# configuration file /etc/nginx/nginx.conf:
# Basic configuration
# Account the worker processes run as; the privileged ports bound further
# down (80/443/25/...) are opened before the switch to this user.
user nginx;
worker_processes auto;
# Logs go to the container's stderr/stdout instead of files on disk.
error_log /dev/stderr info;
pid /var/run/nginx.pid;
# The mail proxy is a dynamic module; it has to be loaded here so the
# "mail { }" block at the end of this file is understood.
load_module "modules/ngx_mail_module.so";
  8.  
# Per-worker connection limit; shared by HTTP and mail connections.
events {
    worker_connections 1024;
}
  12.  
  13. http {
# Standard HTTP configuration with slight hardening
# Only relevant when nginx serves a file itself; every location in this
# file proxies or redirects.
include /etc/nginx/mime.types;
default_type application/octet-stream;
access_log /dev/stdout;
sendfile on;
keepalive_timeout 65;
# Hide the nginx version in the Server header and on error pages.
server_tokens off;
# nginx's own redirects carry a path-only Location header.
absolute_redirect off;
# The proxy targets below are set through variables, so nginx resolves
# them at request time with this resolver (127.0.0.11 is the address
# Docker's embedded DNS answers on); valid=30s bounds how long a
# re-created container can be reached at a stale address.
resolver 127.0.0.11 valid=30s;

# Header maps
# X-Forwarded-Proto handed to backends (see proxy.conf): the client's own
# header when it sent one, otherwise the scheme of this connection.  The
# client's value is passed through unverified.  NOTE(review): this is
# only safe while this nginx is the edge (all of port 80 is redirected
# before any backend is reached) or a proxy in front overwrites the
# header; if the deployment changes, replace "default" with $scheme.
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
    default $http_x_forwarded_proto;
    '' $scheme;
}
  29.  
  30. # Main HTTP server
  31. server {
  32. # Variables for proxifying
  33. set $admin admin;
  34. set $antispam antispam:11334;
  35. set $webmail webmail;
  36. set $webdav webdav:5232;
  37.  
  38. # Always listen over HTTP
  39. listen 80;
  40. listen [::]:80;
  41.  
  42. # Only enable HTTPS if TLS is enabled with no error
  43.  
  44. listen 443 ssl;
  45. listen [::]:443 ssl;
  46.  
  47. include /etc/nginx/tls.conf;
  48. ssl_session_cache shared:SSLHTTP:50m;
  49. add_header Strict-Transport-Security max-age=15768000;
  50.  
  51.  
  52. if ($scheme = http) {
  53. return 301 https://$host$request_uri;
  54. }
  55.  
  56.  
  57.  
  58. # In any case, enable the proxy for certbot if the flavor is letsencrypt
  59.  
  60. location ^~ /.well-known/acme-challenge/ {
  61. proxy_pass http://127.0.0.1:8008;
  62. }
  63.  
  64.  
  65. # If TLS is failing, prevent access to anything except certbot
  66.  
  67.  
  68. # Actual logic
  69.  
  70. location / {
  71. return 301 /webmail;
  72. }
  73.  
  74. location /webmail {
  75. rewrite ^(/webmail)$ $1/ permanent;
  76. rewrite ^/webmail/(.*) /$1 break;
  77. include /etc/nginx/proxy.conf;
  78. client_max_body_size 30M;
  79. proxy_pass http://$webmail;
  80. }
  81.  
  82.  
  83.  
  84. location /admin {
  85. return 301 /admin/ui;
  86. }
  87.  
  88. location ~ /admin/(ui|static) {
  89. rewrite ^/admin/(.*) /$1 break;
  90. include /etc/nginx/proxy.conf;
  91. proxy_set_header X-Forwarded-Prefix /admin;
  92. proxy_pass http://$admin;
  93. }
  94.  
  95. location /admin/antispam {
  96. rewrite ^/admin/antispam/(.*) /$1 break;
  97. auth_request /internal/auth/admin;
  98. proxy_set_header X-Real-IP "";
  99. proxy_set_header X-Forwarded-For "";
  100. proxy_pass http://$antispam;
  101. }
  102.  
  103.  
  104.  
  105.  
  106.  
  107. location /internal {
  108. internal;
  109.  
  110. proxy_set_header Authorization $http_authorization;
  111. proxy_pass_header Authorization;
  112. proxy_pass http://$admin;
  113. proxy_pass_request_body off;
  114. proxy_set_header Content-Length "";
  115. }
  116. }
  117.  
# Forwarding authentication server
# Loopback-only helper for the mail proxy's auth_http (mail block below):
# every request to 127.0.0.1:8000/... is forwarded to the admin service
# under /internal/..., so /auth/email becomes /internal/auth/email.
# Bound to 127.0.0.1, it is reachable only from this container's network
# namespace - NOTE(review): confirm the loopback is not shared.
server {
    # Variables for proxifying
    set $admin admin;

    listen 127.0.0.1:8000;

    location / {
        proxy_pass http://$admin/internal$request_uri;
    }
}
  129. }
  130.  
  131. mail {
# Mail proxy: nginx terminates SMTP/IMAP/POP3 and asks the auth backend
# for each session where (and as whom) to proxy it.
# Name used in the initial greeting sent to mail clients.
server_name rescopa.com;
# Auth backend, reached through the 127.0.0.1:8000 server in the http
# block, which forwards it to /internal/auth/email on the admin service.
# NOTE(review): the nginx auth_http protocol carries the credentials in
# request headers over plain HTTP, so this path must stay confined to
# the private container network.
auth_http http://127.0.0.1:8000/auth/email;
# Relay the backend's authentication error message to the client as-is.
proxy_pass_error_message on;

include /etc/nginx/tls.conf;
# Separate session cache from the HTTP server's.
ssl_session_cache shared:SSLMAIL:50m;
  139.  
  140.  
# Default SMTP server for the webmail (no encryption, but authentication)
# No address given, so this binds every interface; with plaintext PLAIN
# auth it must only be reachable from the internal network.
# NOTE(review): confirm the port is not published outside the container.
server {
    listen 10025;
    protocol smtp;
    smtp_auth plain;
}
  147.  
  148. # Default IMAP server for the webmail (no encryption, but authentication)
  149. server {
  150. listen 10143;
  151. protocol imap;
  152. smtp_auth plain;
  153. }
  154.  
# SMTP is always enabled, to avoid losing emails when TLS is failing
# Inbound MX listener.  Other mail servers deliver here, so TLS is
# opportunistic (STARTTLS offered, never required) and the protocol and
# cipher lists below override tls.conf for this listener only, to stay
# compatible with old senders.  TLS 1.0/1.1 and the *-DES-CBC3-SHA
# (3DES) suites are weak, but on this port the alternative for such a
# peer is plaintext.  Note that "!DES" removes single DES only; the 3DES
# suites stay because they are listed by name ("!3DES" would drop them).
# Tighten deliberately if the senders you must accept are known to do
# better.
server {
    listen 25;
    listen [::]:25;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    # Offer STARTTLS but accept plaintext sessions too.
    starttls on;

    protocol smtp;
    # No SMTP AUTH on port 25; authenticated submission is on 587/465.
    # nginx only proxies; any relay policy lives in the backend.
    smtp_auth none;
}
  167.  
# All other protocols are disabled if TLS is failing

# IMAP with mandatory STARTTLS: "starttls only" requires the TLS
# transition before anything else, so credentials never cross this
# port in clear.
server {
    listen 143;
    listen [::]:143;

    starttls only;

    protocol imap;
    imap_auth plain;
}
  179.  
# POP3 with mandatory STARTTLS (see the IMAP listener above).
server {
    listen 110;
    listen [::]:110;

    starttls only;

    protocol pop3;
    pop3_auth plain;
}
  189.  
# Submission with mandatory STARTTLS; only the PLAIN mechanism is
# offered, and only after the TLS transition.
server {
    listen 587;
    listen [::]:587;

    starttls only;

    protocol smtp;
    smtp_auth plain;
}
  199.  
  200.  
# Submission over implicit TLS; settings come from tls.conf.
server {
    listen 465 ssl;
    listen [::]:465 ssl;
    protocol smtp;
    smtp_auth plain;
}
  207.  
# IMAP over implicit TLS; settings come from tls.conf.
server {
    listen 993 ssl;
    listen [::]:993 ssl;
    protocol imap;
    imap_auth plain;
}
  214.  
# POP3 over implicit TLS; settings come from tls.conf.
server {
    listen 995 ssl;
    listen [::]:995 ssl;
    protocol pop3;
    pop3_auth plain;
}
  221.  
  222.  
  223. }
# configuration file /etc/nginx/mime.types:
# Stock extension -> Content-Type table.  It is only consulted when nginx
# serves a file itself; every location in nginx.conf proxies or
# redirects, so in this deployment it is effectively inert.

types {
    text/html html htm shtml;
    text/css css;
    text/xml xml;
    image/gif gif;
    image/jpeg jpeg jpg;
    application/javascript js;
    application/atom+xml atom;
    application/rss+xml rss;

    text/mathml mml;
    text/plain txt;
    text/vnd.sun.j2me.app-descriptor jad;
    text/vnd.wap.wml wml;
    text/x-component htc;

    image/png png;
    image/tiff tif tiff;
    image/vnd.wap.wbmp wbmp;
    image/x-icon ico;
    image/x-jng jng;
    image/x-ms-bmp bmp;
    image/svg+xml svg svgz;
    image/webp webp;

    application/font-woff woff;
    application/java-archive jar war ear;
    application/json json;
    application/mac-binhex40 hqx;
    application/msword doc;
    application/pdf pdf;
    application/postscript ps eps ai;
    application/rtf rtf;
    application/vnd.apple.mpegurl m3u8;
    application/vnd.ms-excel xls;
    application/vnd.ms-fontobject eot;
    application/vnd.ms-powerpoint ppt;
    application/vnd.wap.wmlc wmlc;
    application/vnd.google-earth.kml+xml kml;
    application/vnd.google-earth.kmz kmz;
    application/x-7z-compressed 7z;
    application/x-cocoa cco;
    application/x-java-archive-diff jardiff;
    application/x-java-jnlp-file jnlp;
    application/x-makeself run;
    application/x-perl pl pm;
    application/x-pilot prc pdb;
    application/x-rar-compressed rar;
    application/x-redhat-package-manager rpm;
    application/x-sea sea;
    application/x-shockwave-flash swf;
    application/x-stuffit sit;
    application/x-tcl tcl tk;
    application/x-x509-ca-cert der pem crt;
    application/x-xpinstall xpi;
    application/xhtml+xml xhtml;
    application/xspf+xml xspf;
    application/zip zip;

    application/octet-stream bin exe dll;
    application/octet-stream deb;
    application/octet-stream dmg;
    application/octet-stream iso img;
    application/octet-stream msi msp msm;

    application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;

    audio/midi mid midi kar;
    audio/mpeg mp3;
    audio/ogg ogg;
    audio/x-m4a m4a;
    audio/x-realaudio ra;

    video/3gpp 3gpp 3gp;
    video/mp2t ts;
    video/mp4 mp4;
    video/mpeg mpeg mpg;
    video/quicktime mov;
    video/webm webm;
    video/x-flv flv;
    video/x-m4v m4v;
    video/x-mng mng;
    video/x-ms-asf asx asf;
    video/x-ms-wmv wmv;
    video/x-msvideo avi;
}
  314.  
  315. # configuration file /etc/nginx/tls.conf:
  316. ssl_protocols TLSv1.1 TLSv1.2;
  317. ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384';
  318. ssl_prefer_server_ciphers on;
  319. ssl_session_timeout 10m;
  320. ssl_certificate /certs/letsencrypt/live/mailu/fullchain.pem;
  321. ssl_certificate_key /certs/letsencrypt/live/mailu/privkey.pem;
  322. ssl_dhparam /certs/dhparam.pem;
# configuration file /etc/nginx/proxy.conf:
# Default proxy setup
# Included by the webmail and admin ui/static locations so the backend
# sees the original request context; the antispam location does not
# include it and blanks the client-address headers instead.
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
# $proxy_add_x_forwarded_for appends $remote_addr to whatever
# X-Forwarded-For the client sent, so a backend must read the last
# element, not the first.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# From the map in nginx.conf: the client's own X-Forwarded-Proto when
# present, $scheme otherwise - i.e. client-controlled.  NOTE(review):
# acceptable only while this nginx is the edge (port 80 is fully
# redirected before any backend is reached); revisit if a proxy is ever
# placed in front.
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;