Adding options for mail-letsencrypt

master
SunMar 7 years ago
parent 34d88144b2
commit 6ec0fe7036

@ -20,6 +20,14 @@ http {
absolute_redirect off; absolute_redirect off;
resolver {{ RESOLVER }} valid=30s; resolver {{ RESOLVER }} valid=30s;
{% if REAL_IP_HEADER %}
real_ip_header {{ REAL_IP_HEADER }};
{% endif %}
{% if REAL_IP_FROM %}{% for from_ip in REAL_IP_FROM.split(',') %}
set_real_ip_from {{ from_ip }};
{% endfor %}{% endif %}
# Header maps # Header maps
map $http_x_forwarded_proto $proxy_x_forwarded_proto { map $http_x_forwarded_proto $proxy_x_forwarded_proto {
default $http_x_forwarded_proto; default $http_x_forwarded_proto;
@ -45,17 +53,23 @@ http {
include /etc/nginx/tls.conf; include /etc/nginx/tls.conf;
ssl_session_cache shared:SSLHTTP:50m; ssl_session_cache shared:SSLHTTP:50m;
add_header Strict-Transport-Security max-age=15768000; add_header Strict-Transport-Security 'max-age=31536000';
{% if not TLS_FLAVOR == "mail" %} {% if not TLS_FLAVOR in [ 'mail', 'mail-letsencrypt' ] %}
if ($scheme = http) { if ($proxy_x_forwarded_proto = http) {
return 301 https://$host$request_uri; return 301 https://$host$request_uri;
} }
{% endif %} {% endif %}
{% endif %} {% endif %}
add_header X-Frame-Options 'DENY';
add_header X-Content-Type-Options 'nosniff';
add_header X-Permitted-Cross-Domain-Policies 'none';
add_header X-XSS-Protection '1; mode=block';
add_header Referrer-Policy 'same-origin';
# In any case, enable the proxy for certbot if the flavor is letsencrypt # In any case, enable the proxy for certbot if the flavor is letsencrypt
{% if TLS_FLAVOR == 'letsencrypt' %} {% if TLS_FLAVOR in [ 'letsencrypt', 'mail-letsencrypt' ] %}
location ^~ /.well-known/acme-challenge/ { location ^~ /.well-known/acme-challenge/ {
proxy_pass http://127.0.0.1:8008; proxy_pass http://127.0.0.1:8008;
} }
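Review bot: The `{% for from_ip in REAL_IP_FROM.split(',') %}` loop emits one `set_real_ip_from` directive per raw element, so a trailing comma or a doubled comma in `REAL_IP_FROM` yields `set_real_ip_from ;`, which makes nginx reject the whole configuration at startup rather than just that entry. Trim and skip blanks in the template: `{% for from_ip in REAL_IP_FROM.split(',') %}{% if from_ip.strip() %}set_real_ip_from {{ from_ip.strip() }};{% endif %}{% endfor %}`. The redirect in the second hunk now tests `$proxy_x_forwarded_proto`, whose map default is the client-supplied `$http_x_forwarded_proto`; that only carries meaning when a reverse proxy in front of nginx sets or overwrites the header, which appears to be the assumption behind the mail-letsencrypt flavor and is worth stating in the comment above that block. The enclosing `http {` block and its server context start and end outside the hunks.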

@ -16,9 +16,11 @@ with open("/etc/resolv.conf") as handle:
# TLS configuration # TLS configuration
args["TLS"] = { args["TLS"] = {
"cert": ("/certs/cert.pem", "/certs/key.pem"), "cert": ("/certs/cert.pem", "/certs/key.pem"),
"mail": ("/certs/cert.pem", "/certs/key.pem"),
"letsencrypt": ("/certs/letsencrypt/live/mailu/fullchain.pem", "letsencrypt": ("/certs/letsencrypt/live/mailu/fullchain.pem",
"/certs/letsencrypt/live/mailu/privkey.pem"), "/certs/letsencrypt/live/mailu/privkey.pem"),
"mail": ("/certs/cert.pem", "/certs/key.pem"),
"mail-letsencrypt": ("/certs/letsencrypt/live/mailu/fullchain.pem",
"/certs/letsencrypt/live/mailu/privkey.pem"),
"notls": None "notls": None
}[args["TLS_FLAVOR"]] }[args["TLS_FLAVOR"]]
@ -26,7 +28,6 @@ if args["TLS"] and not all(os.path.exists(file_path) for file_path in args["TLS"
print("Missing cert or key file, disabling TLS") print("Missing cert or key file, disabling TLS")
args["TLS_ERROR"] = "yes" args["TLS_ERROR"] = "yes"
# Build final configuration paths # Build final configuration paths
convert("/conf/tls.conf", "/etc/nginx/tls.conf", args) convert("/conf/tls.conf", "/etc/nginx/tls.conf", args)
convert("/conf/proxy.conf", "/etc/nginx/proxy.conf", args) convert("/conf/proxy.conf", "/etc/nginx/proxy.conf", args)
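Review bot: The letsencrypt certificate paths are now written out twice, once under `"letsencrypt"` and once under `"mail-letsencrypt"`, so a future change to the live directory name has to be made in two places that can silently drift apart. Bind them once before the dict, `letsencrypt_paths = ("/certs/letsencrypt/live/mailu/fullchain.pem", "/certs/letsencrypt/live/mailu/privkey.pem")`, and use `"letsencrypt": letsencrypt_paths, "mail-letsencrypt": letsencrypt_paths,`. Indexing the literal with `}[args["TLS_FLAVOR"]]` still turns a misspelled flavor such as `mail_letsencrypt` into a bare `KeyError` traceback at startup; a lookup with an explicit error naming the accepted values would make that failure self-explanatory, though it is pre-existing behaviour. The surrounding module-level code continues outside the hunk.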

@ -7,7 +7,7 @@ import subprocess
if os.path.exists("/var/log/nginx.pid"): if os.path.exists("/var/log/nginx.pid"):
os.remove("/var/log/nginx.pid") os.remove("/var/log/nginx.pid")
if os.environ["TLS_FLAVOR"] == "letsencrypt": if os.environ["TLS_FLAVOR"] in [ "letsencrypt","mail-letsencrypt" ]:
subprocess.Popen(["/letsencrypt.py"]) subprocess.Popen(["/letsencrypt.py"])
subprocess.call(["/config.py"]) subprocess.call(["/config.py"])
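Review bot: The membership test in the `TLS_FLAVOR` check is written as a list literal with inner padding, `[ "letsencrypt","mail-letsencrypt" ]`; the idiomatic form is a tuple, `if os.environ["TLS_FLAVOR"] in ("letsencrypt", "mail-letsencrypt"):`. The same pair of flavor names is now spelled out here, in config.py and in the nginx template, so deriving the decision in one place (for example a single boolean passed along with the other template args) would keep the three from drifting, if the files can share it. The `subprocess.Popen(["/letsencrypt.py"])` handle on the following line is discarded, so if that process exits nothing observes it; that is pre-existing, but a comment such as `# fire-and-forget: the certbot runner is not supervised from here` would make the intent explicit. The surrounding script continues outside the hunk.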

@ -30,7 +30,7 @@ HOSTNAMES=mail.mailu.io,alternative.mailu.io,yetanother.mailu.io
# Postmaster local part (will append the main mail domain) # Postmaster local part (will append the main mail domain)
POSTMASTER=admin POSTMASTER=admin
# Choose how secure connections will behave (value: letsencrypt, cert, notls, mail) # Choose how secure connections will behave (value: letsencrypt, cert, notls, mail, mail-letsencrypt)
TLS_FLAVOR=cert TLS_FLAVOR=cert
# Authentication rate limit (per source IP address) # Authentication rate limit (per source IP address)
@ -113,3 +113,9 @@ COMPOSE_PROJECT_NAME=mailu
# Default password scheme used for newly created accounts and changed passwords # Default password scheme used for newly created accounts and changed passwords
# (value: SHA512-CRYPT, SHA256-CRYPT, MD5-CRYPT, CRYPT) # (value: SHA512-CRYPT, SHA256-CRYPT, MD5-CRYPT, CRYPT)
PASSWORD_SCHEME=SHA512-CRYPT PASSWORD_SCHEME=SHA512-CRYPT
# Header to take the real ip from
REAL_IP_HEADER=
# IPs for nginx set_real_ip_from (CIDR list separated by commas)
REAL_IP_FROM=
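Review bot: The new `REAL_IP_FROM` comment documents the syntax but not the trust it grants: every address in those ranges may assert the client address through `REAL_IP_HEADER`, and that address is what the per-source-IP authentication rate limit earlier in this file keys on, so an over-broad range lets any client choose its own rate-limit key by sending the header. Add a line above `REAL_IP_FROM=` such as `# List only the addresses of your own reverse proxies: anything in these ranges can set the real-IP header`. It may also help to say in the `REAL_IP_HEADER` comment that leaving it empty while `REAL_IP_FROM` is set falls back to nginx's built-in default header rather than disabling the feature, if that is the intended behaviour.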

@ -52,6 +52,8 @@ values:
- ``letsencrypt`` will use the Letsencrypt! CA to generate automatic ceriticates; - ``letsencrypt`` will use the Letsencrypt! CA to generate automatic ceriticates;
- ``mail`` is similar to ``cert`` except that TLS will only be served for - ``mail`` is similar to ``cert`` except that TLS will only be served for
emails (IMAP and SMTP), not HTTP (use it behind reverse proxies); emails (IMAP and SMTP), not HTTP (use it behind reverse proxies);
- ``mail-letsencrypt`` is similar to ``letsencrypt`` except that TLS will only be served for
emails (IMAP and SMTP), not HTTP (use it behind reverse proxies);
- ``notls`` will disable TLS, this is not recommended except for testing. - ``notls`` will disable TLS, this is not recommended except for testing.
Enable optional features Enable optional features
@ -93,6 +95,12 @@ setting. The configuration option must be one of the following:
Make sure that you have at least 1GB or memory for ClamAV to load its signature Make sure that you have at least 1GB or memory for ClamAV to load its signature
database. database.
If you run Mailu behind a reverse proxy you can use ``REAL_IP_HEADER`` and
``REAL_IP_FROM`` to set the values of respective the Nginx directives
``real_ip_header`` and ``set_real_ip_from``. The ``REAL_IP_FROM`` configuration
option is a comma-separated list of IPs (or CIDRs) of which for each a
``set_real_ip_from`` directive is added in the Nginx configuration file.
Finish setting up TLS Finish setting up TLS
--------------------- ---------------------
