Merge branch 'master' of github.com:Mailu/Mailu

7 years ago · 14f30b300f
parent e26c6f7a6e dab8b03a8d
commit 14f30b300f
10 changed files with 124 additions and 3 deletions
--- a/.env.dist
+++ b/.env.dist
@ -36,7 +36,7 @@ COMPOSE_PROJECT_NAME=mailu
 # Optional features
 ###################################

-# Choose which frontend Web server to run if any (value: nginx, none)
+# Choose which frontend Web server to run if any (value: nginx, nginx-no-https, none)
 FRONTEND=none

 # Choose which webmail to run if any (values: roundcube, rainloop, none)
@ -69,6 +69,13 @@ RELAYHOST=
 # Fetchmail delay
 FETCHMAIL_DELAY=600

+###################################
+# Nginx settings
+###################################
+
+# SSL DHPARAM Bits
+NGINX_SSL_DHPARAM_BITS=2048
+
 ###################################
 # Developers
 ###################################
--- a/AUTHORS.md
+++ b/AUTHORS.md
@ -10,3 +10,4 @@ Other contributors:

 - Angedestenebres - Tests on development version & Current version
 - Stefan Auditor - German translation on POEditor.com
+ - [Carlos Bernárdez](https://github.com/jkarlosb) - [[Contributions in Mailu]](https://github.com/Mailu/Mailu/commits?author=jkarlosb)
--- a/nginx-no-https/Dockerfile
+++ b/nginx-no-https/Dockerfile
@ -0,0 +1,9 @@
+FROM nginx:alpine
+
+RUN apk add --no-cache nginx-lua openssl
+
+COPY nginx.conf.default /etc/nginx/nginx.conf.default
+
+COPY start.sh /start.sh
+
+CMD ["/start.sh"]
--- a/nginx-no-https/README.md
+++ b/nginx-no-https/README.md
@ -0,0 +1,14 @@
+Mailu NGINX container
+=====================
+
+NGINX is a popular and highly efficient webserver and reverse proxy server
+commonly used to power high performance websites. In the Mailu stack it is
+used as the HTTP frontend tunneling requests to the public web services
+provided by other containers.
+
+Resources
+---------
+
+ * [Report issues](https://github.com/Mailu/Mailu/issues) and
+    [send Pull Requests](https://github.com/Mailu/Mailu/pulls)
+    in the [main Mailu repository](https://github.com/Mailu/Mailu)
--- a/nginx-no-https/nginx.conf.default
+++ b/nginx-no-https/nginx.conf.default
@ -0,0 +1,79 @@
+#  Basic configuration
+user nginx;
+worker_processes  1;
+error_log /dev/stderr info;
+pid /var/run/nginx.pid;
+
+events {
+    worker_connections  1024;
+}
+
+# Environment variables used in the configuration
+env WEBMAIL;
+env WEBDAV;
+env EXPOSE_ADMIN;
+
+http {
+    # Standard HTTP configuration with slight hardening
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+    access_log /dev/stdout;
+    sendfile on;
+    keepalive_timeout  65;
+    server_tokens off;
+
+    server {
+      listen 80;
+
+      # Load Lua variables
+      set_by_lua $webmail 'return os.getenv("WEBMAIL")';
+      set_by_lua $webdav 'return os.getenv("WEBDAV")';
+      set_by_lua $expose_admin 'return os.getenv("EXPOSE_ADMIN")';
+
+      # Actual logic
+
+      location / {
+        if ($webmail != none) {
+          return 301 $scheme://$host/webmail/;
+        }
+
+        if ($webmail = none) {
+          return 403;
+        }
+      }
+
+      location /webmail {
+        if ($webmail != none) {
+          proxy_pass http://webmail;
+        }
+
+        if ($webmail = none) {
+          return 403;
+        }
+      }
+
+      location /admin {
+        if ($expose_admin = yes) {
+          proxy_pass http://admin;
+        }
+
+        if ($expose_admin != yes) {
+          return 403;
+        }
+      }
+
+      location /webdav {
+        if ($webdav != none) {
+          proxy_pass http://webdav:5232;
+        }
+
+        if ($webdav = none) {
+          return 403;
+        }
+      }
+
+      location /.well-known/acme-challenge {
+        proxy_pass http://admin:8081;
+      }
+    }
+}
--- a/nginx-no-https/start.sh
+++ b/nginx-no-https/start.sh
@ -0,0 +1,5 @@
+#!/bin/sh
+
+cp /etc/nginx/nginx.conf.default /etc/nginx/nginx.conf
+
+nginx -g 'daemon off;'
--- a/nginx/nginx.conf.default
+++ b/nginx/nginx.conf.default
@ -35,6 +35,7 @@ http {
      ssl_session_cache shared:SSL:50m;
      ssl_certificate /certs/cert.pem;
      ssl_certificate_key /certs/key.pem;
+      ssl_dhparam /etc/nginx/dhparam.pem;

      add_header Strict-Transport-Security max-age=15768000;

--- a/nginx/nginx.conf.fallback
+++ b/nginx/nginx.conf.fallback
@ -30,6 +30,7 @@ http {
      ssl_session_cache shared:SSL:50m;
      ssl_certificate /tmp/snakeoil.pem;
      ssl_certificate_key /tmp/snakeoil.pem;
+      ssl_dhparam /etc/nginx/dhparam.pem;

      add_header Strict-Transport-Security max-age=15768000;

--- a/nginx/start.sh
+++ b/nginx/start.sh
@ -1,6 +1,6 @@
 #!/bin/sh

-if [ -z ENABLE_CERTBOT ] || [ -f /certs/cert.pem ]
+if [ -z $ENABLE_CERTBOT ] || [ -f /certs/cert.pem ]
 then
  cp /etc/nginx/nginx.conf.default /etc/nginx/nginx.conf
 else
@ -8,4 +8,8 @@ else
  cp /etc/nginx/nginx.conf.fallback /etc/nginx/nginx.conf
 fi

+if [ ! -r /etc/nginx/dhparam.pem ]; then
+  openssl dhparam -out /etc/nginx/dhparam.pem $NGINX_SSL_DHPARAM_BITS
+fi
+
 nginx -g 'daemon off;'
--- a/radicale/Dockerfile
+++ b/radicale/Dockerfile
@ -1,7 +1,7 @@
 FROM alpine:edge

 RUN echo "@testing http://nl.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories \
- && apk add --no-cache radicale@testing
+ && apk add --no-cache radicale@testing py-dulwich@testing

 COPY radicale.conf /radicale.conf