@Alvarus
Last active January 17, 2019 14:17
A sample nginx + php-fpm pool config for Kolab 3. Roundcube web client will be accessible from "https://mail.example.net", Kolab web administration from "https://mail.example.net/kolab-webadmin". Attempt to set all php variables using "fastcgi_param PHP_VALUE" resulted in strange behaviour, so they're set in php-fpm pools. Please note that sligh…
# http part, may want to move that to nginx.conf, but will work here also
fastcgi_cache_path /var/lib/nginx/fastcgi/ levels=1:2 keys_zone=kolab3.example.net:16m max_size=256m inactive=1d;
fastcgi_temp_path /var/lib/nginx/fastcgi/temp 1 2;
# The cache key has no per-user component. nginx does not cache responses that
# carry Set-Cookie or Cache-Control: private/no-cache/no-store, so per-user pages
# stay out of the shared cache only as long as the application sends those headers.
fastcgi_cache_key "$scheme$request_method$host$request_uri";
fastcgi_cache_use_stale error timeout invalid_header http_500;

server {
    listen 80;
    server_name kolab3.example.net;
    rewrite ^ https://$server_name$request_uri permanent; # enforce https
}

server {
    listen 443 ssl; # the "ssl" parameter enables TLS; the separate "ssl on;" directive is deprecated
    server_name .kolab3.example.net;
    access_log /var/log/nginx/access_kolab3.example.net_ssl.log;
    error_log /var/log/nginx/error_kolab3.example.net_ssl.log;
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; # dummy certificate, please create your own
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; # dummy certificate key, please create your own

    #-------------------------------------------------
    # cache settings
    #-------------------------------------------------
    open_file_cache max=1024 inactive=1m;
    open_file_cache_valid 90s;
    open_file_cache_min_uses 2;

    #-------------------------------------------------
    # Common Fastcgi settings
    #-------------------------------------------------
    fastcgi_param HTTPS on;
    fastcgi_keep_conn on;
    fastcgi_cache kolab3.example.net;
    fastcgi_cache_valid 200 302 304 10m;
    fastcgi_cache_valid 301 1h;
    fastcgi_cache_min_uses 2;
    fastcgi_buffers 256 4k;
    fastcgi_busy_buffers_size 8k;
    fastcgi_temp_file_write_size 8k;

    #-------------------------------------------------
    # roundcube mail
    #-------------------------------------------------
    location / {
        index index.php;
        root /usr/share/roundcubemail;
        client_max_body_size 30M; # set maximum upload size for mail attachments

        # Deny access to documentation files in the web root.
        location ~ ^/(README(\.md)?|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
            deny all;
        }
        # Deny access to internal directories (scripts, SQL, configuration, logs).
        location ~ ^/(bin|SQL|config|logs)/ {
            deny all;
        }
        # Deny direct access to program internals.
        location ~ ^/program/(include|lib|localization|steps)/ {
            deny all;
        }
        # Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
        location ~ /\. {
            deny all;
            access_log off;
            log_not_found off;
        }
        # enable php
        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_split_path_info ^(.+\.php)(/.*)$;
            fastcgi_pass unix:/var/run/php5-roundcube.sock;
            fastcgi_param SCRIPT_FILENAME $request_filename;
        }
    }

    #-------------------------------------------------
    # kolab web administration panel
    #-------------------------------------------------
    location /kolab-webadmin {
        index index.php;
        alias /usr/share/kolab-webadmin/public_html;
        try_files $uri $uri/ @kolab-wapapi;
        # enable php
        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_pass unix:/var/run/php5-wap.sock;
            fastcgi_param SCRIPT_FILENAME $request_filename;
            # Without this, PHPSESSION is replaced by webadmin-api X-Session-Token
            # (the quoted value spans two lines, one PHP setting per line)
            fastcgi_param PHP_VALUE "session.auto_start=0
session.use_cookies=0";
            fastcgi_pass_header X-Session-Token;
        }
    }

    # kolab-webadmin api
    location @kolab-wapapi {
        rewrite ^/kolab-webadmin/api/(.*)\.(.*)$ /kolab-webadmin/api/index.php?service=$1&method=$2 last;
    }

    #-------------------------------------------------
    # Kolab syncroton ActiveSync
    #-------------------------------------------------
    location /Microsoft-Server-ActiveSync {
        alias /usr/share/kolab-syncroton/index.php;
        client_max_body_size 30M; # set maximum upload size for mail attachments
        include fastcgi_params;
        fastcgi_index index.php;
        fastcgi_pass unix:/var/run/php5-syncroton.sock;
        fastcgi_param SCRIPT_FILENAME /usr/share/kolab-syncroton/index.php;
    }

    #-------------------------------------------------
    # Kolab freebusy
    #-------------------------------------------------
    location /freebusy {
        alias /usr/share/kolab-freebusy/public_html/index.php;
        include fastcgi_params;
        fastcgi_index index.php;
        fastcgi_pass unix:/var/run/php5-freebusy.sock;
        fastcgi_param SCRIPT_FILENAME /usr/share/kolab-freebusy/public_html/index.php;
    }
}

[kolab-freebusy]
user = www-data
group = www-data
listen = /var/run/php5-freebusy.sock
pm = dynamic
pm.max_children = 40
pm.start_servers = 15
pm.min_spare_servers = 10
pm.max_spare_servers = 20
chdir = /

[kolab-syncroton]
user = www-data
group = www-data
listen = /var/run/php5-syncroton.sock
pm = dynamic
pm.max_children = 40
pm.start_servers = 15
pm.min_spare_servers = 10
pm.max_spare_servers = 20
chdir = /

[kolab-wap]
user = www-data
group = www-data
listen = /var/run/php5-wap.sock
pm = dynamic
pm.max_children = 40
pm.start_servers = 15
pm.min_spare_servers = 10
pm.max_spare_servers = 20
chdir = /

[roundcubemail]
user = www-data
group = www-data
listen = /var/run/php5-roundcube.sock
pm = dynamic
pm.max_children = 40
pm.start_servers = 15
pm.min_spare_servers = 10
pm.max_spare_servers = 20
chdir = /
; Derived from .htaccess of roundcube
php_flag[display_errors] = Off
php_flag[log_errors] = On
php_value[upload_max_filesize] = 30M
php_value[post_max_size] = 30M
php_flag[zlib.output_compression] = Off
php_flag[magic_quotes_gpc] = Off
php_flag[magic_quotes_runtime] = Off
php_flag[zend.ze1_compatibility_mode] = Off
php_flag[suhosin.session.encrypt] = Off
php_flag[session.auto_start] = Off
php_value[session.gc_maxlifetime] = 21600
php_value[session.gc_divisor] = 500
php_value[session.gc_probability] = 1
; http://bugs.php.net/bug.php?id=30766
php_value[mbstring.func_overload] = 0

@tehownt

tehownt commented Oct 9, 2013

ActiveSync needs the suhosin encryption bypass too
php_flag[suhosin.session.encrypt] = Off

in

php5-fpm_pool.d_kolab-syncroton.conf

@AlexAndrascu

Hi, I'm pretty keen to try this one on a Debian Wheezy. Can you please let me know what you used for the initial Kolab setup? I assume you haven't used the default setup-kolab?

Thank you.

@quiricada

On the php5-fpm conf files, I was getting permission denied errors

https://stackoverflow.com/questions/23443398/nginx-error-connect-to-php5-fpm-sock-failed-13-permission-denied/23487409#23487409

so I added these lines to the conf files
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
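
The socket settings from the comment above can be checked across all pool files with a short script. This is an added example, not part of the gist or its comments; the function names and the sample pool text are constructed for illustration.

```python
import re

# Constructed sample in the gist's style: one pool without the listen.* lines,
# one with the lines from the comment, one with a world-accessible socket.
SAMPLE = """\
[kolab-wap]
listen = /var/run/php5-wap.sock

[roundcubemail]
listen = /var/run/php5-roundcube.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660

[kolab-freebusy]
listen = /var/run/php5-freebusy.sock
listen.mode = 0666
"""

REQUIRED = ("listen.owner", "listen.group", "listen.mode")

def parse_pools(text):
    """Return {pool_name: {directive: value}} from php-fpm pool syntax."""
    pools, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a comment
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            current = pools.setdefault(header.group(1), {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return pools

def audit_sockets(text):
    """Return {pool_name: [finding, ...]} for pools listening on a Unix socket."""
    report = {}
    for name, conf in parse_pools(text).items():
        if not conf.get("listen", "").startswith("/"):
            continue                          # TCP listener: not covered here
        findings = [f"{k} not set" for k in REQUIRED if k not in conf]
        mode = conf.get("listen.mode")
        if mode and int(mode, 8) & 0o007:     # any permission bit for "other"
            findings.append(f"listen.mode {mode} grants access to all local users")
        report[name] = findings
    return report

if __name__ == "__main__":
    print(audit_sockets(SAMPLE))
```

An empty list for a pool means its socket has an explicit owner, group and mode, and the mode gives no access to users outside that owner and group.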

@thehiddenbit

This basically works well for me, but I noticed that my iPhone doesn't automatically detect new mails in idle state. If I check for new mails manually, they arrive at my iPhone.

If I switch back to Apache, everything works like a charm.

The following errors occur in the nginx error.log:

[error] 5211#0: *79 upstream timed out (110: Connection timed out) while reading response header from upstream, client: xx.xx.xx.xx, server: domain.com, request: "POST /Microsoft-Server-ActiveSync?User=mail@domain.com&DeviceId=ApplF99ATZEZFFG8&DeviceType=iPhone&Cmd=Ping HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-syncroton.sock", host: "domain.com"

@dosas

dosas commented Mar 16, 2015

works nicely on debian with a few minor changes:
had to change the php conf files according to quiricada

also the nginx documentation http://nginx.org/en/docs/http/converting_rewrite_rules.html recommends using 301 redirect instead of rewrite

return 301 https://$server_name$request_uri;
