Gitiles
Code Review Sign In
gerrit.benkard.de / kubeia / d382359117583c309238ad067e84411c5d6e1d7d / . / mailcow / src / mailcow-dockerized / data / conf / nginx / includes / site-defaults.conf
blob: ef2c4fb856f96f24878162d3e6f60c6b2d4b4337 [file] [log] [blame]
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +0100[diff] [blame]1
2 include /etc/nginx/mime.types;
3 charset utf-8;
4 override_charset on;
5
Matthias Andreas Benkard7b2a3a12021-08-16 10:57:25 +0200[diff] [blame]6 server_tokens off;
7
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +0100[diff] [blame]8 ssl_protocols TLSv1.2 TLSv1.3;
9 ssl_prefer_server_ciphers on;
10 ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
11 ssl_ecdh_curve X25519:X448:secp384r1:secp256k1;
12 ssl_session_cache shared:SSL:50m;
13 ssl_session_timeout 1d;
14 ssl_session_tickets off;
15
16 add_header Strict-Transport-Security "max-age=15768000;";
17 add_header X-Content-Type-Options nosniff;
18 add_header X-XSS-Protection "1; mode=block";
19 add_header X-Robots-Tag none;
20 add_header X-Download-Options noopen;
21 add_header X-Frame-Options "SAMEORIGIN" always;
22 add_header X-Permitted-Cross-Domain-Policies none;
23 add_header Referrer-Policy strict-origin;
24
25 index index.php index.html;
26
27 client_max_body_size 0;
28
29 gzip on;
30 gzip_disable "msie6";
31
32 gzip_vary on;
33 gzip_proxied off;
34 gzip_comp_level 6;
35 gzip_buffers 16 8k;
36 gzip_http_version 1.1;
37 gzip_min_length 256;
38 gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/svg+xml image/x-icon;
39
40 location ~ ^/(fonts|js|css|img)/ {
41 expires max;
42 add_header Cache-Control public;
43 }
44
45 error_log /var/log/nginx/error.log;
46 access_log /var/log/nginx/access.log;
47 fastcgi_hide_header X-Powered-By;
48 absolute_redirect off;
49 root /web;
50
51 location / {
52 try_files $uri $uri/ @strip-ext;
53 }
54
55 location /qhandler {
56 rewrite ^/qhandler/(.*)/(.*) /qhandler.php?action=$1&hash=$2;
57 }
58
59 location /edit {
60 rewrite ^/edit/(.*)/(.*) /edit.php?$1=$2;
61 }
62
63 location @strip-ext {
64 rewrite ^(.*)$ $1.php last;
65 }
66
67 location ~ ^/api/v1/(.*)$ {
Matthias Andreas Benkard1ba53812022-12-27 17:32:58 +0100[diff] [blame]68 try_files $uri $uri/ /json_api.php?query=$1&$args;
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +0100[diff] [blame]69 }
70
71 location ^~ /.well-known/acme-challenge/ {
72 allow all;
73 default_type "text/plain";
74 }
75
76 # If behind reverse proxy, forwards the correct IP
77 set_real_ip_from 10.0.0.0/8;
78 set_real_ip_from 172.16.0.0/12;
79 set_real_ip_from 192.168.0.0/16;
80 set_real_ip_from fc00::/7;
81 real_ip_header X-Forwarded-For;
82 real_ip_recursive on;
83
84 rewrite ^/.well-known/caldav$ /SOGo/dav/ permanent;
85 rewrite ^/.well-known/carddav$ /SOGo/dav/ permanent;
86
87 location ^~ /principals {
88 return 301 /SOGo/dav;
89 }
90
Matthias Andreas Benkard7b2a3a12021-08-16 10:57:25 +0200[diff] [blame]91 location ^~ /inc/lib/ {
92 deny all;
93 return 403;
94 }
95
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +0100[diff] [blame]96 location ~ \.php$ {
97 try_files $uri =404;
98 fastcgi_split_path_info ^(.+\.php)(/.+)$;
99 fastcgi_pass phpfpm:9002;
100 fastcgi_index index.php;
101 include /etc/nginx/fastcgi_params;
102 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
103 fastcgi_param PATH_INFO $fastcgi_path_info;
104 fastcgi_read_timeout 3600;
105 fastcgi_send_timeout 3600;
106 }
107
108 location /rspamd/ {
109 location /rspamd/auth {
110 # proxy_pass is not inherited
111 proxy_pass http://rspamd:11334/auth;
112 proxy_intercept_errors on;
113 proxy_set_header Host $http_host;
114 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
115 proxy_set_header X-Real-IP $remote_addr;
116 proxy_redirect off;
117 error_page 403 /_rspamderror.php;
118 }
119 proxy_pass http://rspamd:11334/;
120 proxy_set_header Host $http_host;
121 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
122 proxy_set_header X-Real-IP $remote_addr;
123 proxy_redirect off;
124 }
125
126 location ~* ^/Autodiscover/Autodiscover.xml {
127 fastcgi_split_path_info ^(.+\.php)(/.+)$;
128 fastcgi_pass phpfpm:9002;
129 include /etc/nginx/fastcgi_params;
130 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
131 try_files /autodiscover.php =404;
132 }
133
134 location ~* ^/Autodiscover/Autodiscover.json {
135 fastcgi_split_path_info ^(.+\.php)(/.+)$;
136 fastcgi_pass phpfpm:9002;
137 include /etc/nginx/fastcgi_params;
138 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
139 try_files /autodiscover-json.php =404;
140 }
141
142 location ~ /(?:m|M)ail/(?:c|C)onfig-v1.1.xml {
143 fastcgi_split_path_info ^(.+\.php)(/.+)$;
144 fastcgi_pass phpfpm:9002;
145 include /etc/nginx/fastcgi_params;
146 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
147 try_files /autoconfig.php =404;
148 }
149
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +0100[diff] [blame]150 location /sogo-auth-verify {
151 internal;
152 proxy_set_header X-Original-URI $request_uri;
153 proxy_set_header X-Real-IP $remote_addr;
154 proxy_set_header Host $http_host;
155 proxy_set_header Content-Length "";
156 proxy_pass http://127.0.0.1:65510/sogo-auth;
157 proxy_pass_request_body off;
158 }
159
160 location ^~ /Microsoft-Server-ActiveSync {
Matthias Andreas Benkard7b2a3a12021-08-16 10:57:25 +0200[diff] [blame]161 include /etc/nginx/conf.d/includes/sogo_proxy_auth.conf;
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +0100[diff] [blame]162 include /etc/nginx/conf.d/sogo_eas.active;
163 proxy_connect_timeout 75;
164 proxy_send_timeout 3600;
165 proxy_read_timeout 3600;
Matthias Andreas Benkard1ba53812022-12-27 17:32:58 +0100[diff] [blame]166 proxy_buffer_size 128k;
167 proxy_buffers 64 512k;
168 proxy_busy_buffers_size 512k;
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +0100[diff] [blame]169 proxy_set_header X-Real-IP $remote_addr;
170 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
171 proxy_set_header Host $http_host;
172 client_body_buffer_size 512k;
173 client_max_body_size 0;
174 }
175
176 location ^~ /SOGo {
Matthias Andreas Benkard7b2a3a12021-08-16 10:57:25 +0200[diff] [blame]177 location ~* ^/SOGo/so/.*\.(xml|js|html|xhtml)$ {
178 include /etc/nginx/conf.d/includes/sogo_proxy_auth.conf;
179 include /etc/nginx/conf.d/sogo.active;
180 proxy_set_header X-Real-IP $remote_addr;
181 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
182 proxy_set_header Host $http_host;
183 proxy_set_header x-webobjects-server-protocol HTTP/1.0;
184 proxy_set_header x-webobjects-remote-host $remote_addr;
185 proxy_set_header x-webobjects-server-name $server_name;
186 proxy_set_header x-webobjects-server-url $client_req_scheme://$http_host;
187 proxy_set_header x-webobjects-server-port $server_port;
188 proxy_hide_header Content-Type;
189 add_header Content-Type text/plain;
190 break;
191 }
192 include /etc/nginx/conf.d/includes/sogo_proxy_auth.conf;
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +0100[diff] [blame]193 include /etc/nginx/conf.d/sogo.active;
194 proxy_set_header X-Real-IP $remote_addr;
195 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
196 proxy_set_header Host $http_host;
197 proxy_set_header x-webobjects-server-protocol HTTP/1.0;
198 proxy_set_header x-webobjects-remote-host $remote_addr;
199 proxy_set_header x-webobjects-server-name $server_name;
200 proxy_set_header x-webobjects-server-url $client_req_scheme://$http_host;
201 proxy_set_header x-webobjects-server-port $server_port;
Matthias Andreas Benkard1ba53812022-12-27 17:32:58 +0100[diff] [blame]202 proxy_buffer_size 128k;
203 proxy_buffers 64 512k;
204 proxy_busy_buffers_size 512k;
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +0100[diff] [blame]205 proxy_send_timeout 3600;
206 proxy_read_timeout 3600;
207 client_body_buffer_size 128k;
208 client_max_body_size 0;
209 break;
210 }
211
212 location ~* /sogo$ {
213 return 301 $client_req_scheme://$http_host/SOGo;
214 }
215
216 location /SOGo.woa/WebServerResources/ {
217 alias /usr/lib/GNUstep/SOGo/WebServerResources/;
218 }
219
220 location /.woa/WebServerResources/ {
221 alias /usr/lib/GNUstep/SOGo/WebServerResources/;
222 }
223
224 location /SOGo/WebServerResources/ {
225 alias /usr/lib/GNUstep/SOGo/WebServerResources/;
226 }
227
228 location (^/SOGo/so/ControlPanel/Products/[^/]*UI/Resources/.*\.(jpg|png|gif|css|js)$) {
229 alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2;
230 }
231
232 include /etc/nginx/conf.d/site.*.custom;
233
234 error_page 502 @awaitingupstream;
235
236 location @awaitingupstream {
237 rewrite ^(.*)$ /_status.502.html break;
238 }
239
240 location ~ ^/cache/(.*)$ {
241 try_files $uri $uri/ /resource.php?file=$1;
242 }