Adding options for mail-letsencrypt

core/nginx/conf/nginx.conf

@@ -20,6 +20,14 @@ http {
     absolute_redirect off;
     resolver {{ RESOLVER }} valid=30s;
 
+    {% if REAL_IP_HEADER %}
+    real_ip_header {{ REAL_IP_HEADER }};
+    {% endif %}
+
+    {% if REAL_IP_FROM %}{% for from_ip in REAL_IP_FROM.split(',') %}
+    set_real_ip_from {{ from_ip }};
+    {% endfor %}{% endif %}
+
     # Header maps
     map $http_x_forwarded_proto $proxy_x_forwarded_proto {
       default $http_x_forwarded_proto;
@@ -45,17 +53,23 @@ http {
 
       include /etc/nginx/tls.conf;
       ssl_session_cache shared:SSLHTTP:50m;
-      add_header Strict-Transport-Security max-age=15768000;
+      add_header Strict-Transport-Security 'max-age=31536000';
 
-      {% if not TLS_FLAVOR == "mail" %}
-      if ($scheme = http) {
+      {% if not TLS_FLAVOR in [ 'mail', 'mail-letsencrypt' ] %}
+      if ($proxy_x_forwarded_proto = http) {
         return 301 https://$host$request_uri;
       }
       {% endif %}
       {% endif %}
 
+      add_header X-Frame-Options 'DENY';
+      add_header X-Content-Type-Options 'nosniff';
+      add_header X-Permitted-Cross-Domain-Policies 'none';
+      add_header X-XSS-Protection '1; mode=block';
+      add_header Referrer-Policy 'same-origin';
+
       # In any case, enable the proxy for certbot if the flavor is letsencrypt
-      {% if TLS_FLAVOR == 'letsencrypt' %}
+      {% if TLS_FLAVOR in [ 'letsencrypt', 'mail-letsencrypt' ] %}
       location ^~ /.well-known/acme-challenge/ {
           proxy_pass http://127.0.0.1:8008;
       }