From dcd50b22452564371391100b06e908f678e3d2d5 Mon Sep 17 00:00:00 2001
From: Marcel Hofer
Date: Sun, 20 Oct 2019 16:41:53 +0200
Subject: [PATCH 1/2] [SSL] restore old nginx templates. fix possible issues with custom nginx sites
---
 .../conf/nginx/templates/listen_plain.template | 2 ++
 data/conf/nginx/templates/listen_ssl.template | 2 ++
 data/conf/nginx/templates/server_name.template | 1 +
 data/conf/nginx/templates/sites.template.sh | 18 ++++++++----------
 docker-compose.yml | 5 ++++-
 5 files changed, 17 insertions(+), 11 deletions(-)
 create mode 100644 data/conf/nginx/templates/listen_plain.template
 create mode 100644 data/conf/nginx/templates/listen_ssl.template
 create mode 100644 data/conf/nginx/templates/server_name.template
diff --git a/data/conf/nginx/templates/listen_plain.template b/data/conf/nginx/templates/listen_plain.template
new file mode 100644
index 00000000..a044b22f
--- /dev/null
+++ b/data/conf/nginx/templates/listen_plain.template
@@ -0,0 +1,2 @@
+listen ${HTTP_PORT};
+listen [::]:${HTTP_PORT};
diff --git a/data/conf/nginx/templates/listen_ssl.template b/data/conf/nginx/templates/listen_ssl.template
new file mode 100644
index 00000000..93ec80c6
--- /dev/null
+++ b/data/conf/nginx/templates/listen_ssl.template
@@ -0,0 +1,2 @@
+listen ${HTTPS_PORT} ssl http2;
+listen [::]:${HTTPS_PORT} ssl http2;
diff --git a/data/conf/nginx/templates/server_name.template b/data/conf/nginx/templates/server_name.template
new file mode 100644
index 00000000..261a1ece
--- /dev/null
+++ b/data/conf/nginx/templates/server_name.template
@@ -0,0 +1 @@
+server_name ${MAILCOW_HOSTNAME} autodiscover.* autoconfig.*;
diff --git a/data/conf/nginx/templates/sites.template.sh b/data/conf/nginx/templates/sites.template.sh
index b9f58738..51d24ee7 100644
--- a/data/conf/nginx/templates/sites.template.sh
+++ b/data/conf/nginx/templates/sites.template.sh
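Review bot: listen_plain.template carries no `default_server`, yet in the first sites.template.sh hunk it (together with listen_ssl.template) replaces the four `listen … default_server;` lines of the default vhost, so the generated config no longer declares an explicit default server on ${HTTP_PORT} and ${HTTPS_PORT}. nginx then uses the first server block loaded for that address:port as the default, so requests with an unknown Host header or an absent/unmatched SNI name land in whichever vhost happens to sort first under conf.d — possibly a per-certificate vhost or one of the custom sites this commit is meant to tolerate — and are answered with that block's certificate. Because the same include is reused in every per-certificate vhost (second sites.template.sh hunk), `default_server` cannot simply be added to this template without nginx rejecting the config for duplicate default servers. Keep the four removed `listen … default_server;` lines in the default block, or give the default block its own pair of listen templates that the per-certificate vhosts do not include.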
@@ -1,15 +1,13 @@
 echo '
 server {
 listen 127.0.0.1:65510;
- listen '${HTTP_PORT}' default_server;
- listen [::]:'${HTTP_PORT}' default_server;
- listen '${HTTPS_PORT}' ssl http2 default_server;
- listen [::]:'${HTTPS_PORT}' ssl http2 default_server;
+ include /etc/nginx/conf.d/listen_plain.active;
+ include /etc/nginx/conf.d/listen_ssl.active;
 ssl_certificate /etc/ssl/mail/cert.pem;
 ssl_certificate_key /etc/ssl/mail/key.pem;
- server_name '${MAILCOW_HOSTNAME}' autodiscover.* autoconfig.*;
+ include /etc/nginx/conf.d/server_name.active;
 include /etc/nginx/conf.d/includes/site-defaults.conf;
 }
@@ -18,15 +16,15 @@ for cert_dir in /etc/ssl/mail/*/ ; do
 if [[ ! -f ${cert_dir}domains ]] || [[ ! -f ${cert_dir}cert.pem ]] || [[ ! -f ${cert_dir}key.pem ]]; then
 continue
 fi
- # remove hostname to not cause nginx warnings (hostname is covered in default server listen)
- domains="$(cat ${cert_dir}domains | sed -e "s/\(^\| \)\($(echo ${MAILCOW_HOSTNAME} | sed 's/\./\\./g')\)\( \|$\)/ /g" | sed -e 's/^[[:space:]]*//')"
- if [[ "${domains}" == "" ]]; then
+ # do not create vhost for default-certificate. the cert is already in the default server listen
+ domains="$(cat ${cert_dir}domains | sed -e 's/^[[:space:]]*//')"
+ if [[ "${domains}" == "" ]] || [[ "${domains}" == "${MAILCOW_HOSTNAME}"* ]]; then
 continue
 fi
 echo -n '
 server {
- listen '${HTTPS_PORT}' ssl http2;
- listen [::]:'${HTTPS_PORT}' ssl http2;
+ include /etc/nginx/conf.d/listen_plain.active;
+ include /etc/nginx/conf.d/listen_ssl.active;
 ssl_certificate '${cert_dir}'cert.pem;
 ssl_certificate_key '${cert_dir}'key.pem;
diff --git a/docker-compose.yml b/docker-compose.yml
index 41e6a514..b135646d 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
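Review bot: The new `[[ "${domains}" == "${MAILCOW_HOSTNAME}"* ]]` in the second hunk is a prefix match, so a certificate directory whose domains file merely starts with a longer name (for instance hostname `mail.example.org` against a domains file beginning `mail.example.org.uk`, constructed values) is skipped silently and gets no vhost; the `case` arm `"${MAILCOW_HOSTNAME}"*) continue;;` in the second patch keeps the same behaviour, so the fix belongs there. Matching the hostname only as the whole first word, `"${MAILCOW_HOSTNAME}"|"${MAILCOW_HOSTNAME} "*) continue;;`, skips just the default-certificate directory the comment describes. The same added `domains=` line expands `${cert_dir}domains` unquoted inside `cat`; `domains="$(sed -e 's/^[[:space:]]*//' "${cert_dir}domains")"` quotes the path and drops the extra process. The enclosing `for cert_dir` loop starts before and ends after this hunk.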
@@ -275,7 +275,10 @@ services:
 image: nginx:mainline-alpine
 dns:
 - ${IPV4_NETWORK:-172.22.1}.254
- command: /bin/sh -c "envsubst < /etc/nginx/conf.d/templates/sogo.template > /etc/nginx/conf.d/sogo.active &&
+ command: /bin/sh -c "envsubst < /etc/nginx/conf.d/templates/listen_plain.template > /etc/nginx/conf.d/listen_plain.active &&
envsubst < /etc/nginx/conf.d/templates/listen_ssl.template > /etc/nginx/conf.d/listen_ssl.active &&
envsubst < /etc/nginx/conf.d/templates/server_name.template > /etc/nginx/conf.d/server_name.active &&
envsubst < /etc/nginx/conf.d/templates/sogo.template > /etc/nginx/conf.d/sogo.active &&
 envsubst < /etc/nginx/conf.d/templates/sogo_eas.template > /etc/nginx/conf.d/sogo_eas.active &&
 . /etc/nginx/conf.d/templates/sogo.auth_request.template.sh > /etc/nginx/conf.d/sogo_proxy_auth.active &&
 . /etc/nginx/conf.d/templates/sites.template.sh > /etc/nginx/conf.d/sites.active &&
From 05e7c958297600b7877344592e88827b1b837452 Mon Sep 17 00:00:00 2001
From: Marcel Hofer
Date: Sun, 20 Oct 2019 17:02:54 +0200
Subject: [PATCH 2/2] [SSL] fix wildcard compare for non-bash shell
---
 data/conf/nginx/templates/sites.template.sh | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/data/conf/nginx/templates/sites.template.sh b/data/conf/nginx/templates/sites.template.sh
index 51d24ee7..b2ca6f81 100644
--- a/data/conf/nginx/templates/sites.template.sh
+++ b/data/conf/nginx/templates/sites.template.sh
@@ -18,9 +18,10 @@ for cert_dir in /etc/ssl/mail/*/ ; do
 fi
 # do not create vhost for default-certificate. the cert is already in the default server listen
 domains="$(cat ${cert_dir}domains | sed -e 's/^[[:space:]]*//')"
- if [[ "${domains}" == "" ]] || [[ "${domains}" == "${MAILCOW_HOSTNAME}"* ]]; then
- continue
- fi
+ case "${domains}" in
+ "") continue;;
+ "${MAILCOW_HOSTNAME}"*) continue;;
+ esac
 echo -n '
 server {
 include /etc/nginx/conf.d/listen_plain.active;
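Review bot: The `case` replaces the `[[ … == pattern ]]` test because, per the patch title, the shell sourcing this script is not bash, but the guard just above this hunk, `if [[ ! -f ${cert_dir}domains ]] || …; then` (visible as context in the first patch), still relies on `[[`; if the image's `/bin/sh` lacks `[[` altogether rather than only its pattern matching, that guard fails the same way, and `[ ! -f "${cert_dir}domains" ] || [ ! -f "${cert_dir}cert.pem" ] || [ ! -f "${cert_dir}key.pem" ]` is the portable form. Whether that shell accepts `[[` at all cannot be told from the diff, so this is worth confirming against the `nginx:mainline-alpine` image before relying on the guard. The enclosing `for cert_dir` loop starts and ends outside the hunk.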