mirror of
https://github.com/mailcow/mailcow-dockerized.git
synced 2025-01-10 04:18:10 +02:00
277 lines
8.7 KiB
Django/Jinja
277 lines
8.7 KiB
Django/Jinja
include /etc/nginx/mime.types;
|
|
charset utf-8;
|
|
override_charset on;
|
|
|
|
server_tokens off;
|
|
|
|
ssl_protocols TLSv1.2 TLSv1.3;
|
|
ssl_prefer_server_ciphers on;
|
|
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
|
|
ssl_ecdh_curve X25519:X448:secp384r1:secp256k1;
|
|
ssl_session_cache shared:SSL:50m;
|
|
ssl_session_timeout 1d;
|
|
ssl_session_tickets off;
|
|
|
|
add_header Strict-Transport-Security "max-age=15768000;";
|
|
add_header X-Content-Type-Options nosniff;
|
|
add_header X-XSS-Protection "1; mode=block";
|
|
add_header X-Robots-Tag none;
|
|
add_header X-Download-Options noopen;
|
|
add_header X-Frame-Options "SAMEORIGIN" always;
|
|
add_header X-Permitted-Cross-Domain-Policies none;
|
|
add_header Referrer-Policy strict-origin;
|
|
|
|
index index.php index.html;
|
|
|
|
client_max_body_size 0;
|
|
|
|
gzip on;
|
|
gzip_disable "msie6";
|
|
|
|
gzip_vary on;
|
|
gzip_proxied off;
|
|
gzip_comp_level 6;
|
|
gzip_buffers 16 8k;
|
|
gzip_http_version 1.1;
|
|
gzip_min_length 256;
|
|
gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/svg+xml image/x-icon;
|
|
|
|
location ~ ^/(fonts|js|css|img)/ {
|
|
expires max;
|
|
add_header Cache-Control public;
|
|
}
|
|
|
|
error_log /var/log/nginx/error.log;
|
|
access_log /var/log/nginx/access.log;
|
|
fastcgi_hide_header X-Powered-By;
|
|
absolute_redirect off;
|
|
root /web;
|
|
|
|
# If behind reverse proxy, forwards the correct IP
|
|
set_real_ip_from 10.0.0.0/8;
|
|
set_real_ip_from 172.16.0.0/12;
|
|
set_real_ip_from 192.168.0.0/16;
|
|
set_real_ip_from fc00::/7;
|
|
{% if not TRUSTED_NETWORK %}
|
|
real_ip_header X-Forwarded-For;
|
|
{% else %}
|
|
set_real_ip_from {{ TRUSTED_NETWORK }};
|
|
real_ip_header proxy_protocol;
|
|
{% endif %}
|
|
real_ip_recursive on;
|
|
|
|
|
|
location @strip-ext {
|
|
rewrite ^(.*)$ $1.php last;
|
|
}
|
|
|
|
location ^~ /inc/lib/ {
|
|
deny all;
|
|
return 403;
|
|
}
|
|
|
|
location ^~ /.well-known/acme-challenge/ {
|
|
allow all;
|
|
default_type "text/plain";
|
|
}
|
|
|
|
rewrite ^/.well-known/caldav$ /SOGo/dav/ permanent;
|
|
rewrite ^/.well-known/carddav$ /SOGo/dav/ permanent;
|
|
|
|
|
|
location / {
|
|
try_files $uri $uri/ @strip-ext;
|
|
}
|
|
|
|
location /qhandler {
|
|
rewrite ^/qhandler/(.*)/(.*) /qhandler.php?action=$1&hash=$2;
|
|
}
|
|
|
|
location /edit {
|
|
rewrite ^/edit/(.*)/(.*) /edit.php?$1=$2;
|
|
}
|
|
|
|
location ~ ^/api/v1/(.*)$ {
|
|
try_files $uri $uri/ /json_api.php?query=$1&$args;
|
|
}
|
|
|
|
location ~ ^/cache/(.*)$ {
|
|
try_files $uri $uri/ /resource.php?file=$1;
|
|
}
|
|
|
|
location ~ \.php$ {
|
|
try_files $uri =404;
|
|
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
|
fastcgi_pass {{ PHPFPMHOST }}:9002;
|
|
fastcgi_index index.php;
|
|
include /etc/nginx/fastcgi_params;
|
|
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
|
fastcgi_param PATH_INFO $fastcgi_path_info;
|
|
fastcgi_read_timeout 3600;
|
|
fastcgi_send_timeout 3600;
|
|
}
|
|
|
|
location ~* ^/Autodiscover/Autodiscover.xml {
|
|
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
|
fastcgi_pass {{ PHPFPMHOST }}:9002;
|
|
include /etc/nginx/fastcgi_params;
|
|
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
|
try_files /autodiscover.php =404;
|
|
}
|
|
|
|
location ~* ^/Autodiscover/Autodiscover.json {
|
|
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
|
fastcgi_pass {{ PHPFPMHOST }}:9002;
|
|
include /etc/nginx/fastcgi_params;
|
|
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
|
try_files /autodiscover-json.php =404;
|
|
}
|
|
|
|
location ~ /(?:m|M)ail/(?:c|C)onfig-v1.1.xml {
|
|
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
|
fastcgi_pass {{ PHPFPMHOST }}:9002;
|
|
include /etc/nginx/fastcgi_params;
|
|
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
|
try_files /autoconfig.php =404;
|
|
}
|
|
|
|
{% if not SKIP_RSPAMD %}
|
|
location /rspamd/ {
|
|
proxy_pass http://{{ RSPAMDHOST }}:11334/;
|
|
proxy_set_header Host $http_host;
|
|
proxy_set_header X-Forwarded-For {% if not NGINX_USE_PROXY_PROTOCOL %}$proxy_add_x_forwarded_for{% else %}$proxy_protocol_addr{%endif%};
|
|
proxy_set_header X-Real-IP {% if not NGINX_USE_PROXY_PROTOCOL %}$remote_addr{% else %}$proxy_protocol_addr{%endif%};
|
|
proxy_redirect off;
|
|
proxy_intercept_errors on;
|
|
error_page 401 /_rspamderror.php;
|
|
}
|
|
{% endif %}
|
|
|
|
{% if not SKIP_SOGO %}
|
|
location ^~ /principals {
|
|
return 301 /SOGo/dav;
|
|
}
|
|
|
|
location /sogo-auth-verify {
|
|
internal;
|
|
proxy_set_header X-Original-URI $request_uri;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header Host $http_host;
|
|
proxy_set_header Content-Length "";
|
|
proxy_pass http://127.0.0.1:65510/sogo-auth;
|
|
proxy_pass_request_body off;
|
|
}
|
|
|
|
location ^~ /Microsoft-Server-ActiveSync {
|
|
auth_request /sogo-auth-verify;
|
|
auth_request_set $user $upstream_http_x_user;
|
|
auth_request_set $auth $upstream_http_x_auth;
|
|
auth_request_set $auth_type $upstream_http_x_auth_type;
|
|
proxy_set_header x-webobjects-remote-user "$user";
|
|
proxy_set_header Authorization "$auth";
|
|
proxy_set_header x-webobjects-auth-type "$auth_type";
|
|
|
|
proxy_pass http://{{ SOGOHOST }}:20000/SOGo/Microsoft-Server-ActiveSync;
|
|
|
|
proxy_set_header X-Forwarded-For {% if not NGINX_USE_PROXY_PROTOCOL %}$proxy_add_x_forwarded_for{% else %}$proxy_protocol_addr{%endif%};
|
|
proxy_set_header X-Real-IP {% if not NGINX_USE_PROXY_PROTOCOL %}$remote_addr{% else %}$proxy_protocol_addr{%endif%};
|
|
proxy_connect_timeout 75;
|
|
proxy_send_timeout 3600;
|
|
proxy_read_timeout 3600;
|
|
proxy_buffer_size 128k;
|
|
proxy_buffers 64 512k;
|
|
proxy_busy_buffers_size 512k;
|
|
proxy_set_header Host $http_host;
|
|
client_body_buffer_size 512k;
|
|
client_max_body_size 0;
|
|
}
|
|
|
|
location ^~ /SOGo {
|
|
location ~* ^/SOGo/so/.*\.(xml|js|html|xhtml)$ {
|
|
auth_request /sogo-auth-verify;
|
|
auth_request_set $user $upstream_http_x_user;
|
|
auth_request_set $auth $upstream_http_x_auth;
|
|
auth_request_set $auth_type $upstream_http_x_auth_type;
|
|
proxy_set_header x-webobjects-remote-user "$user";
|
|
proxy_set_header Authorization "$auth";
|
|
proxy_set_header x-webobjects-auth-type "$auth_type";
|
|
|
|
proxy_pass http://{{ SOGOHOST }}:20000;
|
|
|
|
proxy_set_header X-Forwarded-For {% if not NGINX_USE_PROXY_PROTOCOL %}$proxy_add_x_forwarded_for{% else %}$proxy_protocol_addr{%endif%};
|
|
proxy_set_header X-Real-IP {% if not NGINX_USE_PROXY_PROTOCOL %}$remote_addr{% else %}$proxy_protocol_addr{%endif%};
|
|
proxy_set_header Host $http_host;
|
|
proxy_set_header x-webobjects-server-protocol HTTP/1.0;
|
|
proxy_set_header x-webobjects-remote-host $remote_addr;
|
|
proxy_set_header x-webobjects-server-name $server_name;
|
|
proxy_set_header x-webobjects-server-url $client_req_scheme://$http_host;
|
|
proxy_set_header x-webobjects-server-port $server_port;
|
|
proxy_hide_header Content-Type;
|
|
add_header Content-Type text/plain;
|
|
break;
|
|
}
|
|
auth_request /sogo-auth-verify;
|
|
auth_request_set $user $upstream_http_x_user;
|
|
auth_request_set $auth $upstream_http_x_auth;
|
|
auth_request_set $auth_type $upstream_http_x_auth_type;
|
|
proxy_set_header x-webobjects-remote-user "$user";
|
|
proxy_set_header Authorization "$auth";
|
|
proxy_set_header x-webobjects-auth-type "$auth_type";
|
|
|
|
proxy_pass http://{{ SOGOHOST }}:20000;
|
|
|
|
proxy_set_header X-Forwarded-For {% if not NGINX_USE_PROXY_PROTOCOL %}$proxy_add_x_forwarded_for{% else %}$proxy_protocol_addr{%endif%};
|
|
proxy_set_header X-Real-IP {% if not NGINX_USE_PROXY_PROTOCOL %}$remote_addr{% else %}$proxy_protocol_addr{%endif%};
|
|
proxy_set_header Host $http_host;
|
|
proxy_set_header x-webobjects-server-protocol HTTP/1.0;
|
|
proxy_set_header x-webobjects-remote-host $remote_addr;
|
|
proxy_set_header x-webobjects-server-name $server_name;
|
|
proxy_set_header x-webobjects-server-url $client_req_scheme://$http_host;
|
|
proxy_set_header x-webobjects-server-port $server_port;
|
|
proxy_buffer_size 128k;
|
|
proxy_buffers 64 512k;
|
|
proxy_busy_buffers_size 512k;
|
|
proxy_send_timeout 3600;
|
|
proxy_read_timeout 3600;
|
|
client_body_buffer_size 128k;
|
|
client_max_body_size 0;
|
|
break;
|
|
}
|
|
|
|
location ~* /sogo$ {
|
|
return 301 $client_req_scheme://$http_host/SOGo;
|
|
}
|
|
|
|
location /SOGo.woa/WebServerResources/ {
|
|
alias /usr/lib/GNUstep/SOGo/WebServerResources/;
|
|
}
|
|
|
|
location /.woa/WebServerResources/ {
|
|
alias /usr/lib/GNUstep/SOGo/WebServerResources/;
|
|
}
|
|
|
|
location /SOGo/WebServerResources/ {
|
|
alias /usr/lib/GNUstep/SOGo/WebServerResources/;
|
|
}
|
|
|
|
location (^/SOGo/so/ControlPanel/Products/[^/]*UI/Resources/.*\.(jpg|png|gif|css|js)$) {
|
|
alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2;
|
|
}
|
|
{% endif %}
|
|
|
|
|
|
include /etc/nginx/conf.d/site.*.custom;
|
|
|
|
error_page 502 @awaitingupstream;
|
|
|
|
location @awaitingupstream {
|
|
rewrite ^(.*)$ /_status.502.html break;
|
|
}
|
|
|
|
location ~* \.php$ {
|
|
return 404;
|
|
}
|
|
location ~* \.twig$ {
|
|
return 404;
|
|
}
|