|
|
server {
|
|
|
|
listen 80;
|
|
|
|
listen 443 ssl;
|
|
|
|
|
|
|
|
# TLS configuration hardened according to:
|
|
|
|
# https://bettercrypto.org/static/applied-crypto-hardening.pdf
|
|
|
|
ssl_protocols TLSv1.1 TLSv1.2;
|
|
|
|
# ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA';
|
|
|
|
ssl_ciphers 'EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS';
|
|
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
ssl_session_timeout 5m;
|
|
|
|
ssl_session_cache shared:SSL:50m;
|
|
|
|
ssl_certificate /certs/cert.pem;
|
|
|
|
ssl_certificate_key /certs/key.pem;
|
|
|
|
|
|
|
|
add_header Strict-Transport-Security max-age=15768000;
|
|
|
|
|
|
|
|
if ($scheme = http) {
|
|
|
|
return 301 https://$host$request_uri;
|
|
|
|
}
|
|
|
|
|
|
|
|
# Load Lua variables
|
|
|
|
set_by_lua $webmail 'return os.getenv("WEBMAIL")';
|
|
|
|
set_by_lua $webdav 'return os.getenv("WEBDAV")';
|
|
|
|
set_by_lua $expose_admin 'return os.getenv("EXPOSE_ADMIN")';
|
|
|
|
|
|
|
|
include http.d/*.conf;
|
|
|
|
# Actual logic
|
|
|
|
|
|
|
|
location / {
|
|
|
|
if ($webmail != none) {
|
|
|
|
return 301 $scheme://$host/webmail/;
|
|
|
|
}
|
|
|
|
|
|
|
|
if ($webmail = none) {
|
|
|
|
return 403;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
location /webmail {
|
|
|
|
if ($webmail != none) {
|
|
|
|
proxy_pass http://webmail;
|
|
|
|
}
|
|
|
|
|
|
|
|
if ($webmail = none) {
|
|
|
|
return 403;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
location /admin {
|
|
|
|
if ($expose_admin = yes) {
|
|
|
|
proxy_pass http://admin;
|
|
|
|
}
|
|
|
|
|
|
|
|
if ($expose_admin != yes) {
|
|
|
|
return 403;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
location /webdav {
|
|
|
|
if ($webdav != none) {
|
|
|
|
proxy_pass http://webdav:5232;
|
|
|
|
}
|
|
|
|
|
|
|
|
if ($webdav = none) {
|
|
|
|
return 403;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
location /.well-known/acme-challenge {
|
|
|
|
proxy_pass http://admin:8081;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
include extra.d/*.conf;
|