My working NGINX config on the host machine acting as a reverse proxy for mailcow:dockerized. Redirects root URLs to SOGo for easy webmail access and allows users/administrators to access mailcow admin by going to URL/setup. Also handles invalid domains. Ex: NGINX serving mail.example.com but you don't want it answering example.com.
#######
### NGINX Reverse-Proxy to mailcow and SOGo
### Redirects root to SOGo and /setup to mailcow control panel
### Terminates TLS for every hostname; protocol/cipher/stapling settings come from the included mozModern_ssl.conf
#######
## Plain-HTTP catch-all: selected when the Host header matches none of the
## server_name entries below (e.g. the bare root domain "example.com")
server {
listen [::]:80 default_server;
listen 80 default_server;
# 444 is nginx-specific: close the connection without sending any bytes, so
# an unknown hostname gets no redirect, no banner and no error page
return 444;
}
## Plain-HTTP listener for the hostnames this proxy actually serves;
## every request is bounced to its HTTPS equivalent
server {
listen [::]:80;
listen 80;
server_name mail.example.com webmail.example.com autodiscover.example.com autoconfig.example.com;
# Permanent redirect to the same host and path over TLS. $host is taken
# from the request's Host header, but this block is only selected when that
# header matched one of the server_name entries above, so the redirect
# target cannot be steered to an arbitrary domain.
return 301 https://$host$request_uri;
}
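## HTTPS catch-all for hostnames that are not listed in any server_name
## below. The browser will see a certificate mismatch; if the user clicks
## through anyway the connection is dropped instead of being proxied.
server {
listen 443 default_server ssl http2;
listen [::]:443 default_server ssl http2;
# Protocol/cipher/stapling settings are shared between the HTTPS servers
# (see the 'mozModern_ssl' file below for an example).
# nginx directives must end with ';' -- without it the include directive
# runs into the following lines and nginx rejects the configuration.
include /etc/nginx/mozModern_ssl.conf;
# A certificate is still required so the TLS handshake can complete on the
# default server; the main certificate is reused here because the handshake
# only needs to get as far as the 444 below.
ssl_certificate /etc/ssl/certs/your-certificate-full-chain.crt;
ssl_certificate_key /etc/ssl/private/your-certificate-private-key.key;
# Close the connection without sending a response
return 444;
}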
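## Proxy the primary mail host and the webmail subdomain to mailcow.
## A plain root URL (/) is rewritten to /SOGo so webmail opens by default.
## /setup/ reaches the mailcow control panel (see the second location;
## the prefix really is /setup/, not /admin).
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name mail.example.com
webmail.example.com;
# Protocol/cipher/stapling settings are shared between the HTTPS servers
# (see the 'mozModern_ssl' file below for an example).
# nginx directives must end with ';' -- without it the include directive
# runs into the following lines and nginx rejects the configuration.
include /etc/nginx/mozModern_ssl.conf;
# SSL certificates for this connection
ssl_certificate /etc/ssl/certs/your-certificate-full-chain.crt;
ssl_certificate_key /etc/ssl/private/your-certificate-private-key.key;
# Everything not caught by a more specific location goes to mailcow on the
# loopback interface. Only an exact "/" is rewritten to /SOGo; every other
# path is passed through unchanged.
location / {
rewrite ^/$ /SOGo;
proxy_pass http://127.0.0.1:8080;
# Pass the client's Host header through unchanged
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
# $proxy_add_x_forwarded_for APPENDS $remote_addr to any X-Forwarded-For
# the client already sent, so the backend must only trust the last
# (rightmost) address -- the earlier entries are client-controlled.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Tells the backend the client connection was TLS
proxy_set_header X-Forwarded-Proto $scheme;
# Raise nginx's default 1m request-body limit (uploads via webmail)
client_max_body_size 100m;
}
# /setup/ -> mailcow control panel.
# The trailing slash on both the location and the proxy_pass URL makes
# nginx strip the "/setup/" prefix, so /setup/foo is requested from the
# backend as /foo (without it nginx would ask for /setup/foo and get a 404).
# Consequence: the whole mailcow web root, not only the admin UI, is
# reachable under /setup/. "/setup" without the trailing slash does not
# match this prefix and falls through to "location /" above.
# Recent mailcow updates produce redirect loops if 'admin' is used as the
# prefix here.
location ^~ /setup/ {
proxy_pass http://127.0.0.1:8080/;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
# Same caveat as above: only the rightmost X-Forwarded-For entry is trustworthy
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
client_max_body_size 100m;
}
}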
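## Proxy the autodiscover/autoconfig hostnames straight to the mailcow root
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name autodiscover.example.com
autoconfig.example.com;
# Same shared TLS settings as the other HTTPS servers. Without this include
# the block only gets whatever ssl_* settings the enclosing http context
# provides, so its protocol/cipher policy would silently differ from the
# mail/webmail server above.
include /etc/nginx/mozModern_ssl.conf;
# SSL certificates for this connection
ssl_certificate /etc/ssl/certs/your-certificate-full-chain.crt;
ssl_certificate_key /etc/ssl/private/your-certificate-private-key.key;
# Proxy to mailcow root on the loopback interface; no path rewriting
location / {
proxy_pass http://127.0.0.1:8080;
# Pass the client's Host header through unchanged
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
# $proxy_add_x_forwarded_for appends to any client-supplied
# X-Forwarded-For; only the rightmost address is trustworthy
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Raise nginx's default 1m request-body limit
client_max_body_size 100m;
}
}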
# mozModern_ssl.conf -- shared TLS settings, pulled into each HTTPS server
# block above with "include".
# Based on the 'modern' NGINX profile of the Mozilla SSL Configuration
# Generator as it stood when this file was written. NOTE(review): the
# generator's profiles change over time; re-check before reusing this.
# Certificates are NOT set here -- each server block supplies its own
# ssl_certificate / ssl_certificate_key.
# Session resumption: server-side cache, 1 day lifetime. Session tickets are
# off, as in Mozilla's profile (NOTE(review): stock nginx does not rotate its
# ticket key, which weakens forward secrecy for resumed sessions).
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# Protocols and ciphers
# Only TLS 1.2 is offered. NOTE(review): TLSv1.3 is not listed; add it if
# this nginx build's OpenSSL supports it.
ssl_protocols TLSv1.2;
# Every suite is ECDHE (forward secrecy). The first six are AEAD suites
# (AES-GCM / ChaCha20-Poly1305); the last four (...-AES256-SHA384,
# ...-AES128-SHA256) are CBC-mode suites kept only for older clients --
# drop them if such clients do not need to be supported.
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;
# Diffie-Hellman parameters (4096 bits). These are only used by DHE cipher
# suites, and the list above contains none, so this directive currently has
# no effect on negotiated suites -- harmless, but do not expect it to matter.
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# HSTS (left commented out). The original author reports that mailcow already
# sends its own Strict-Transport-Security header, so enabling this would add
# a second one. Enable only once HTTPS works for every hostname served here,
# and note that an add_header in a server or location block replaces, rather
# than extends, add_header directives inherited from outer levels.
#add_header Strict-Transport-Security max-age=15768000;
# OCSP Stapling
# Fetches OCSP responses from the URL embedded in ssl_certificate and caches
# them. ssl_stapling_verify requires the issuer chain in
# ssl_trusted_certificate and a working "resolver" (see the note below).
# This does not work with self-signed certificates or issuers without OCSP;
# in that case comment out the following 3 lines.
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/certs/full_certificate_CA_chain.pem;
# A "resolver" directive is required for stapling; it is expected to be set
# in nginx.conf or the host's networking configuration, not in this file.