# Basic configuration user nginx; worker_processes 1; error_log /dev/stderr info; pid /var/run/nginx.pid; events { worker_connections 1024; } # Environment variables used in the configuration env WEBMAIL; env WEBDAV; env EXPOSE_ADMIN; http { # Standard HTTP configuration with slight hardening include /etc/nginx/mime.types; default_type application/octet-stream; access_log /dev/stdout; sendfile on; keepalive_timeout 65; server_tokens off; server { listen 80; listen 443 ssl; # TLS configuration hardened according to: # https://bettercrypto.org/static/applied-crypto-hardening.pdf ssl_protocols TLSv1.1 TLSv1.2; ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA'; ssl_prefer_server_ciphers on; ssl_session_timeout 5m; ssl_session_cache shared:SSL:50m; ssl_certificate /certs/cert.pem; ssl_certificate_key /certs/key.pem; add_header Strict-Transport-Security max-age=15768000; if ($scheme = http) { return 301 https://$host$request_uri; } # Load Lua variables set_by_lua $webmail 'return os.getenv("WEBMAIL")'; set_by_lua $webdav 'return os.getenv("WEBDAV")'; set_by_lua $expose_admin 'return os.getenv("EXPOSE_ADMIN")'; # Actual logic location / { if ($webmail != none) { return 301 $scheme://$host/webmail/; } if ($webmail = none) { return 403; } } location /webmail { if ($webmail != none) { proxy_pass http://webmail; } if ($webmail = none) { return 403; } } location /admin { if ($expose_admin = yes) { proxy_pass http://admin; } if ($expose_admin != yes) { return 403; } } location /webdav { if ($webdav != none) { proxy_pass http://webdav:5232; } if ($webdav = none) { return 403; } } location /.well-known/acme-challenge { proxy_pass http://admin:8081; } } }