Enable https and --preload on the admin to improve letsencrypt support

admin/start.sh

@@ -1,4 +1,4 @@
 #!/bin/sh
 
 python manage.py db upgrade
-gunicorn -w 4 -b 0.0.0.0:80 --access-logfile - --error-logfile - mailu:app
+gunicorn -w 4 -b 0.0.0.0:80 --access-logfile - --error-logfile - --preload mailu:app

nginx/Dockerfile

@@ -1,8 +1,8 @@
 FROM nginx:alpine
 
-RUN apk add --update nginx-lua && rm -rf /var/cache/apk/*
+RUN apk add --update nginx-lua openssl && rm -rf /var/cache/apk/*
 
-COPY nginx.conf /etc/nginx/nginx.conf
+COPY nginx.conf.default /etc/nginx/nginx.conf.default
 COPY nginx.conf.fallback /etc/nginx/nginx.conf.fallback
 
 COPY start.sh /start.sh

nginx/nginx.conf.fallback

@@ -19,6 +19,23 @@ http {
 
     server {
       listen 80;
+      listen 443 ssl;
+
+      # TLS configuration hardened according to:
+      # https://bettercrypto.org/static/applied-crypto-hardening.pdf
+      ssl_protocols TLSv1.1 TLSv1.2;
+      ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA';
+      ssl_prefer_server_ciphers on;
+      ssl_session_timeout 5m;
+      ssl_session_cache shared:SSL:50m;
+      ssl_certificate /tmp/snakeoil.pem;
+      ssl_certificate_key /tmp/snakeoil.pem;
+
+      add_header Strict-Transport-Security max-age=15768000;
+
+      if ($scheme = http) {
+        return 301 https://$host$request_uri;
+      }
 
       location /.well-known/acme-challenge {
         proxy_pass http://admin:8081;

nginx/start.sh

@@ -1,6 +1,11 @@
 #!/bin/sh
 
-if [[ ! -z ENABLE_CERTBOT && ! -f /certs/cert.pem ]]; then
+if [[ -z ENABLE_CERTBOT || -f /certs/cert.pem ]]
+then
+  cp /etc/nginx/nginx.conf.default /etc/nginx/nginx.conf
+else
+  openssl req -newkey rsa:2048 -x509 -keyout /tmp/snakeoil.pem -out /tmp/snakeoil.pem -days 365 -nodes -subj "/C=NA/ST=None/
+L=None/O=None/CN=$DOMAIN"
   cp /etc/nginx/nginx.conf.fallback /etc/nginx/nginx.conf
 fi