Remove autoconfig from HTTPS configs
Ursprung
376f9361a1
Commit
751650b51c
2 geänderte Dateien mit 68 neuen und 23 gelöschten Zeilen
|
@ -31,33 +31,43 @@ Required modules:
|
||||||
```
|
```
|
||||||
a2enmod rewrite proxy proxy_http headers ssl
|
a2enmod rewrite proxy proxy_http headers ssl
|
||||||
```
|
```
|
||||||
|
We rewrite to HTTPS, but keep requests to autoconfig.* on a plain session.
|
||||||
|
|
||||||
``` apache
|
Let's Encrypt will follow our rewrite, certificate requests will work fine.
|
||||||
|
|
||||||
|
**Take care of highlighted lines.**
|
||||||
|
|
||||||
|
``` apache hl_lines="2 12 13 19 23 24 29 30"
|
||||||
<VirtualHost *:80>
|
<VirtualHost *:80>
|
||||||
ServerName CHANGE_TO_MAILCOW_HOSTNAME
|
ServerName CHANGE_TO_MAILCOW_HOSTNAME
|
||||||
ServerAlias autodiscover.*
|
ServerAlias autodiscover.*
|
||||||
ServerAlias autoconfig.*
|
ServerAlias autoconfig.*
|
||||||
RewriteEngine on
|
RewriteEngine on
|
||||||
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
|
|
||||||
|
RewriteCond %{HTTP_HOST} ^autoconfig\. [NC]
|
||||||
|
RewriteRule ^ - [S=1]
|
||||||
|
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI}# [L,NE,R=permanent]
|
||||||
|
RewriteRule ^ /autoconfig.php [PT]
|
||||||
|
|
||||||
|
ProxyPass / http://127.0.0.1:8080/
|
||||||
|
ProxyPassReverse / http://127.0.0.1:8080/
|
||||||
|
ProxyPreserveHost On
|
||||||
|
ProxyAddHeaders On
|
||||||
|
RequestHeader set X-Forwarded-Proto "http"
|
||||||
</VirtualHost>
|
</VirtualHost>
|
||||||
<VirtualHost *:443>
|
<VirtualHost *:443>
|
||||||
ServerName CHANGE_TO_MAILCOW_HOSTNAME
|
ServerName CHANGE_TO_MAILCOW_HOSTNAME
|
||||||
ServerAlias autodiscover.*
|
ServerAlias autodiscover.*
|
||||||
ServerAlias autoconfig.*
|
|
||||||
|
|
||||||
# You should proxy to a plain HTTP session to offload SSL processing
|
# You should proxy to a plain HTTP session to offload SSL processing
|
||||||
ProxyPass / http://127.0.0.1:8080/
|
ProxyPass / http://127.0.0.1:8080/
|
||||||
ProxyPassReverse / http://127.0.0.1:8080/
|
ProxyPassReverse / http://127.0.0.1:8080/
|
||||||
|
|
||||||
ProxyPreserveHost On
|
ProxyPreserveHost On
|
||||||
ProxyAddHeaders On
|
ProxyAddHeaders On
|
||||||
|
|
||||||
# This header does not need to be set when using http
|
|
||||||
RequestHeader set X-Forwarded-Proto "https"
|
RequestHeader set X-Forwarded-Proto "https"
|
||||||
|
|
||||||
# Change the pathes if necessary!
|
SSLCertificateFile MAILCOW_PATH/data/assets/ssl/cert.pem
|
||||||
SSLCertificateFile /opt/mailcow-dockerized/data/assets/ssl/cert.pem
|
SSLCertificateKeyFile MAILCOW_PATH/data/assets/ssl/key.pem
|
||||||
SSLCertificateKeyFile /opt/mailcow-dockerized/data/assets/ssl/key.pem
|
|
||||||
|
|
||||||
# If you plan to proxy to a HTTPS host:
|
# If you plan to proxy to a HTTPS host:
|
||||||
#SSLProxyEngine On
|
#SSLProxyEngine On
|
||||||
|
@ -71,25 +81,43 @@ a2enmod rewrite proxy proxy_http headers ssl
|
||||||
```
|
```
|
||||||
|
|
||||||
### Nginx
|
### Nginx
|
||||||
```
|
In our Nginx reverse proxy template, we rewrite all requests to HTTPS, while keeping autoconfig.* domains on a plain session.
|
||||||
|
|
||||||
|
Let's Encrypt will follow our rewrite, certificate requests will work fine.
|
||||||
|
|
||||||
|
**Take care of highlighted lines.**
|
||||||
|
|
||||||
|
``` hl_lines="4 13 23 26 27"
|
||||||
server {
|
server {
|
||||||
listen 80 default_server;
|
listen 80 default_server;
|
||||||
listen [::]:80 default_server;
|
listen [::]:80 default_server;
|
||||||
server_name CHANGE_TO_MAILCOW_HOSTNAME autodiscover.* autoconfig.*;
|
server_name CHANGE_TO_MAILCOW_HOSTNAME autodiscover.*;
|
||||||
return 301 https://$host$request_uri;
|
return 301 https://$host$request_uri;
|
||||||
}
|
}
|
||||||
|
server {
|
||||||
|
listen 80;
|
||||||
|
listen [::]:80;
|
||||||
|
server_name autoconfig.*;
|
||||||
|
rewrite ^/(.*)$ /autoconfig.php last;
|
||||||
|
location / {
|
||||||
|
proxy_pass http://127.0.0.1:8080/;
|
||||||
|
proxy_set_header Host $http_host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
client_max_body_size 0;
|
||||||
|
}
|
||||||
|
}
|
||||||
server {
|
server {
|
||||||
listen 443;
|
listen 443;
|
||||||
server_name CHANGE_TO_MAILCOW_HOSTNAME autodiscover.* autoconfig.*;
|
server_name CHANGE_TO_MAILCOW_HOSTNAME autodiscover.* autoconfig.*;
|
||||||
|
|
||||||
ssl on;
|
ssl on;
|
||||||
|
ssl_certificate MAILCOW_PATH/data/assets/ssl/cert.pem;
|
||||||
|
ssl_certificate_key MAILCOW_PATH/data/assets/ssl/key.pem;
|
||||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||||
ssl_ciphers HIGH:!aNULL:!MD5;
|
ssl_ciphers HIGH:!aNULL:!MD5;
|
||||||
|
|
||||||
# Change the pathes if necessary!
|
|
||||||
ssl_certificate /opt/mailcow-dockerized/data/assets/ssl/cert.pem;
|
|
||||||
ssl_certificate_key /opt/mailcow-dockerized/data/assets/ssl/key.pem;
|
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
proxy_pass http://127.0.0.1:8080/;
|
proxy_pass http://127.0.0.1:8080/;
|
||||||
proxy_set_header Host $http_host;
|
proxy_set_header Host $http_host;
|
||||||
|
|
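Review bot: The templates keep autoconfig.* on plain HTTP without telling the reader what that costs: the answer from `/autoconfig.php` is what a mail client uses to set itself up, and over port 80 the client cannot verify that it was not altered in transit. This applies to the Apache `*:80` vhost, the new Nginx `server_name autoconfig.*;` block, and the matching block added to `data/conf/nginx/site.conf`. A sentence next to "keep requests to autoconfig.* on a plain session" would make the trade-off explicit, for example `autoconfig answers are served without TLS, so clients cannot authenticate them; keep this exception only if your clients need it`. The Nginx `listen 443` block also still lists `autoconfig.*` in `server_name` while the Apache `*:443` vhost drops `ServerAlias autoconfig.*`, so the two templates disagree with each other and with the commit title. In the Apache redirect, the target `https://%{SERVER_NAME}%{REQUEST_URI}#` ends in a literal `#` that looks unintended and is worth confirming.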
|
@ -1,10 +1,27 @@
|
||||||
Since February the 28th 2017 mailcow does come with port 80 and 443 enabled.
|
Since February the 28th 2017 mailcow does come with port 80 and 443 enabled.
|
||||||
|
|
||||||
|
**Do not use the config below for reverse proxy setups**, please see our reverse proxy guide for this, which includes a redirect from HTTP to HTTPS.
|
||||||
|
|
||||||
Open `mailcow.conf` and set `HTTP_BIND=0.0.0.0` - if not already set.
|
Open `mailcow.conf` and set `HTTP_BIND=0.0.0.0` - if not already set.
|
||||||
|
|
||||||
Open `data/conf/nginx/site.conf` and add a new site at the top of that file:
|
Now we need to redirect all requests other than autoconfig.* to HTTPS. You do not need to change anything in the template below.
|
||||||
|
|
||||||
|
Open `data/conf/nginx/site.conf` and add two new server configs at the top of that file:
|
||||||
|
|
||||||
```
|
```
|
||||||
|
server {
|
||||||
|
listen 80;
|
||||||
|
listen [::]:80;
|
||||||
|
server_name autoconfig.*;
|
||||||
|
root /web;
|
||||||
|
location / {
|
||||||
|
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||||
|
fastcgi_pass phpfpm:9002;
|
||||||
|
include /etc/nginx/fastcgi_params;
|
||||||
|
fastcgi_param SCRIPT_FILENAME $document_root/autoconfig.php;
|
||||||
|
try_files /autoconfig.php =404;
|
||||||
|
}
|
||||||
|
}
|
||||||
server {
|
server {
|
||||||
listen 80 default_server;
|
listen 80 default_server;
|
||||||
listen [::]:80 default_server;
|
listen [::]:80 default_server;
|
||||||
|
|