NGINX configuration where the machine hosting mailcow is acting as a reverse proxy. Includes a section where certain domain names/CNAMEs are sent to webmail (SOGo) by default instead of the admin panel, which is then accessed via the `/config` sub-URI.
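# these are common security headers that you can easily add to locations or
# entire server blocks by including this file
# include /etc/nginx/headersSecurity.conf;
#
# NOTE: nginx inherits add_header directives from the enclosing level only when
# the current level declares *no* add_header of its own, so any location that
# adds its own header (e.g. Cache-Control) must re-include this file or it
# silently loses every header below.
#
# 'always' makes nginx emit the header on every response code, including
# 4xx/5xx error pages; without it only 2xx/3xx responses carry the header.
# Feature-Policy has been superseded by Permissions-Policy; both are sent so
# browsers that only understand the legacy header keep working.
add_header Feature-Policy "geolocation 'self'" always;
add_header Permissions-Policy "geolocation=(self)" always;
add_header Referrer-Policy "same-origin" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options noopen always;
add_header X-Frame-Options SAMEORIGIN always;
add_header X-Permitted-Cross-Domain-Policies none always;
add_header X-UA-Compatible "IE=edge" always;
# legacy header: current browsers no longer implement the XSS auditor and
# modern guidance relies on a Content-Security-Policy instead, which is not set
# here because it is application-specific
add_header X-XSS-Protection "1; mode=block" always;
# prevent search engines from indexing sites on this server
add_header X-Robots-Tag none always;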
#
# mailcow reverse-proxy configuration
# direct access to host: root = config (default mailcow setup)
# CNAME for webmail or mailserver: root = SOGo, configuration at /config
#
#
# HTTP catch-all for all unconfigured domain names
server {
    # default_server: selected for any Host header (or missing Host) that no
    # other server_name on port 80 matches
    listen 80 default_server;
    listen [::]:80 default_server;
    # silently drop the connection
    # (444 is nginx-specific: the connection is closed without sending any
    # response, so unknown hostnames get neither a redirect nor an error page)
    return 444;
}
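#
# HTTPS catch-all for all unconfigured domain names
# (user gets HTTPS certificate mismatch error and continues anyway to an invalid domain)
server {
    listen 443 default_server ssl http2;
    listen [::]:443 default_server ssl http2;
    # ssl certificates for this server
    # (an ssl listener needs a certificate even though nothing is ever served
    # here; the name mismatch the comment above mentions is expected)
    ssl_certificate /path/to/your-certificate-full-chain.crt;
    ssl_certificate_key /path/to/your-certificate-private-key.key;
    # ssl configuration for this server
    # ('include' is a directive and must be terminated with ';' or nginx
    # refuses to load the configuration)
    include /etc/nginx/mozIntermediate_ssl.conf;
    # silently drop the connection
    # (444 is nginx-specific: close without sending a response)
    return 444;
}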
#
# Redirect HTTP to HTTPS for *configured* domain names on this server
server {
    listen 80;
    listen [::]:80;
    # specify configured mailcow host server name and CNAMEs
    # (only these names reach this block; any other Host lands on the
    # default_server above and is dropped with 444)
    server_name
        host.domain.tld
        mail.domain.tld
        webmail.domain.tld
        autodiscover.domain.tld
        autoconfig.domain.tld
        ;
    # redirect to properly formed HTTPS request
    # ($host is safe to echo here: server selection is by Host, so it can only
    # be one of the names listed above, not an attacker-chosen domain)
    return 301 https://$host$request_uri;
}
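#
# proxy to mailcow using default setup (root = admin backend)
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # specify mailcow-related server names which should redirect as per default setup
    server_name
        autodiscover.domain.tld
        autoconfig.domain.tld
        ;
    # ssl certificates for this server
    ssl_certificate /path/to/your-certificate-full-chain.crt;
    ssl_certificate_key /path/to/your-certificate-private-key.key;
    # ssl configuration for this server
    # ('include' is a directive and must be terminated with ';' or nginx
    # refuses to load the configuration)
    include /etc/nginx/mozIntermediate_ssl.conf;
    # security headers
    # (inherited by every location below that declares no add_header of its own)
    include /etc/nginx/headersSecurity.conf;
    # client body size settings (you can set a reasonable size here, 0 means no limit)
    # 0 removes the request-body cap at the proxy, so oversized uploads are
    # only ever refused by mailcow itself
    client_max_body_size 0;
    # common proxy settings (reduces annoying proxy buffer messages in logs when dealing with NGINX in docker)
    proxy_buffers 16 16k;
    proxy_buffer_size 16k;
    # set common proxy headers
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    # $proxy_add_x_forwarded_for appends $remote_addr to any client-supplied
    # X-Forwarded-For, so the backend must only trust the last (right-most) entry
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # set upstream locations
    # (this allows NGINX to start without crashing if mailcow is not running, make sure the port is correct!)
    set $upstream_mailcow http://127.0.0.1:8080;
    # proxy ActiveSync connections
    location /Microsoft-Server-ActiveSync {
        # proxy connect options
        proxy_connect_timeout 75s;
        proxy_send_timeout 3650s;
        # nginx has no 'proxy_receive_timeout' directive (an unknown directive
        # aborts config loading); the read-side timeout is proxy_read_timeout,
        # kept at the value the original used
        proxy_read_timeout 3650s;
        proxy_buffers 64 256k;
        # set body buffer size
        client_body_buffer_size 512k;
        # proxy to mailcow
        # NOTE(review): when proxy_pass combines a variable with a URI, nginx
        # sends that URI literally and does not append the request's query
        # string; ActiveSync carries its parameters in the query string, so
        # this may need `$is_args$args` appended -- confirm with a client
        proxy_pass $upstream_mailcow/Microsoft-Server-ActiveSync;
    }
    # proxy /config to Mailcow Admin Panel
    location ^~ /config/ {
        # NOTE(review): with a variable in proxy_pass nginx does not substitute
        # the matched prefix; it sends the URI given here ('/') as-is for every
        # request under /config/, so only the panel's entry page is reached via
        # this prefix -- confirm this is intended
        proxy_pass $upstream_mailcow/;
    }
    # proxy root to Mailcow Admin Panel
    location / {
        # rewrite case variations of 'config'
        rewrite (?i)^/config/ /config/ redirect;
        # rewrite 'webmail' to 'SOGo'
        rewrite (?i)^/webmail/ /SOGo/ redirect;
        # proxy to mailcow (no URI part: the request URI is passed through unchanged)
        proxy_pass $upstream_mailcow;
    }
}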
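#
# proxy to mailcow using webmail-first setup (root = SOGo, /config = admin backend)
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # specify mailcow-related server names which should redirect to SOGo by default
    server_name
        mail.domain.tld
        webmail.domain.tld
        ;
    # ssl certificates for this server
    ssl_certificate /path/to/your-certificate-full-chain.crt;
    ssl_certificate_key /path/to/your-certificate-private-key.key;
    # ssl configuration for this server
    # ('include' is a directive and must be terminated with ';' or nginx
    # refuses to load the configuration)
    include /etc/nginx/mozIntermediate_ssl.conf;
    # security headers
    # (inherited by every location below that declares no add_header of its own)
    include /etc/nginx/headersSecurity.conf;
    # client body size settings (you can set a reasonable size here, 0 means no limit)
    # 0 removes the request-body cap at the proxy, so oversized uploads are
    # only ever refused by mailcow itself
    client_max_body_size 0;
    # common proxy settings (reduces annoying proxy buffer messages in logs when dealing with NGINX in docker)
    proxy_buffers 16 16k;
    proxy_buffer_size 16k;
    # set common proxy headers
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    # $proxy_add_x_forwarded_for appends $remote_addr to any client-supplied
    # X-Forwarded-For, so the backend must only trust the last (right-most) entry
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # set upstream locations
    # (this allows NGINX to start without crashing if mailcow is not running, make sure the port is correct!)
    set $upstream_mailcow http://127.0.0.1:8080;
    # static assets
    # NOTE: this server sets no 'root', so $uri is looked up under nginx's
    # default document root (e.g. /etc/nginx/html); set 'root' here if the
    # files live elsewhere
    location ^~ /resources/webmail/ {
        # cache graphics files
        location ~* \.(?:jpe?g|gif|png|ico|gz|svgz?) {
            # you can set a different expiry here if you want, this works well though
            expires 30d;
            # an add_header at this level discards every header inherited from
            # the server level (the security headers and the HSTS header from
            # the ssl include), so they are re-added explicitly
            add_header Cache-Control "public";
            add_header Strict-Transport-Security "max-age=15768000" always;
            include /etc/nginx/headersSecurity.conf;
        }
        # find requested files or return 404
        try_files $uri =404;
    }
    # override logo
    # OPTIONAL: if you have a custom logo you want to serve instead of the SOGo logo, here's where to do it
    location = /SOGo.woa/WebServerResources/img/sogo-full.svg {
        # 'alias' maps this exact URI straight onto a filesystem path; the
        # previous 'rewrite ... break' left the new URI to be resolved under the
        # document root, which produces errors such as
        # open() "/etc/nginx/htmllogo.svg" failed
        alias /file/path/to/your/logo_file.svg;
    }
    # proxy /config to Mailcow Admin Panel
    location ^~ /config/ {
        # NOTE(review): with a variable in proxy_pass nginx does not substitute
        # the matched prefix; it sends the URI given here ('/') as-is for every
        # request under /config/, so only the panel's entry page is reached via
        # this prefix -- confirm this is intended
        proxy_pass $upstream_mailcow/;
    }
    # default location (SOGo)
    location / {
        # rewrite case variations of config
        rewrite (?i)^/config/ /config/ redirect;
        # send the bare root to SOGo; every other path is proxied to mailcow unchanged
        rewrite ^/$ /SOGo/;
        proxy_pass $upstream_mailcow;
    }
}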
#
# Shared SSL configuration
# Based on Mozilla 'Intermediate' configuration (TLS1.2 and TLS1.3)
# last updated: 2022-02-10
#
# Include this file from each ssl server block, after ssl_certificate and
# ssl_certificate_key, e.g.:  include /etc/nginx/mozIntermediate_ssl.conf;
# SSL certificate and key are defined in the server blocks
# SSL parameters
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
# session tickets are disabled as in the Mozilla profile; resumption relies on
# the server-side cache above
ssl_session_tickets off;
# SSL protocols and ciphers
ssl_protocols TLSv1.2 TLSv1.3;
# TLS1.3 suites are not listed here: OpenSSL configures them separately from ssl_ciphers
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
# let the client choose from the list above (every suite listed is AEAD with forward secrecy)
ssl_prefer_server_ciphers off;
# Diffie-Hellman parameters
# (only used by the DHE-* suites above; the Mozilla profile recommends the
# published ffdhe2048 group rather than a locally generated one)
ssl_dhparam /path/to/dhparam.pem;
# HSTS (6 months)
# other common max-age values:
#   max-age=31536000 (1 year)
#   max-age=63072000 (2 years)
# NOTE: any location that declares its own add_header drops this header
# (nginx does not merge add_header across levels) unless it re-adds it
add_header Strict-Transport-Security "max-age=15768000" always;
# OCSP stapling
ssl_stapling on;
# verify the OCSP response against the trusted chain before stapling it
ssl_stapling_verify on;
# verify chain of trust (this path should work as-is on all debian/ubuntu systems)
ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
# configuration templates recommend setting a resolver here,
# it should properly be set in your nginx.conf or a linked configuration file
# (ssl_stapling needs one to look up the OCSP responder by name)
@Green2Matter If you were getting that specific error open() "/etc/nginx/htmllogo.svg" failed
then it's likely you forgot the leading slash in your rewrite line -- you were using a relative instead of absolute path. The giveaway is in the concatenation ".../htmllogo.svg".
Regardless, I'm glad you got it working!
Hi @asifbacchus
Thanks for this config, it helped me to redo my mailcow setup! One thing I can't get to work is rewriting the SOGo logo. I keep getting a 404 error (nginx log: "GET /SOGo.woa/WebServerResources/img/sogo-full.svg?lm=1657003071 HTTP/2.0" 404 146). I tried different file paths, web server file ownership and so on. Still 404... The content type isn't correct (in the response headers) but I think it's related to a missing or somehow inaccessible file...
Answer headers:
EDIT
It's all about nginx default root: error log: open() "/etc/nginx/htmllogo.svg" failed
But even if I put root directive or absolute path this error remains the same. Nginx keeps prepending default root (/etc/nginx/html)...
EDIT2
Somehow it worked:
I had to restart nginx and not only reload. I don't know why I couldn't use an absolute path...