git subrepo clone https://github.com/mailcow/mailcow-dockerized.git mailcow/src/mailcow-dockerized
subrepo: subdir: "mailcow/src/mailcow-dockerized"
merged: "a832becb"
upstream: origin: "https://github.com/mailcow/mailcow-dockerized.git"
branch: "master"
commit: "a832becb"
git-subrepo: version: "0.4.3"
origin: "???"
commit: "???"
Change-Id: If5be2d621a211e164c9b6577adaa7884449f16b5
diff --git a/mailcow/src/mailcow-dockerized/data/conf/nginx/000-map-size.conf b/mailcow/src/mailcow-dockerized/data/conf/nginx/000-map-size.conf
new file mode 100644
index 0000000..a834306
--- /dev/null
+++ b/mailcow/src/mailcow-dockerized/data/conf/nginx/000-map-size.conf
@@ -0,0 +1,3 @@
+map_hash_max_size 256;
+map_hash_bucket_size 256;
+
diff --git a/mailcow/src/mailcow-dockerized/data/conf/nginx/dynmaps.conf b/mailcow/src/mailcow-dockerized/data/conf/nginx/dynmaps.conf
new file mode 100644
index 0000000..99c0c6a
--- /dev/null
+++ b/mailcow/src/mailcow-dockerized/data/conf/nginx/dynmaps.conf
@@ -0,0 +1,19 @@
+server {
+ listen 8081;
+ listen [::]:8081;
+ index index.php index.html;
+ server_name _;
+ error_log /var/log/nginx/error.log;
+ access_log /var/log/nginx/access.log;
+ root /dynmaps;
+
+ location ~ \.php$ {
+ try_files $uri =404;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_pass phpfpm:9001;
+ fastcgi_index index.php;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ }
+}
diff --git a/mailcow/src/mailcow-dockerized/data/conf/nginx/includes/site-defaults.conf b/mailcow/src/mailcow-dockerized/data/conf/nginx/includes/site-defaults.conf
new file mode 100644
index 0000000..c4c06b2
--- /dev/null
+++ b/mailcow/src/mailcow-dockerized/data/conf/nginx/includes/site-defaults.conf
@@ -0,0 +1,216 @@
+
+ include /etc/nginx/mime.types;
+ charset utf-8;
+ override_charset on;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
+ ssl_ecdh_curve X25519:X448:secp384r1:secp256k1;
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_timeout 1d;
+ ssl_session_tickets off;
+
+ add_header Strict-Transport-Security "max-age=15768000;";
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Robots-Tag none;
+ add_header X-Download-Options noopen;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Permitted-Cross-Domain-Policies none;
+ add_header Referrer-Policy strict-origin;
+
+ index index.php index.html;
+
+ client_max_body_size 0;
+
+ gzip on;
+ gzip_disable "msie6";
+
+ gzip_vary on;
+ gzip_proxied off;
+ gzip_comp_level 6;
+ gzip_buffers 16 8k;
+ gzip_http_version 1.1;
+ gzip_min_length 256;
+ gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/svg+xml image/x-icon;
+
+ location ~ ^/(fonts|js|css|img)/ {
+ expires max;
+ add_header Cache-Control public;
+ }
+
+ error_log /var/log/nginx/error.log;
+ access_log /var/log/nginx/access.log;
+ fastcgi_hide_header X-Powered-By;
+ absolute_redirect off;
+ root /web;
+
+ location / {
+ try_files $uri $uri/ @strip-ext;
+ }
+
+ location /qhandler {
+ rewrite ^/qhandler/(.*)/(.*) /qhandler.php?action=$1&hash=$2;
+ }
+
+ location /edit {
+ rewrite ^/edit/(.*)/(.*) /edit.php?$1=$2;
+ }
+
+ location @strip-ext {
+ rewrite ^(.*)$ $1.php last;
+ }
+
+ location ~ ^/api/v1/(.*)$ {
+ try_files $uri $uri/ /json_api.php?query=$1;
+ }
+
+ location ^~ /.well-known/acme-challenge/ {
+ allow all;
+ default_type "text/plain";
+ }
+
+ # If behind reverse proxy, forwards the correct IP
+ set_real_ip_from 10.0.0.0/8;
+ set_real_ip_from 172.16.0.0/12;
+ set_real_ip_from 192.168.0.0/16;
+ set_real_ip_from fc00::/7;
+ real_ip_header X-Forwarded-For;
+ real_ip_recursive on;
+
+ rewrite ^/.well-known/caldav$ /SOGo/dav/ permanent;
+ rewrite ^/.well-known/carddav$ /SOGo/dav/ permanent;
+
+ location ^~ /principals {
+ return 301 /SOGo/dav;
+ }
+
+ location ~ \.php$ {
+ try_files $uri =404;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_pass phpfpm:9002;
+ fastcgi_index index.php;
+ include /etc/nginx/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ fastcgi_read_timeout 3600;
+ fastcgi_send_timeout 3600;
+ }
+
+ location /rspamd/ {
+ location /rspamd/auth {
+ # proxy_pass is not inherited
+ proxy_pass http://rspamd:11334/auth;
+ proxy_intercept_errors on;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_redirect off;
+ error_page 403 /_rspamderror.php;
+ }
+ proxy_pass http://rspamd:11334/;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_redirect off;
+ }
+
+ location ~* ^/Autodiscover/Autodiscover.xml {
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_pass phpfpm:9002;
+ include /etc/nginx/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ try_files /autodiscover.php =404;
+ }
+
+ location ~* ^/Autodiscover/Autodiscover.json {
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_pass phpfpm:9002;
+ include /etc/nginx/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ try_files /autodiscover-json.php =404;
+ }
+
+ location ~ /(?:m|M)ail/(?:c|C)onfig-v1.1.xml {
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_pass phpfpm:9002;
+ include /etc/nginx/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ try_files /autoconfig.php =404;
+ }
+
+ # auth_request endpoint if ALLOW_ADMIN_EMAIL_LOGIN is set
+ location /sogo-auth-verify {
+ internal;
+ proxy_set_header X-Original-URI $request_uri;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $http_host;
+ proxy_set_header Content-Length "";
+ proxy_pass http://127.0.0.1:65510/sogo-auth;
+ proxy_pass_request_body off;
+ }
+
+ location ^~ /Microsoft-Server-ActiveSync {
+ include /etc/nginx/conf.d/sogo_proxy_auth.active;
+ include /etc/nginx/conf.d/sogo_eas.active;
+ proxy_connect_timeout 75;
+ proxy_send_timeout 3600;
+ proxy_read_timeout 3600;
+ proxy_buffers 64 256k;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $http_host;
+ client_body_buffer_size 512k;
+ client_max_body_size 0;
+ }
+
+ location ^~ /SOGo {
+ include /etc/nginx/conf.d/sogo_proxy_auth.active;
+ include /etc/nginx/conf.d/sogo.active;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $http_host;
+ proxy_set_header x-webobjects-server-protocol HTTP/1.0;
+ proxy_set_header x-webobjects-remote-host $remote_addr;
+ proxy_set_header x-webobjects-server-name $server_name;
+ proxy_set_header x-webobjects-server-url $client_req_scheme://$http_host;
+ proxy_set_header x-webobjects-server-port $server_port;
+ proxy_send_timeout 3600;
+ proxy_read_timeout 3600;
+ client_body_buffer_size 128k;
+ client_max_body_size 0;
+ break;
+ }
+
+ location ~* /sogo$ {
+ return 301 $client_req_scheme://$http_host/SOGo;
+ }
+
+ location /SOGo.woa/WebServerResources/ {
+ alias /usr/lib/GNUstep/SOGo/WebServerResources/;
+ }
+
+ location /.woa/WebServerResources/ {
+ alias /usr/lib/GNUstep/SOGo/WebServerResources/;
+ }
+
+ location /SOGo/WebServerResources/ {
+ alias /usr/lib/GNUstep/SOGo/WebServerResources/;
+ }
+
+ location (^/SOGo/so/ControlPanel/Products/[^/]*UI/Resources/.*\.(jpg|png|gif|css|js)$) {
+ alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2;
+ }
+
+ include /etc/nginx/conf.d/site.*.custom;
+
+ error_page 502 @awaitingupstream;
+
+ location @awaitingupstream {
+ rewrite ^(.*)$ /_status.502.html break;
+ }
+
+ location ~ ^/cache/(.*)$ {
+ try_files $uri $uri/ /resource.php?file=$1;
+ }
diff --git a/mailcow/src/mailcow-dockerized/data/conf/nginx/meta_exporter.conf b/mailcow/src/mailcow-dockerized/data/conf/nginx/meta_exporter.conf
new file mode 100644
index 0000000..74291b1
--- /dev/null
+++ b/mailcow/src/mailcow-dockerized/data/conf/nginx/meta_exporter.conf
@@ -0,0 +1,19 @@
+server {
+ listen 9081;
+ index index.php index.html;
+ server_name _;
+ error_log /var/log/nginx/error.log;
+ access_log /var/log/nginx/access.log;
+ root /meta_exporter;
+ client_max_body_size 10M;
+ location ~ \.php$ {
+ client_max_body_size 10M;
+ try_files $uri =404;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_pass phpfpm:9001;
+ fastcgi_index pipe.php;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ }
+}
diff --git a/mailcow/src/mailcow-dockerized/data/conf/nginx/site.conf b/mailcow/src/mailcow-dockerized/data/conf/nginx/site.conf
new file mode 100644
index 0000000..d6e6b13
--- /dev/null
+++ b/mailcow/src/mailcow-dockerized/data/conf/nginx/site.conf
@@ -0,0 +1,10 @@
+server_tokens off;
+proxy_cache_path /tmp levels=1:2 keys_zone=sogo:10m inactive=24h max_size=1g;
+server_names_hash_bucket_size 64;
+
+map $http_x_forwarded_proto $client_req_scheme {
+ default $scheme;
+ https https;
+}
+
+include /etc/nginx/conf.d/sites.active;
diff --git a/mailcow/src/mailcow-dockerized/data/conf/nginx/templates/listen_plain.template b/mailcow/src/mailcow-dockerized/data/conf/nginx/templates/listen_plain.template
new file mode 100644
index 0000000..a044b22
--- /dev/null
+++ b/mailcow/src/mailcow-dockerized/data/conf/nginx/templates/listen_plain.template
@@ -0,0 +1,2 @@
+listen ${HTTP_PORT};
+listen [::]:${HTTP_PORT};
diff --git a/mailcow/src/mailcow-dockerized/data/conf/nginx/templates/listen_ssl.template b/mailcow/src/mailcow-dockerized/data/conf/nginx/templates/listen_ssl.template
new file mode 100644
index 0000000..93ec80c
--- /dev/null
+++ b/mailcow/src/mailcow-dockerized/data/conf/nginx/templates/listen_ssl.template
@@ -0,0 +1,2 @@
+listen ${HTTPS_PORT} ssl http2;
+listen [::]:${HTTPS_PORT} ssl http2;
diff --git a/mailcow/src/mailcow-dockerized/data/conf/nginx/templates/server_name.template b/mailcow/src/mailcow-dockerized/data/conf/nginx/templates/server_name.template
new file mode 100644
index 0000000..261a1ec
--- /dev/null
+++ b/mailcow/src/mailcow-dockerized/data/conf/nginx/templates/server_name.template
@@ -0,0 +1 @@
+server_name ${MAILCOW_HOSTNAME} autodiscover.* autoconfig.*;
diff --git a/mailcow/src/mailcow-dockerized/data/conf/nginx/templates/sites.template.sh b/mailcow/src/mailcow-dockerized/data/conf/nginx/templates/sites.template.sh
new file mode 100644
index 0000000..782c814
--- /dev/null
+++ b/mailcow/src/mailcow-dockerized/data/conf/nginx/templates/sites.template.sh
@@ -0,0 +1,38 @@
+echo '
+server {
+ listen 127.0.0.1:65510;
+ include /etc/nginx/conf.d/listen_plain.active;
+ include /etc/nginx/conf.d/listen_ssl.active;
+
+ ssl_certificate /etc/ssl/mail/cert.pem;
+ ssl_certificate_key /etc/ssl/mail/key.pem;
+
+ include /etc/nginx/conf.d/server_name.active;
+
+ include /etc/nginx/conf.d/includes/site-defaults.conf;
+}
+';
+for cert_dir in /etc/ssl/mail/*/ ; do
+ if [[ ! -f ${cert_dir}domains ]] || [[ ! -f ${cert_dir}cert.pem ]] || [[ ! -f ${cert_dir}key.pem ]]; then
+ continue
+ fi
+ # do not create vhost for default-certificate. the cert is already in the default server listen
+ domains="$(cat ${cert_dir}domains | sed -e 's/^[[:space:]]*//')"
+ case "${domains}" in
+ "") continue;;
+ "${MAILCOW_HOSTNAME}"*) continue;;
+ esac
+ echo -n '
+server {
+ include /etc/nginx/conf.d/listen_ssl.active;
+
+ ssl_certificate '${cert_dir}'cert.pem;
+ ssl_certificate_key '${cert_dir}'key.pem;
+';
+ echo -n '
+ server_name '${domains}';
+
+ include /etc/nginx/conf.d/includes/site-defaults.conf;
+}
+';
+done
diff --git a/mailcow/src/mailcow-dockerized/data/conf/nginx/templates/sogo.auth_request.template.sh b/mailcow/src/mailcow-dockerized/data/conf/nginx/templates/sogo.auth_request.template.sh
new file mode 100644
index 0000000..f6d2d98
--- /dev/null
+++ b/mailcow/src/mailcow-dockerized/data/conf/nginx/templates/sogo.auth_request.template.sh
@@ -0,0 +1,10 @@
+if printf "%s\n" "${ALLOW_ADMIN_EMAIL_LOGIN}" | grep -E '^([yY][eE][sS]|[yY])+$' >/dev/null; then
+ echo 'auth_request /sogo-auth-verify;
+auth_request_set $user $upstream_http_x_user;
+auth_request_set $auth $upstream_http_x_auth;
+auth_request_set $auth_type $upstream_http_x_auth_type;
+proxy_set_header x-webobjects-remote-user "$user";
+proxy_set_header Authorization "$auth";
+proxy_set_header x-webobjects-auth-type "$auth_type";
+'
+fi
diff --git a/mailcow/src/mailcow-dockerized/data/conf/nginx/templates/sogo.template b/mailcow/src/mailcow-dockerized/data/conf/nginx/templates/sogo.template
new file mode 100644
index 0000000..2c08438
--- /dev/null
+++ b/mailcow/src/mailcow-dockerized/data/conf/nginx/templates/sogo.template
@@ -0,0 +1 @@
+proxy_pass http://${IPV4_NETWORK}.248:20000;
diff --git a/mailcow/src/mailcow-dockerized/data/conf/nginx/templates/sogo_eas.template.sh b/mailcow/src/mailcow-dockerized/data/conf/nginx/templates/sogo_eas.template.sh
new file mode 100644
index 0000000..b241ef0
--- /dev/null
+++ b/mailcow/src/mailcow-dockerized/data/conf/nginx/templates/sogo_eas.template.sh
@@ -0,0 +1,5 @@
+if printf "%s\n" "${SKIP_SOGO}" | grep -E '^([yY][eE][sS]|[yY])+$' >/dev/null; then
+ echo "return 410;"
+else
+ echo "proxy_pass http://${IPV4_NETWORK}.248:20000/SOGo/Microsoft-Server-ActiveSync;"
+fi