My working NGINX config on the host machine acting as a reverse proxy for mailcow: dockerized. It redirects the root URL to SOGo for easy webmail access and lets users/administrators reach the mailcow admin UI at URL/setup/. It also handles host names this server is not meant to answer — for example, NGINX serves mail.example.com but you do not want it answering for example.com — by dropping those connections. Note: every `include` directive in the HTTPS server blocks must end with a semicolon, or `nginx -t` will reject the configuration.
#######
### NGINX reverse proxy to mailcow and SOGo
### Redirects the root URL to SOGo and /setup/ to the mailcow control panel
### TLS hardening lives in the included mozModern_ssl.conf; every HTTPS server
### block must include it, otherwise nginx's built-in TLS defaults apply
#######
## HTTP catch-all for host names this server is not meant to answer
## (e.g. the bare apex domain "example.com")
server {
    # Default vhost for plain HTTP: any Host this machine does not
    # explicitly serve (e.g. the bare apex "example.com") ends up here.
    listen [::]:80 default_server;
    listen 80 default_server;
    # 444 is nginx-specific: close the connection without sending a response.
    return 444;
}
## Redirect HTTP to HTTPS for the host names served by this machine
## (e.g. mail.example.com, webmail.example.com)
server {
    # Plain-HTTP entry point for the names this host really serves.
    listen [::]:80;
    listen 80;
    server_name mail.example.com webmail.example.com autodiscover.example.com autoconfig.example.com;
    # Permanent redirect to the same host and path over TLS. Echoing $host is
    # fine here because only the names listed above can reach this block.
    return 301 https://$host$request_uri;
}
## HTTPS catch-all for host names not served here. The TLS handshake still
## completes with the certificate below (so clients see a name mismatch);
## if the user proceeds anyway the connection is dropped.
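server {
    # Default TLS vhost: any SNI / Host this machine does not explicitly serve.
    # The handshake completes (the certificate below is presented, so clients
    # see a name mismatch) and then nothing is served.
    listen 443 default_server ssl http2;
    listen [::]:443 default_server ssl http2;
    # Shared TLS hardening (protocols, ciphers, stapling) from mozModern_ssl.conf.
    # The trailing ';' is required; without it nginx refuses to load the config.
    include /etc/nginx/mozModern_ssl.conf;
    # A certificate is still mandatory for an ssl listener, even one that
    # only returns 444.
    ssl_certificate /etc/ssl/certs/your-certificate-full-chain.crt;
    ssl_certificate_key /etc/ssl/private/your-certificate-private-key.key;
    # Close the connection without sending a response.
    return 444;
}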
## Proxy the primary server and the webmail subdomain to mailcow
## A request for the bare root URL is sent to SOGo (the default browsing action)
## The mailcow admin panel is reached via the /setup/ alias (not /admin — see
## the note in that location block)
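server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name mail.example.com webmail.example.com;
    # Shared TLS hardening (protocols, ciphers, stapling) from mozModern_ssl.conf.
    # The trailing ';' is required; without it nginx refuses to load the config.
    include /etc/nginx/mozModern_ssl.conf;
    ssl_certificate /etc/ssl/certs/your-certificate-full-chain.crt;
    ssl_certificate_key /etc/ssl/private/your-certificate-private-key.key;

    # Everything is proxied to mailcow's HTTP port on loopback. A request for
    # exactly "/" is internally rewritten to /SOGo first (no rewrite flag, so
    # nginx re-runs location matching and lands back here with the new URI).
    location / {
        rewrite ^/$ /SOGo;
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        # Appends the client address to any incoming X-Forwarded-For. The
        # backend only gets a trustworthy client IP if it is configured to
        # trust this proxy's address -- NOTE(review): confirm in mailcow's
        # reverse-proxy settings.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Upload limit for the proxied UI (attachments etc.).
        client_max_body_size 100m;
    }

    # Convenience alias: /setup/<path> is forwarded as /<path> to the backend,
    # so /setup/ opens the mailcow UI. Both trailing slashes matter: without
    # the one on proxy_pass nginx would forward /setup/... verbatim and the
    # backend would answer 404.
    # This is NOT access control: location / above already proxies every
    # path, so the mailcow UI is equally reachable at its native URLs.
    # Using "admin" as the alias name produced redirect loops with recent
    # mailcow releases, hence "setup".
    location ^~ /setup/ {
        proxy_pass http://127.0.0.1:8080/;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        client_max_body_size 100m;
    }
}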
## Proxy the auto-configuration host names straight to the mailcow root
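server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name autodiscover.example.com autoconfig.example.com;
    # Same shared TLS hardening as the other HTTPS server blocks. Without this
    # include the listener would fall back to nginx's built-in protocol and
    # cipher defaults, so mail clients hitting autodiscover/autoconfig would
    # get a weaker TLS setup than the webmail host.
    include /etc/nginx/mozModern_ssl.conf;
    ssl_certificate /etc/ssl/certs/your-certificate-full-chain.crt;
    ssl_certificate_key /etc/ssl/private/your-certificate-private-key.key;
    # Forward every path unchanged to mailcow on loopback; mailcow serves the
    # autodiscover/autoconfig endpoints itself.
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        client_max_body_size 100m;
    }
}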
# Based on settings recommended by Mozilla SSL Configuration Generator
# 'modern' NGINX profile (the TLS 1.2-only variant of that profile).
# NOTE(review): newer generator output also lists TLSv1.3; consider adding it
# if your nginx/OpenSSL build supports it, and verify with `nginx -t`.
# SSL certificates are specified in each server block. This file is meant to
# be pulled in with `include /etc/nginx/mozModern_ssl.conf;` (trailing ';'
# required) by every TLS-terminating server block.
# SSL session parameters
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
# Session tickets are turned off, as in the Mozilla profile.
ssl_session_tickets off;
# Protocols and ciphers: TLS 1.2 only; ECDHE-only suites, AES-GCM and
# ChaCha20-Poly1305 first, then AES-CBC with SHA-2 MACs; server order wins.
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;
# Diffie-Hellman parameters (4096-bit). None of the suites above are DHE
# (all are ECDHE), so this file is only consulted if the cipher list is ever
# widened to include DHE suites; it is harmless to keep.
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# HSTS - mailcow adds an HSTS header even for non-secured connections
# uncomment the following line once your setup is working properly and
# if you understand the implications of doing so (browsers will refuse plain
# HTTP for this host for max-age seconds). Keep in mind that nginx add_header
# directives from this file are inherited by a server block only if that
# block declares no add_header of its own.
#add_header Strict-Transport-Security max-age=15768000;
# OCSP Stapling
# fetch OCSP records from URL in ssl_certificate and cache them
# This will not work for self-signed certificates or if not supported
# by your certificate issuer
# if that's the case, comment the following 3 lines
ssl_stapling on;
ssl_stapling_verify on;
# Must hold the issuer chain so nginx can verify the stapled OCSP response
ssl_trusted_certificate /etc/ssl/certs/full_certificate_CA_chain.pem;
# resolver should be specified in nginx.conf or in networking configuration
# (nginx needs a resolver to look up the issuer's OCSP responder)