Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- # configuration file /etc/nginx/nginx.conf:
- # Basic configuration
- user nginx;
- worker_processes auto;
- error_log /dev/stderr info;
- pid /var/run/nginx.pid;
- load_module "modules/ngx_mail_module.so";
- events {
- worker_connections 1024;
- }
- http {
- # Standard HTTP configuration with slight hardening
- include /etc/nginx/mime.types;
- default_type application/octet-stream;
- access_log /dev/stdout;
- sendfile on;
- keepalive_timeout 65;
- server_tokens off;
- absolute_redirect off;
- resolver 127.0.0.11 valid=30s;
- # Header maps
- map $http_x_forwarded_proto $proxy_x_forwarded_proto {
- default $http_x_forwarded_proto;
- '' $scheme;
- }
- # Main HTTP server
- server {
- # Variables for proxifying
- set $admin admin;
- set $antispam antispam:11334;
- set $webmail webmail;
- set $webdav webdav:5232;
- # Always listen over HTTP
- listen 80;
- listen [::]:80;
- # Only enable HTTPS if TLS is enabled with no error
- listen 443 ssl;
- listen [::]:443 ssl;
- include /etc/nginx/tls.conf;
- ssl_session_cache shared:SSLHTTP:50m;
- add_header Strict-Transport-Security max-age=15768000;
- if ($scheme = http) {
- return 301 https://$host$request_uri;
- }
- # In any case, enable the proxy for certbot if the flavor is letsencrypt
- location ^~ /.well-known/acme-challenge/ {
- proxy_pass http://127.0.0.1:8008;
- }
- # If TLS is failing, prevent access to anything except certbot
- # Actual logic
- location / {
- return 301 /webmail;
- }
- location /webmail {
- rewrite ^(/webmail)$ $1/ permanent;
- rewrite ^/webmail/(.*) /$1 break;
- include /etc/nginx/proxy.conf;
- client_max_body_size 30M;
- proxy_pass http://$webmail;
- }
- location /admin {
- return 301 /admin/ui;
- }
- location ~ /admin/(ui|static) {
- rewrite ^/admin/(.*) /$1 break;
- include /etc/nginx/proxy.conf;
- proxy_set_header X-Forwarded-Prefix /admin;
- proxy_pass http://$admin;
- }
- location /admin/antispam {
- rewrite ^/admin/antispam/(.*) /$1 break;
- auth_request /internal/auth/admin;
- proxy_set_header X-Real-IP "";
- proxy_set_header X-Forwarded-For "";
- proxy_pass http://$antispam;
- }
- location /internal {
- internal;
- proxy_set_header Authorization $http_authorization;
- proxy_pass_header Authorization;
- proxy_pass http://$admin;
- proxy_pass_request_body off;
- proxy_set_header Content-Length "";
- }
- }
- # Forwarding authentication server
- server {
- # Variables for proxifying
- set $admin admin;
- listen 127.0.0.1:8000;
- location / {
- proxy_pass http://$admin/internal$request_uri;
- }
- }
- }
- mail {
- server_name rescopa.com;
- auth_http http://127.0.0.1:8000/auth/email;
- proxy_pass_error_message on;
- include /etc/nginx/tls.conf;
- ssl_session_cache shared:SSLMAIL:50m;
- # Default SMTP server for the webmail (no encryption, but authentication)
- server {
- listen 10025;
- protocol smtp;
- smtp_auth plain;
- }
- # Default IMAP server for the webmail (no encryption, but authentication)
- server {
- listen 10143;
- protocol imap;
- smtp_auth plain;
- }
- # SMTP is always enabled, to avoid losing emails when TLS is failing
- server {
- listen 25;
- listen [::]:25;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
- starttls on;
- protocol smtp;
- smtp_auth none;
- }
- # All other protocols are disabled if TLS is failing
- server {
- listen 143;
- listen [::]:143;
- starttls only;
- protocol imap;
- imap_auth plain;
- }
- server {
- listen 110;
- listen [::]:110;
- starttls only;
- protocol pop3;
- pop3_auth plain;
- }
- server {
- listen 587;
- listen [::]:587;
- starttls only;
- protocol smtp;
- smtp_auth plain;
- }
- server {
- listen 465 ssl;
- listen [::]:465 ssl;
- protocol smtp;
- smtp_auth plain;
- }
- server {
- listen 993 ssl;
- listen [::]:993 ssl;
- protocol imap;
- imap_auth plain;
- }
- server {
- listen 995 ssl;
- listen [::]:995 ssl;
- protocol pop3;
- pop3_auth plain;
- }
- }
- # configuration file /etc/nginx/mime.types:
- types {
- text/html html htm shtml;
- text/css css;
- text/xml xml;
- image/gif gif;
- image/jpeg jpeg jpg;
- application/javascript js;
- application/atom+xml atom;
- application/rss+xml rss;
- text/mathml mml;
- text/plain txt;
- text/vnd.sun.j2me.app-descriptor jad;
- text/vnd.wap.wml wml;
- text/x-component htc;
- image/png png;
- image/tiff tif tiff;
- image/vnd.wap.wbmp wbmp;
- image/x-icon ico;
- image/x-jng jng;
- image/x-ms-bmp bmp;
- image/svg+xml svg svgz;
- image/webp webp;
- application/font-woff woff;
- application/java-archive jar war ear;
- application/json json;
- application/mac-binhex40 hqx;
- application/msword doc;
- application/pdf pdf;
- application/postscript ps eps ai;
- application/rtf rtf;
- application/vnd.apple.mpegurl m3u8;
- application/vnd.ms-excel xls;
- application/vnd.ms-fontobject eot;
- application/vnd.ms-powerpoint ppt;
- application/vnd.wap.wmlc wmlc;
- application/vnd.google-earth.kml+xml kml;
- application/vnd.google-earth.kmz kmz;
- application/x-7z-compressed 7z;
- application/x-cocoa cco;
- application/x-java-archive-diff jardiff;
- application/x-java-jnlp-file jnlp;
- application/x-makeself run;
- application/x-perl pl pm;
- application/x-pilot prc pdb;
- application/x-rar-compressed rar;
- application/x-redhat-package-manager rpm;
- application/x-sea sea;
- application/x-shockwave-flash swf;
- application/x-stuffit sit;
- application/x-tcl tcl tk;
- application/x-x509-ca-cert der pem crt;
- application/x-xpinstall xpi;
- application/xhtml+xml xhtml;
- application/xspf+xml xspf;
- application/zip zip;
- application/octet-stream bin exe dll;
- application/octet-stream deb;
- application/octet-stream dmg;
- application/octet-stream iso img;
- application/octet-stream msi msp msm;
- application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
- application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
- application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
- audio/midi mid midi kar;
- audio/mpeg mp3;
- audio/ogg ogg;
- audio/x-m4a m4a;
- audio/x-realaudio ra;
- video/3gpp 3gpp 3gp;
- video/mp2t ts;
- video/mp4 mp4;
- video/mpeg mpeg mpg;
- video/quicktime mov;
- video/webm webm;
- video/x-flv flv;
- video/x-m4v m4v;
- video/x-mng mng;
- video/x-ms-asf asx asf;
- video/x-ms-wmv wmv;
- video/x-msvideo avi;
- }
- # configuration file /etc/nginx/tls.conf:
- ssl_protocols TLSv1.1 TLSv1.2;
- ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384';
- ssl_prefer_server_ciphers on;
- ssl_session_timeout 10m;
- ssl_certificate /certs/letsencrypt/live/mailu/fullchain.pem;
- ssl_certificate_key /certs/letsencrypt/live/mailu/privkey.pem;
- ssl_dhparam /certs/dhparam.pem;
- # configuration file /etc/nginx/proxy.conf:
- # Default proxy setup
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement