1
0
mirror of https://github.com/Mailu/Mailu.git synced 2024-12-14 10:53:30 +02:00
Mailu/nginx/conf/nginx.conf

172 lines
3.7 KiB
Nginx Configuration File
Raw Normal View History

2017-09-24 13:09:12 +02:00
# Basic configuration
user nginx;
2017-09-24 14:01:03 +02:00
worker_processes 4;
2017-09-24 13:09:12 +02:00
error_log /dev/stderr info;
pid /var/run/nginx.pid;
load_module "modules/ngx_mail_module.so";
events {
worker_connections 1024;
}
http {
# Standard HTTP configuration with slight hardening
include /etc/nginx/mime.types;
default_type application/octet-stream;
access_log /dev/stdout;
sendfile on;
keepalive_timeout 65;
server_tokens off;
absolute_redirect off;
2017-09-24 13:09:12 +02:00
# Main HTTP server
2017-09-24 13:09:12 +02:00
server {
# Always listen over HTTP
2017-09-24 13:09:12 +02:00
listen 80;
2017-10-21 19:50:49 +02:00
listen [::]:80;
2017-09-24 13:09:12 +02:00
# Only enable HTTPS if TLS is enabled with no error
{% if TLS and not TLS_ERROR %}
2017-09-24 14:01:03 +02:00
listen 443 ssl;
2017-10-21 19:50:49 +02:00
listen [::]:443 ssl;
2017-09-24 18:43:14 +02:00
include /etc/nginx/tls.conf;
ssl_session_cache shared:SSLHTTP:50m;
2017-09-24 14:01:03 +02:00
add_header Strict-Transport-Security max-age=15768000;
if ($scheme = http) {
return 301 https://$host$request_uri;
}
{% endif %}
# In any case, enable the proxy for certbot if the flavor is letsencrypt
{% if TLS_FLAVOR == 'letsencrypt' %}
location ^~ /.well-known/acme-challenge/ {
proxy_pass http://localhost:8000;
}
{% endif %}
# If TLS is failing, prevent access to anything except certbot
{% if TLS_ERROR %}
location / {
2017-10-21 15:54:09 +02:00
return 403;
}
{% else %}
# Actual logic
2017-09-24 14:01:03 +02:00
{% if WEBMAIL != 'none' %}
2017-09-24 13:09:12 +02:00
location / {
return 301 $scheme://$host/webmail/;
}
location {{ WEB_WEBMAIL }} {
rewrite ^{{ WEB_WEBMAIL }}/(.*) /$1 break;
2017-09-24 13:09:12 +02:00
proxy_pass http://webmail;
}
2017-09-24 14:01:03 +02:00
{% endif %}
2017-09-24 13:09:12 +02:00
2017-09-24 14:01:03 +02:00
{% if ADMIN == 'true' %}
location {{ WEB_ADMIN }} {
return 301 {{ WEB_ADMIN }}/ui;
}
location ~ {{ WEB_ADMIN }}/(ui|static) {
rewrite ^{{ WEB_ADMIN }}/(.*) /$1 break;
proxy_set_header X-Forwarded-Prefix {{ WEB_ADMIN }};
2017-09-24 13:09:12 +02:00
proxy_pass http://admin;
}
2017-09-24 14:01:03 +02:00
{% endif %}
2017-09-24 13:09:12 +02:00
2017-09-24 14:01:03 +02:00
{% if WEBDAV != 'none' %}
2017-09-24 13:09:12 +02:00
location /webdav {
rewrite ^/webdav/(.*) /$1 break;
2017-09-24 13:09:12 +02:00
proxy_pass http://webdav:5232;
}
2017-09-24 14:01:03 +02:00
{% endif %}
{% endif %}
2017-09-24 13:09:12 +02:00
}
# Forwarding authentication server
server {
listen 127.0.0.1:8000;
location /internal {
proxy_pass http://admin;
}
}
2017-09-24 13:09:12 +02:00
}
mail {
server_name {{ HOSTNAMES.split(",")[0] }};
auth_http http://127.0.0.1:8000/internal/nginx;
2017-09-24 13:09:12 +02:00
proxy_pass_error_message on;
2017-09-24 18:43:14 +02:00
{% if TLS and not TLS_ERROR %}
include /etc/nginx/tls.conf;
ssl_session_cache shared:SSLMAIL:50m;
{% endif %}
# Default SMTP server for the webmail (no encryption, but authentication)
server {
listen 10025;
protocol smtp;
smtp_auth plain;
}
# Default IMAP server for the webmail (no encryption, but authentication)
server {
listen 10143;
protocol imap;
smtp_auth plain;
}
# SMTP is always enabled, to avoid losing emails when TLS is failing
2017-09-24 13:09:12 +02:00
server {
listen 25;
2017-10-21 19:50:49 +02:00
listen [::]:25;
{% if TLS and not TLS_ERROR %}
2017-09-24 18:43:14 +02:00
starttls on;
{% endif %}
2017-09-24 13:09:12 +02:00
protocol smtp;
2017-09-24 18:43:14 +02:00
smtp_auth none;
2017-09-24 13:09:12 +02:00
}
# All other protocols are disabled if TLS is failing
2017-09-24 18:43:14 +02:00
{% if not TLS_ERROR %}
2017-09-24 13:09:12 +02:00
server {
listen 143;
2017-10-21 19:50:49 +02:00
listen [::]:143;
2017-09-24 18:43:14 +02:00
{% if TLS %}
starttls only;
{% endif %}
protocol imap;
imap_auth plain;
}
server {
listen 587;
listen [::]:587;
{% if TLS %}
starttls only;
{% endif %}
2017-09-24 18:43:14 +02:00
protocol smtp;
smtp_auth plain;
}
{% if TLS %}
2017-09-24 18:43:14 +02:00
server {
listen 465 ssl;
listen [::]:465 ssl;
2017-09-24 18:43:14 +02:00
protocol smtp;
smtp_auth plain;
}
server {
listen 993 ssl;
2017-10-21 19:50:49 +02:00
listen [::]:993 ssl;
2017-09-24 13:09:12 +02:00
protocol imap;
imap_auth plain;
}
2017-09-24 18:43:14 +02:00
{% endif %}
{% endif %}
2017-09-24 13:09:12 +02:00
}