server_tokens off; proxy_cache_path /tmp levels=1:2 keys_zone=sogo:10m inactive=24h max_size=1g; server_names_hash_bucket_size 64; map $http_x_forwarded_proto $client_req_scheme { default $scheme; https https; } server { include /etc/nginx/mime.types; charset utf-8; override_charset on; ssl_certificate /etc/ssl/mail/cert.pem; ssl_certificate_key /etc/ssl/mail/key.pem; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:50m; ssl_session_timeout 1d; ssl_session_tickets off; add_header Strict-Transport-Security "max-age=15768000;"; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; add_header X-Robots-Tag none; add_header X-Download-Options noopen; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Permitted-Cross-Domain-Policies none; add_header Referrer-Policy strict-origin; index index.php index.html; client_max_body_size 0; listen 127.0.0.1:65510; include /etc/nginx/conf.d/listen_plain.active; include /etc/nginx/conf.d/listen_ssl.active; include /etc/nginx/conf.d/server_name.active; gzip on; gzip_disable "msie6"; gzip_vary on; gzip_proxied off; gzip_comp_level 6; gzip_buffers 16 8k; gzip_http_version 1.1; gzip_min_length 256; gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/svg+xml image/x-icon; location ~ ^/(fonts|js|css|img)/ { expires max; add_header Cache-Control public; } error_log /var/log/nginx/error.log; access_log /var/log/nginx/access.log; absolute_redirect off; root /web; location / { try_files $uri $uri/ @strip-ext; } location /qhandler { rewrite ^/qhandler/(.*)/(.*) /qhandler.php?action=$1&hash=$2; } location /edit { rewrite ^/edit/(.*)/(.*) /edit.php?$1=$2; } location @strip-ext { rewrite ^(.*)$ $1.php last; } location /api { try_files /_apidocs.html =404; } location ~ ^/api/v1/(.*)$ { try_files $uri $uri/ /json_api.php?query=$1; } location ^~ /.well-known/acme-challenge/ { allow all; default_type "text/plain"; } # If behind reverse proxy, forwards the correct IP set_real_ip_from 10.0.0.0/8; set_real_ip_from 172.16.0.0/12; set_real_ip_from 192.168.0.0/16; set_real_ip_from fc00::/7; real_ip_header X-Forwarded-For; real_ip_recursive on; rewrite ^/.well-known/caldav$ /SOGo/dav/ permanent; rewrite ^/.well-known/carddav$ /SOGo/dav/ permanent; location ^~ /principals { return 301 /SOGo/dav; } location ~ \.php$ { try_files $uri =404; fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass phpfpm:9002; fastcgi_index index.php; include /etc/nginx/fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_read_timeout 1200; } location /rspamd/ { proxy_pass http://rspamd:11334/; proxy_set_header Host $http_host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Real-IP $remote_addr; proxy_redirect off; } location ~* ^/Autodiscover/Autodiscover.xml { fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass phpfpm:9002; include /etc/nginx/fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; try_files /autodiscover.php =404; } location ~* ^/Autodiscover/Autodiscover.json { fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass phpfpm:9002; include /etc/nginx/fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; try_files /autodiscover-json.php =404; } location ~ /(?:m|M)ail/(?:c|C)onfig-v1.1.xml { fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass phpfpm:9002; include /etc/nginx/fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; try_files /autoconfig.php =404; } # auth_request endpoint if ALLOW_ADMIN_EMAIL_LOGIN is set location /sogo-auth-verify { internal; proxy_set_header X-Original-URI $request_uri; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $http_host; proxy_set_header Content-Length ""; proxy_pass http://127.0.0.1:65510/sogo-auth; proxy_pass_request_body off; } location ^~ /Microsoft-Server-ActiveSync { include /etc/nginx/conf.d/sogo_proxy_auth.active; include /etc/nginx/conf.d/sogo_eas.active; proxy_connect_timeout 4000; proxy_next_upstream timeout error; proxy_send_timeout 4000; proxy_read_timeout 4000; proxy_buffer_size 8k; proxy_buffers 16 64k; proxy_temp_file_write_size 64k; proxy_busy_buffers_size 64k; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; proxy_set_header x-webobjects-server-protocol HTTP/1.0; proxy_set_header x-webobjects-remote-host $remote_addr; proxy_set_header x-webobjects-server-name $server_name; proxy_set_header x-webobjects-server-url $client_req_scheme://$http_host; proxy_set_header x-webobjects-server-port $server_port; client_body_buffer_size 128k; client_max_body_size 0; } location ^~ /SOGo { include /etc/nginx/conf.d/sogo_proxy_auth.active; include /etc/nginx/conf.d/sogo.active; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; proxy_set_header x-webobjects-server-protocol HTTP/1.0; proxy_set_header x-webobjects-remote-host $remote_addr; proxy_set_header x-webobjects-server-name $server_name; proxy_set_header x-webobjects-server-url $client_req_scheme://$http_host; proxy_set_header x-webobjects-server-port $server_port; client_body_buffer_size 128k; client_max_body_size 0; break; } location /SOGo.woa/WebServerResources/ { alias /usr/lib/GNUstep/SOGo/WebServerResources/; } location /.woa/WebServerResources/ { alias /usr/lib/GNUstep/SOGo/WebServerResources/; } location /SOGo/WebServerResources/ { alias /usr/lib/GNUstep/SOGo/WebServerResources/; } location (^/SOGo/so/ControlPanel/Products/[^/]*UI/Resources/.*\.(jpg|png|gif|css|js)$) { alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2; } include /etc/nginx/conf.d/site.*.custom; error_page 502 @awaitingupstream; location @awaitingupstream { rewrite ^(.*)$ /_status.502.html break; } }