Merge pull request #358 from SunMar/master

Adding options for when using reverse proxy (real ip header / from and mail-letsencrypt)
master
kaiyou 7 years ago committed by GitHub
commit 7c2b4be954
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -20,6 +20,14 @@ http {
absolute_redirect off;
resolver {{ RESOLVER }} valid=30s;
{% if REAL_IP_HEADER %}
real_ip_header {{ REAL_IP_HEADER }};
{% endif %}
{% if REAL_IP_FROM %}{% for from_ip in REAL_IP_FROM.split(',') %}
set_real_ip_from {{ from_ip }};
{% endfor %}{% endif %}
# Header maps
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
default $http_x_forwarded_proto;
@ -45,17 +53,23 @@ http {
include /etc/nginx/tls.conf;
ssl_session_cache shared:SSLHTTP:50m;
add_header Strict-Transport-Security max-age=15768000;
add_header Strict-Transport-Security 'max-age=31536000';
{% if not TLS_FLAVOR == "mail" %}
if ($scheme = http) {
{% if not TLS_FLAVOR in [ 'mail', 'mail-letsencrypt' ] %}
if ($proxy_x_forwarded_proto = http) {
return 301 https://$host$request_uri;
}
{% endif %}
{% endif %}
add_header X-Frame-Options 'DENY';
add_header X-Content-Type-Options 'nosniff';
add_header X-Permitted-Cross-Domain-Policies 'none';
add_header X-XSS-Protection '1; mode=block';
add_header Referrer-Policy 'same-origin';
# In any case, enable the proxy for certbot if the flavor is letsencrypt
{% if TLS_FLAVOR == 'letsencrypt' %}
{% if TLS_FLAVOR in [ 'letsencrypt', 'mail-letsencrypt' ] %}
location ^~ /.well-known/acme-challenge/ {
proxy_pass http://127.0.0.1:8008;
}

@ -16,9 +16,11 @@ with open("/etc/resolv.conf") as handle:
# TLS configuration
args["TLS"] = {
"cert": ("/certs/cert.pem", "/certs/key.pem"),
"mail": ("/certs/cert.pem", "/certs/key.pem"),
"letsencrypt": ("/certs/letsencrypt/live/mailu/fullchain.pem",
"/certs/letsencrypt/live/mailu/privkey.pem"),
"mail": ("/certs/cert.pem", "/certs/key.pem"),
"mail-letsencrypt": ("/certs/letsencrypt/live/mailu/fullchain.pem",
"/certs/letsencrypt/live/mailu/privkey.pem"),
"notls": None
}[args["TLS_FLAVOR"]]
@ -26,7 +28,6 @@ if args["TLS"] and not all(os.path.exists(file_path) for file_path in args["TLS"
print("Missing cert or key file, disabling TLS")
args["TLS_ERROR"] = "yes"
# Build final configuration paths
convert("/conf/tls.conf", "/etc/nginx/tls.conf", args)
convert("/conf/proxy.conf", "/etc/nginx/proxy.conf", args)

@ -7,7 +7,7 @@ import subprocess
if os.path.exists("/var/log/nginx.pid"):
os.remove("/var/log/nginx.pid")
if os.environ["TLS_FLAVOR"] == "letsencrypt":
if os.environ["TLS_FLAVOR"] in [ "letsencrypt","mail-letsencrypt" ]:
subprocess.Popen(["/letsencrypt.py"])
subprocess.call(["/config.py"])

@ -30,7 +30,7 @@ HOSTNAMES=mail.mailu.io,alternative.mailu.io,yetanother.mailu.io
# Postmaster local part (will append the main mail domain)
POSTMASTER=admin
# Choose how secure connections will behave (value: letsencrypt, cert, notls, mail)
# Choose how secure connections will behave (value: letsencrypt, cert, notls, mail, mail-letsencrypt)
TLS_FLAVOR=cert
# Authentication rate limit (per source IP address)
@ -113,3 +113,9 @@ COMPOSE_PROJECT_NAME=mailu
# Default password scheme used for newly created accounts and changed passwords
# (value: SHA512-CRYPT, SHA256-CRYPT, MD5-CRYPT, CRYPT)
PASSWORD_SCHEME=SHA512-CRYPT
# Header to take the real ip from
REAL_IP_HEADER=
# IPs for nginx set_real_ip_from (CIDR list separated by commas)
REAL_IP_FROM=

@ -52,6 +52,8 @@ values:
- ``letsencrypt`` will use the Letsencrypt! CA to generate automatic ceriticates;
- ``mail`` is similar to ``cert`` except that TLS will only be served for
emails (IMAP and SMTP), not HTTP (use it behind reverse proxies);
- ``mail-letsencrypt`` is similar to ``letsencrypt`` except that TLS will only be served for
emails (IMAP and SMTP), not HTTP (use it behind reverse proxies);
- ``notls`` will disable TLS, this is not recommended except for testing.
Enable optional features
@ -93,6 +95,12 @@ setting. The configuration option must be one of the following:
Make sure that you have at least 1GB or memory for ClamAV to load its signature
database.
If you run Mailu behind a reverse proxy you can use ``REAL_IP_HEADER`` and
``REAL_IP_FROM`` to set the values of respective the Nginx directives
``real_ip_header`` and ``set_real_ip_from``. The ``REAL_IP_FROM`` configuration
option is a comma-separated list of IPs (or CIDRs) of which for each a
``set_real_ip_from`` directive is added in the Nginx configuration file.
Finish setting up TLS
---------------------

Loading…
Cancel
Save