1
0
mirror of https://github.com/Mailu/Mailu.git synced 2024-12-16 10:59:53 +02:00
Mailu/nginx/nginx.conf

97 lines
2.2 KiB
Nginx Configuration File
Raw Normal View History

# Basic configuration
user nginx;
worker_processes 1;
error_log /dev/stderr info;
2016-02-21 20:48:40 +02:00
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
# Environment variables used in the configuration
env WEBMAIL;
2016-11-30 15:02:36 +02:00
env WEBDAV;
env EXPOSE_ADMIN;
http {
# Standard HTTP configuration with slight hardening
2016-02-21 20:48:40 +02:00
include /etc/nginx/mime.types;
default_type application/octet-stream;
access_log /dev/stdout;
sendfile on;
keepalive_timeout 65;
server_tokens off;
server {
listen 80;
2016-02-20 22:55:22 +02:00
listen 443 ssl;
# TLS configuration hardened according to:
# https://bettercrypto.org/static/applied-crypto-hardening.pdf
2016-02-20 22:55:22 +02:00
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA';
2016-02-20 22:55:22 +02:00
ssl_prefer_server_ciphers on;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_certificate /certs/cert.pem;
ssl_certificate_key /certs/key.pem;
2016-02-20 22:55:22 +02:00
add_header Strict-Transport-Security max-age=15768000;
2016-02-20 22:55:22 +02:00
if ($scheme = http) {
return 301 https://$host$request_uri;
}
# Load Lua variables
set_by_lua $webmail 'return os.getenv("WEBMAIL")';
2016-11-30 15:02:36 +02:00
set_by_lua $webdav 'return os.getenv("WEBDAV")';
set_by_lua $expose_admin 'return os.getenv("EXPOSE_ADMIN")';
# Actual logic
location / {
if ($webmail != none) {
return 301 $scheme://$host/webmail/;
}
if ($webmail = none) {
return 403;
}
}
location /webmail {
if ($webmail != none) {
proxy_pass http://webmail;
}
if ($webmail = none) {
return 403;
}
2016-02-20 22:55:22 +02:00
}
location /admin {
if ($expose_admin = yes) {
proxy_pass http://admin;
}
if ($expose_admin != yes) {
return 403;
}
}
2016-11-30 15:02:36 +02:00
location /webdav {
if ($webdav != none) {
proxy_pass http://webdav:5232;
}
if ($webdav = none) {
return 403;
}
}
location /.well-known/acme-challenge {
proxy_pass http://admin:8081;
}
}
}