diff --git a/.env.dist b/.env.dist
index c29bbbac..1a1f3b67 100644
--- a/.env.dist
+++ b/.env.dist
@@ -36,7 +36,7 @@ COMPOSE_PROJECT_NAME=mailu
 # Optional features
 ###################################
-# Choose which frontend Web server to run if any (value: nginx, none)
+# Choose which frontend Web server to run if any (value: nginx, nginx-no-https, none)
 FRONTEND=none
 # Choose which webmail to run if any (values: roundcube, rainloop, none)
@@ -69,6 +69,13 @@ RELAYHOST=
 # Fetchmail delay
 FETCHMAIL_DELAY=600
+###################################
+# Nginx settings
+###################################
+
+# SSL DHPARAM Bits
+NGINX_SSL_DHPARAM_BITS=2048
+
 ###################################
 # Developers
 ###################################
diff --git a/AUTHORS.md b/AUTHORS.md
index a15a6478..c9f33e76 100644
--- a/AUTHORS.md
+++ b/AUTHORS.md
@@ -10,3 +10,4 @@ Other contributors:
  - Angedestenebres - Tests on development version & Current version
  - Stefan Auditor - German translation on POEditor.com
+ - [Carlos Bernárdez](https://github.com/jkarlosb) - [[Contributions in Mailu]](https://github.com/Mailu/Mailu/commits?author=jkarlosb)
diff --git a/nginx-no-https/Dockerfile b/nginx-no-https/Dockerfile
new file mode 100644
index 00000000..ee5355fe
--- /dev/null
+++ b/nginx-no-https/Dockerfile
@@ -0,0 +1,9 @@
+FROM nginx:alpine
+
+RUN apk add --no-cache nginx-lua openssl
+
+COPY nginx.conf.default /etc/nginx/nginx.conf.default
+
+COPY start.sh /start.sh
+
+CMD ["/start.sh"]
diff --git a/nginx-no-https/README.md b/nginx-no-https/README.md
new file mode 100644
index 00000000..2a89f3b1
--- /dev/null
+++ b/nginx-no-https/README.md
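Review bot: The new `nginx-no-https` value on the `FRONTEND` comment says nothing about what it gives up: the frontend it selects (added in this commit as nginx-no-https/nginx.conf.default) listens on port 80 only, so admin and webmail logins cross the network in cleartext unless a TLS-terminating proxy sits in front of it. A one-line comment next to the option would make that explicit for operators, e.g. `# nginx-no-https serves plain HTTP on port 80 only; run it behind a TLS-terminating reverse proxy`.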
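Review bot: `FROM nginx:alpine` is a floating tag, so a rebuild months from now pulls whatever nginx and Alpine release the tag then resolves to, and a regression in the frontend becomes hard to bisect; pin a specific version tag (and, for releases, a digest), e.g. `FROM nginx:<pinned-version>-alpine`. The `set_by_lua` directives in the config shipped with this image rely on the `nginx-lua` package from the Alpine repositories being usable by the official image's own nginx build; that combination is worth confirming on a fresh build, since a missing module makes the config fail to load at startup. `openssl` is also installed although nothing in nginx-no-https/start.sh or the config uses it; unless another path needs it, dropping it keeps the image smaller, and a short comment on the `RUN` line stating why each package is present would help the next maintainer.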
@@ -0,0 +1,14 @@
+Mailu NGINX container
+=====================
+
+NGINX is a popular and highly efficient webserver and reverse proxy server
+commonly used to power high performance websites. In the Mailu stack it is
+used as the HTTP frontend tunneling requests to the public web services
+provided by other containers.
+
+Resources
+---------
+
+ * [Report issues](https://github.com/Mailu/Mailu/issues) and
+ [send Pull Requests](https://github.com/Mailu/Mailu/pulls)
+ in the [main Mailu repository](https://github.com/Mailu/Mailu)
\ No newline at end of file
diff --git a/nginx-no-https/nginx.conf.default b/nginx-no-https/nginx.conf.default
new file mode 100644
index 00000000..b1f6c816
--- /dev/null
+++ b/nginx-no-https/nginx.conf.default
@@ -0,0 +1,79 @@
+# Basic configuration
+user nginx;
+worker_processes 1;
+error_log /dev/stderr info;
+pid /var/run/nginx.pid;
+
+events {
+ worker_connections 1024;
+}
+
+# Environment variables used in the configuration
+env WEBMAIL;
+env WEBDAV;
+env EXPOSE_ADMIN;
+
+http {
+ # Standard HTTP configuration with slight hardening
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+ access_log /dev/stdout;
+ sendfile on;
+ keepalive_timeout 65;
+ server_tokens off;
+
+ server {
+ listen 80;
+
+ # Load Lua variables
+ set_by_lua $webmail 'return os.getenv("WEBMAIL")';
+ set_by_lua $webdav 'return os.getenv("WEBDAV")';
+ set_by_lua $expose_admin 'return os.getenv("EXPOSE_ADMIN")';
+
+ # Actual logic
+
+ location / {
+ if ($webmail != none) {
+ return 301 $scheme://$host/webmail/;
+ }
+
+ if ($webmail = none) {
+ return 403;
+ }
+ }
+
+ location /webmail {
+ if ($webmail != none) {
+ proxy_pass http://webmail;
+ }
+
+ if ($webmail = none) {
+ return 403;
+ }
+ }
+
+ location /admin {
+ if ($expose_admin = yes) {
+ proxy_pass http://admin;
+ }
+
+ if ($expose_admin != yes) {
+ return 403;
+ }
+ }
+
+ location /webdav {
+ if ($webdav != none) {
+ proxy_pass http://webdav:5232;
+ }
+
+ if ($webdav = none) {
+ return 403;
+ }
+ }
+
+ location /.well-known/acme-challenge {
+ proxy_pass http://admin:8081;
+ }
+ }
+}
diff --git a/nginx-no-https/start.sh b/nginx-no-https/start.sh
new file mode 100755
index 00000000..e4bc34d3
--- /dev/null
+++ b/nginx-no-https/start.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+cp /etc/nginx/nginx.conf.default /etc/nginx/nginx.conf
+
+nginx -g 'daemon off;'
diff --git a/nginx/nginx.conf.default b/nginx/nginx.conf.default
index 0d57ca50..b7ed5179 100644
--- a/nginx/nginx.conf.default
+++ b/nginx/nginx.conf.default
@@ -35,6 +35,7 @@ http {
 ssl_session_cache shared:SSL:50m;
 ssl_certificate /certs/cert.pem;
 ssl_certificate_key /certs/key.pem;
+ ssl_dhparam /etc/nginx/dhparam.pem;
 add_header Strict-Transport-Security max-age=15768000;
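Review bot: The redirect in `location /` builds its target from `$scheme`, which on this `listen 80`-only server is always `http`, so if the variant runs behind a TLS-terminating proxy (presumably the reason to ship a no-https frontend) a visitor on https://host/ is bounced to http://host/webmail/ and the webmail session continues in cleartext. None of the `proxy_pass` locations sets `proxy_set_header` either, so the webmail, admin and webdav upstreams receive the upstream name as `Host` and this container's address as the client, which breaks absolute URLs and client-IP logging in the backends. The change below derives the client-visible scheme from `X-Forwarded-Proto` when present, forwards the usual request context from the `server` block so every location inherits it, and uses that scheme for the redirect; the `map` belongs in the `http` block above `server`. The file's header comment should also state that it serves the admin and webmail interfaces over plain HTTP, so operators know not to expose port 80 directly.
```nginx
http {
  # … unchanged: standard HTTP settings …

  # Scheme as the client sees it: honour X-Forwarded-Proto from a TLS-terminating
  # front proxy so redirects stay on https; fall back to this server's own scheme.
  map $http_x_forwarded_proto $client_scheme {
    default $scheme;
    https   https;
  }

  server {
    listen 80;

    # Forward the original request context to every proxied upstream
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $client_scheme;

    # … unchanged: set_by_lua variables …

    location / {
      if ($webmail != none) {
        return 301 $client_scheme://$host/webmail/;
      }
      # … unchanged: 403 branch …
    }

    # … unchanged: remaining locations …
```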
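Review bot: The script's last line starts nginx as a child of `/bin/sh`, which stays PID 1 because the Dockerfile's `CMD ["/start.sh"]` runs the script directly; `docker stop` then delivers SIGTERM to the shell, which as PID 1 ignores it, so nginx never sees a shutdown signal and the container is killed after the grace period. Replacing the last line with `exec nginx -g 'daemon off;'` hands PID 1 to nginx and restores graceful shutdown. Adding `set -e` after the shebang would also stop nginx from starting with the image's stock config if the `cp` fails.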
diff --git a/nginx/nginx.conf.fallback b/nginx/nginx.conf.fallback
index bf5cd869..9a63a3c9 100644
--- a/nginx/nginx.conf.fallback
+++ b/nginx/nginx.conf.fallback
@@ -30,6 +30,7 @@ http {
 ssl_session_cache shared:SSL:50m;
 ssl_certificate /tmp/snakeoil.pem;
 ssl_certificate_key /tmp/snakeoil.pem;
+ ssl_dhparam /etc/nginx/dhparam.pem;
 add_header Strict-Transport-Security max-age=15768000;
diff --git a/nginx/start.sh b/nginx/start.sh
index a0f7718b..b1c868ce 100755
--- a/nginx/start.sh
+++ b/nginx/start.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
-if [ -z ENABLE_CERTBOT ] || [ -f /certs/cert.pem ]
+if [ -z $ENABLE_CERTBOT ] || [ -f /certs/cert.pem ]
 then
 cp /etc/nginx/nginx.conf.default /etc/nginx/nginx.conf
 else
@@ -8,4 +8,8 @@ else
 cp /etc/nginx/nginx.conf.fallback /etc/nginx/nginx.conf
 fi
+if [ ! -r /etc/nginx/dhparam.pem ]; then
+ openssl dhparam -out /etc/nginx/dhparam.pem $NGINX_SSL_DHPARAM_BITS
+fi
+
 nginx -g 'daemon off;'
diff --git a/radicale/Dockerfile b/radicale/Dockerfile
index b42548e6..dce888b5 100644
--- a/radicale/Dockerfile
+++ b/radicale/Dockerfile
@@ -1,7 +1,7 @@
 FROM alpine:edge
 RUN echo "@testing http://nl.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories \
- && apk add --no-cache radicale@testing
+ && apk add --no-cache radicale@testing py-dulwich@testing
 COPY radicale.conf /radicale.conf
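Review bot: The corrected test still expands `$ENABLE_CERTBOT` unquoted, so with the variable empty the command degenerates to `[ -z ]`, which is true only because a lone `-z` is itself a non-empty string, and a value containing whitespace makes `[` abort with a syntax error. Quote it: `if [ -z "$ENABLE_CERTBOT" ] || [ -f /certs/cert.pem ]`.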
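Review bot: `openssl dhparam -out /etc/nginx/dhparam.pem $NGINX_SSL_DHPARAM_BITS` writes the parameters into the container's own filesystem, and nothing in this diff mounts /etc/nginx persistently, so every recreated container regenerates them; at 2048 bits that is minutes of CPU during which nginx, whose config now hard-requires the file via `ssl_dhparam`, is not serving. Generating once into the persisted certificate directory (next to /certs/cert.pem, if that path is a volume) avoids the repeated startup delay. The variable is also unquoted and the result unchecked: if it is not exported into the container the size silently falls back to openssl's own default, and a failed generation is ignored, leaving nginx to die on the missing file; `openssl dhparam -out /etc/nginx/dhparam.pem "${NGINX_SSL_DHPARAM_BITS:-2048}" || exit 1` fails fast with a clear cause. This also requires `openssl` in the nginx image, whose Dockerfile is not part of this diff.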