You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
174 lines
4.3 KiB
Nginx Configuration File
174 lines
4.3 KiB
Nginx Configuration File
7 years ago
|
# Basic configuration
|
||
|
user nginx;
|
||
7 years ago
|
worker_processes 4;
|
||
7 years ago
|
error_log /dev/stderr info;
|
||
|
pid /var/run/nginx.pid;
|
||
|
load_module "modules/ngx_mail_module.so";
|
||
|
|
||
|
events {
|
||
|
worker_connections 1024;
|
||
|
}
|
||
|
|
||
|
http {
|
||
|
# Standard HTTP configuration with slight hardening
|
||
|
include /etc/nginx/mime.types;
|
||
|
default_type application/octet-stream;
|
||
|
access_log /dev/stdout;
|
||
|
sendfile on;
|
||
|
keepalive_timeout 65;
|
||
|
server_tokens off;
|
||
7 years ago
|
absolute_redirect off;
|
||
7 years ago
|
|
||
7 years ago
|
# Main HTTP server
|
||
7 years ago
|
server {
|
||
7 years ago
|
# Always listen over HTTP
|
||
7 years ago
|
listen 80;
|
||
7 years ago
|
listen [::]:80;
|
||
7 years ago
|
|
||
7 years ago
|
# Only enable HTTPS if TLS is enabled with no error
|
||
7 years ago
|
{% if TLS and not TLS_ERROR %}
|
||
7 years ago
|
listen 443 ssl;
|
||
7 years ago
|
listen [::]:443 ssl;
|
||
7 years ago
|
|
||
7 years ago
|
include /etc/nginx/tls.conf;
|
||
|
ssl_session_cache shared:SSLHTTP:50m;
|
||
7 years ago
|
add_header Strict-Transport-Security max-age=15768000;
|
||
|
|
||
|
if ($scheme = http) {
|
||
|
return 301 https://$host$request_uri;
|
||
|
}
|
||
|
{% endif %}
|
||
|
|
||
7 years ago
|
# In any case, enable the proxy for certbot if the flavor is letsencrypt
|
||
7 years ago
|
{% if TLS_FLAVOR == 'letsencrypt' %}
|
||
|
location ^~ /.well-known/acme-challenge/ {
|
||
7 years ago
|
proxy_pass http://localhost:8008;
|
||
7 years ago
|
}
|
||
|
{% endif %}
|
||
|
|
||
7 years ago
|
# If TLS is failing, prevent access to anything except certbot
|
||
7 years ago
|
{% if TLS_ERROR %}
|
||
|
location / {
|
||
7 years ago
|
return 403;
|
||
7 years ago
|
}
|
||
|
{% else %}
|
||
7 years ago
|
|
||
|
# Actual logic
|
||
7 years ago
|
{% if WEBMAIL != 'none' %}
|
||
7 years ago
|
location / {
|
||
|
return 301 $scheme://$host/webmail/;
|
||
|
}
|
||
|
|
||
7 years ago
|
location {{ WEB_WEBMAIL }} {
|
||
|
rewrite ^{{ WEB_WEBMAIL }}/(.*) /$1 break;
|
||
7 years ago
|
proxy_pass http://webmail;
|
||
|
}
|
||
7 years ago
|
{% endif %}
|
||
7 years ago
|
|
||
7 years ago
|
{% if ADMIN == 'true' %}
|
||
7 years ago
|
location {{ WEB_ADMIN }} {
|
||
7 years ago
|
return 301 {{ WEB_ADMIN }}/ui;
|
||
7 years ago
|
}
|
||
7 years ago
|
location ~ {{ WEB_ADMIN }}/(ui|static) {
|
||
|
rewrite ^{{ WEB_ADMIN }}/(.*) /$1 break;
|
||
|
proxy_set_header X-Forwarded-Prefix {{ WEB_ADMIN }};
|
||
7 years ago
|
proxy_pass http://admin;
|
||
|
}
|
||
7 years ago
|
{% endif %}
|
||
7 years ago
|
|
||
7 years ago
|
{% if WEBDAV != 'none' %}
|
||
7 years ago
|
location /webdav {
|
||
7 years ago
|
rewrite ^/webdav/(.*) /$1 break;
|
||
7 years ago
|
proxy_pass http://webdav:5232;
|
||
|
}
|
||
7 years ago
|
{% endif %}
|
||
7 years ago
|
{% endif %}
|
||
7 years ago
|
}
|
||
7 years ago
|
|
||
|
# Forwarding authentication server
|
||
|
server {
|
||
|
listen 127.0.0.1:8000;
|
||
|
|
||
7 years ago
|
location / {
|
||
|
proxy_pass http://admin/internal/;
|
||
7 years ago
|
}
|
||
|
}
|
||
7 years ago
|
}
|
||
|
|
||
|
mail {
|
||
7 years ago
|
server_name {{ HOSTNAMES.split(",")[0] }};
|
||
7 years ago
|
auth_http http://127.0.0.1:8000/auth/email;
|
||
7 years ago
|
proxy_pass_error_message on;
|
||
|
|
||
7 years ago
|
{% if TLS and not TLS_ERROR %}
|
||
|
include /etc/nginx/tls.conf;
|
||
|
ssl_session_cache shared:SSLMAIL:50m;
|
||
|
{% endif %}
|
||
|
|
||
7 years ago
|
# Default SMTP server for the webmail (no encryption, but authentication)
|
||
|
server {
|
||
|
listen 10025;
|
||
|
protocol smtp;
|
||
|
smtp_auth plain;
|
||
|
}
|
||
|
|
||
|
# Default IMAP server for the webmail (no encryption, but authentication)
|
||
|
server {
|
||
|
listen 10143;
|
||
|
protocol imap;
|
||
|
smtp_auth plain;
|
||
|
}
|
||
|
|
||
|
# SMTP is always enabled, to avoid losing emails when TLS is failing
|
||
7 years ago
|
server {
|
||
|
listen 25;
|
||
7 years ago
|
listen [::]:25;
|
||
7 years ago
|
{% if TLS and not TLS_ERROR %}
|
||
7 years ago
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||
|
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
|
||
7 years ago
|
starttls on;
|
||
|
{% endif %}
|
||
7 years ago
|
protocol smtp;
|
||
7 years ago
|
smtp_auth none;
|
||
7 years ago
|
}
|
||
|
|
||
7 years ago
|
# All other protocols are disabled if TLS is failing
|
||
7 years ago
|
{% if not TLS_ERROR %}
|
||
7 years ago
|
server {
|
||
|
listen 143;
|
||
7 years ago
|
listen [::]:143;
|
||
7 years ago
|
{% if TLS %}
|
||
|
starttls only;
|
||
|
{% endif %}
|
||
|
protocol imap;
|
||
|
imap_auth plain;
|
||
|
}
|
||
|
|
||
|
server {
|
||
7 years ago
|
listen 587;
|
||
|
listen [::]:587;
|
||
|
{% if TLS %}
|
||
|
starttls only;
|
||
|
{% endif %}
|
||
7 years ago
|
protocol smtp;
|
||
|
smtp_auth plain;
|
||
|
}
|
||
|
|
||
7 years ago
|
{% if TLS %}
|
||
7 years ago
|
server {
|
||
7 years ago
|
listen 465 ssl;
|
||
|
listen [::]:465 ssl;
|
||
7 years ago
|
protocol smtp;
|
||
|
smtp_auth plain;
|
||
|
}
|
||
|
|
||
|
server {
|
||
|
listen 993 ssl;
|
||
7 years ago
|
listen [::]:993 ssl;
|
||
7 years ago
|
protocol imap;
|
||
|
imap_auth plain;
|
||
|
}
|
||
7 years ago
|
{% endif %}
|
||
|
{% endif %}
|
||
7 years ago
|
}
|