mailcow/data/conf/nginx/includes/site-defaults.conf

216 lines
6.4 KiB
Plaintext
Raw Normal View History

2017-10-12 14:37:48 +08:00
include /etc/nginx/mime.types;
charset utf-8;
override_charset on;
ssl_protocols TLSv1.2 TLSv1.3;
2020-09-27 18:38:40 +08:00
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_ecdh_curve X25519:X448:secp384r1:secp256k1;
2017-09-14 19:34:07 +08:00
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets off;
add_header Strict-Transport-Security "max-age=15768000;";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
2018-05-28 18:28:23 +08:00
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies none;
2018-08-06 15:24:34 +08:00
add_header Referrer-Policy strict-origin;
2017-09-11 23:37:25 +08:00
2016-12-22 19:20:26 +08:00
index index.php index.html;
2016-12-10 03:39:02 +08:00
2018-08-06 04:37:07 +08:00
client_max_body_size 0;
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied off;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_min_length 256;
2019-10-21 03:25:58 +08:00
gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/svg+xml image/x-icon;
location ~ ^/(fonts|js|css|img)/ {
expires max;
add_header Cache-Control public;
}
2017-02-28 17:02:02 +08:00
error_log /var/log/nginx/error.log;
access_log /var/log/nginx/access.log;
fastcgi_hide_header X-Powered-By;
absolute_redirect off;
2017-02-28 17:02:02 +08:00
root /web;
location / {
try_files $uri $uri/ @strip-ext;
}
location /qhandler {
rewrite ^/qhandler/(.*)/(.*) /qhandler.php?action=$1&hash=$2;
}
location /edit {
rewrite ^/edit/(.*)/(.*) /edit.php?$1=$2;
}
location @strip-ext {
rewrite ^(.*)$ $1.php last;
}
2017-04-29 22:36:41 +08:00
location ~ ^/api/v1/(.*)$ {
try_files $uri $uri/ /json_api.php?query=$1;
2017-03-28 17:51:31 +08:00
}
location ^~ /.well-known/acme-challenge/ {
2017-06-15 05:10:50 +08:00
allow all;
default_type "text/plain";
}
2017-02-28 17:02:02 +08:00
# If behind reverse proxy, forwards the correct IP
set_real_ip_from 10.0.0.0/8;
set_real_ip_from 172.16.0.0/12;
set_real_ip_from 192.168.0.0/16;
set_real_ip_from fc00::/7;
2017-02-28 17:02:02 +08:00
real_ip_header X-Forwarded-For;
real_ip_recursive on;
2017-06-15 05:14:41 +08:00
rewrite ^/.well-known/caldav$ /SOGo/dav/ permanent;
2017-06-15 05:17:31 +08:00
rewrite ^/.well-known/carddav$ /SOGo/dav/ permanent;
2017-06-15 05:14:41 +08:00
2017-06-15 05:10:50 +08:00
location ^~ /principals {
return 301 /SOGo/dav;
2017-02-28 17:02:02 +08:00
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass phpfpm:9002;
2017-02-28 17:02:02 +08:00
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_read_timeout 1200;
}
location /rspamd/ {
location /rspamd/auth {
# proxy_pass is not inherited
proxy_pass http://rspamd:11334/auth;
proxy_intercept_errors on;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_redirect off;
error_page 403 /_rspamderror.php;
}
2018-01-21 21:59:45 +08:00
proxy_pass http://rspamd:11334/;
proxy_set_header Host $http_host;
2017-02-28 17:02:02 +08:00
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_redirect off;
2017-02-28 17:02:02 +08:00
}
2017-06-16 05:03:10 +08:00
location ~* ^/Autodiscover/Autodiscover.xml {
2017-05-04 04:26:10 +08:00
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass phpfpm:9002;
2017-05-04 04:26:10 +08:00
include /etc/nginx/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
try_files /autodiscover.php =404;
2017-02-28 17:02:02 +08:00
}
location ~* ^/Autodiscover/Autodiscover.json {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass phpfpm:9002;
include /etc/nginx/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
try_files /autodiscover-json.php =404;
}
location ~ /(?:m|M)ail/(?:c|C)onfig-v1.1.xml {
2017-05-04 04:26:10 +08:00
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass phpfpm:9002;
2017-05-04 04:26:10 +08:00
include /etc/nginx/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
try_files /autoconfig.php =404;
2017-02-28 17:02:02 +08:00
}
# auth_request endpoint if ALLOW_ADMIN_EMAIL_LOGIN is set
location /sogo-auth-verify {
internal;
proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_set_header Content-Length "";
2019-04-02 04:52:45 +08:00
proxy_pass http://127.0.0.1:65510/sogo-auth;
proxy_pass_request_body off;
}
location ^~ /Microsoft-Server-ActiveSync {
include /etc/nginx/conf.d/sogo_proxy_auth.active;
include /etc/nginx/conf.d/sogo_eas.active;
2019-10-06 16:12:46 +08:00
proxy_connect_timeout 75;
proxy_send_timeout 3600;
proxy_read_timeout 3600;
proxy_buffers 64 256k;
2019-02-27 05:13:37 +08:00
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
2019-10-06 16:12:46 +08:00
client_body_buffer_size 512k;
2019-02-27 05:13:37 +08:00
client_max_body_size 0;
}
location ^~ /SOGo {
include /etc/nginx/conf.d/sogo_proxy_auth.active;
include /etc/nginx/conf.d/sogo.active;
2017-02-28 17:02:02 +08:00
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
2017-02-28 17:02:02 +08:00
proxy_set_header x-webobjects-server-protocol HTTP/1.0;
proxy_set_header x-webobjects-remote-host $remote_addr;
proxy_set_header x-webobjects-server-name $server_name;
2017-05-04 04:26:10 +08:00
proxy_set_header x-webobjects-server-url $client_req_scheme://$http_host;
2017-04-25 16:49:38 +08:00
proxy_set_header x-webobjects-server-port $server_port;
proxy_send_timeout 300;
proxy_read_timeout 300;
2017-02-28 17:02:02 +08:00
client_body_buffer_size 128k;
2017-08-09 16:17:27 +08:00
client_max_body_size 0;
2017-02-28 17:02:02 +08:00
break;
}
location ~* /sogo$ {
return 301 $client_req_scheme://$http_host/SOGo;
}
2017-02-28 17:02:02 +08:00
location /SOGo.woa/WebServerResources/ {
2018-12-22 02:54:32 +08:00
alias /usr/lib/GNUstep/SOGo/WebServerResources/;
2017-02-28 17:02:02 +08:00
}
location /.woa/WebServerResources/ {
2018-12-22 02:54:32 +08:00
alias /usr/lib/GNUstep/SOGo/WebServerResources/;
2017-02-28 17:02:02 +08:00
}
location /SOGo/WebServerResources/ {
2018-12-22 02:54:32 +08:00
alias /usr/lib/GNUstep/SOGo/WebServerResources/;
2017-02-28 17:02:02 +08:00
}
2018-02-14 16:09:17 +08:00
location (^/SOGo/so/ControlPanel/Products/[^/]*UI/Resources/.*\.(jpg|png|gif|css|js)$) {
2018-12-22 02:54:32 +08:00
alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2;
2017-02-28 17:02:02 +08:00
}
include /etc/nginx/conf.d/site.*.custom;
2019-09-24 12:53:13 +08:00
error_page 502 @awaitingupstream;
2019-09-24 12:53:13 +08:00
location @awaitingupstream {
rewrite ^(.*)$ /_status.502.html break;
}
2019-10-21 03:25:58 +08:00
location ~ ^/cache/(.*)$ {
try_files $uri $uri/ /resource.php?file=$1;
}