Mailu/nginx/nginx.conf

#  Basic configuration
user nginx;
worker_processes  1;
error_log /dev/stderr info;
pid /var/run/nginx.pid;

events {
    worker_connections  1024;
}

# Environment variables used in the configuration
env WEBMAIL;

http {
    # Standard HTTP configuration with slight hardening
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    access_log /dev/stdout;
    sendfile on;
    keepalive_timeout  65;
    server_tokens off;

    server {
      listen 80;
      listen 443 ssl;

      # TLS configuration hardened according to:
      # https://bettercrypto.org/static/applied-crypto-hardening.pdf
      ssl_protocols TLSv1.1 TLSv1.2;
      ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA';
      ssl_prefer_server_ciphers on;
      ssl_session_timeout 5m;
      ssl_session_cache shared:SSL:50m;
      ssl_certificate /certs/cert.pem;
      ssl_certificate_key /certs/key.pem;

      add_header Strict-Transport-Security max-age=15768000;

      if ($scheme = http) {
    		return 301 https://$host$request_uri;
    	}

      # Load Lua variables
      set_by_lua $webmail 'return os.getenv("WEBMAIL")';

      # Actual logic

      location / {
        if ($webmail != none) {
          proxy_pass http://webmail;
        }

        return 403;
      }

      location /admin {
        proxy_pass http://admin;
      }
    }
}
Proxify to webmail only if enabled, related to #40 2016-09-10 11:45:34 +02:00			`# Basic configuration`
			`user nginx;`
Actually bind flask-admin to the mail servers 2016-02-20 21:11:59 +02:00			`worker_processes 1;`
Move to Docker Compose and multiple containers 2016-02-24 08:44:49 +02:00			`error_log /dev/stderr info;`
Store logs to /data/logs 2016-02-21 20:48:40 +02:00			`pid /var/run/nginx.pid;`
Actually bind flask-admin to the mail servers 2016-02-20 21:11:59 +02:00
			`events {`
			`worker_connections 1024;`
			`}`

Proxify to webmail only if enabled, related to #40 2016-09-10 11:45:34 +02:00			`# Environment variables used in the configuration`
			`env WEBMAIL;`

Actually bind flask-admin to the mail servers 2016-02-20 21:11:59 +02:00			`http {`
Proxify to webmail only if enabled, related to #40 2016-09-10 11:45:34 +02:00			`# Standard HTTP configuration with slight hardening`
Store logs to /data/logs 2016-02-21 20:48:40 +02:00			`include /etc/nginx/mime.types;`
			`default_type application/octet-stream;`
Move to Docker Compose and multiple containers 2016-02-24 08:44:49 +02:00			`access_log /dev/stdout;`
Actually bind flask-admin to the mail servers 2016-02-20 21:11:59 +02:00			`sendfile on;`
			`keepalive_timeout 65;`
			`server_tokens off;`

			`server {`
			`listen 80;`
Setup a roundcube Webmail 2016-02-20 22:55:22 +02:00			`listen 443 ssl;`

Apply the BetterCrypto nginx configuration, related to #45 2016-08-19 15:07:16 +02:00			`# TLS configuration hardened according to:`
			`# https://bettercrypto.org/static/applied-crypto-hardening.pdf`
Setup a roundcube Webmail 2016-02-20 22:55:22 +02:00			`ssl_protocols TLSv1.1 TLSv1.2;`
Apply the BetterCrypto nginx configuration, related to #45 2016-08-19 15:07:16 +02:00			`ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA';`
Setup a roundcube Webmail 2016-02-20 22:55:22 +02:00			`ssl_prefer_server_ciphers on;`
			`ssl_session_timeout 5m;`
			`ssl_session_cache shared:SSL:50m;`
Move to Docker Compose and multiple containers 2016-02-24 08:44:49 +02:00			`ssl_certificate /certs/cert.pem;`
			`ssl_certificate_key /certs/key.pem;`
Setup a roundcube Webmail 2016-02-20 22:55:22 +02:00
Apply the BetterCrypto nginx configuration, related to #45 2016-08-19 15:07:16 +02:00			`add_header Strict-Transport-Security max-age=15768000;`

Setup a roundcube Webmail 2016-02-20 22:55:22 +02:00			`if ($scheme = http) {`
			`return 301 https://$host$request_uri;`
			`}`

Proxify to webmail only if enabled, related to #40 2016-09-10 11:45:34 +02:00			`# Load Lua variables`
			`set_by_lua $webmail 'return os.getenv("WEBMAIL")';`

			`# Actual logic`

Move to Docker Compose and multiple containers 2016-02-24 08:44:49 +02:00			`location / {`
Proxify to webmail only if enabled, related to #40 2016-09-10 11:45:34 +02:00			`if ($webmail != none) {`
			`proxy_pass http://webmail;`
			`}`

			`return 403;`
Setup a roundcube Webmail 2016-02-20 22:55:22 +02:00			`}`
Actually bind flask-admin to the mail servers 2016-02-20 21:11:59 +02:00
			`location /admin {`
Use docker links for nginx to resolve properly 2016-04-24 16:27:35 +02:00			`proxy_pass http://admin;`
Actually bind flask-admin to the mail servers 2016-02-20 21:11:59 +02:00			`}`
			`}`
			`}`