Remove autoconfig from HTTPS configs

André 2018-10-16 12:09:35 +02:00
Ursprung 376f9361a1
Commit 751650b51c
2 geänderte Dateien mit 68 neuen und 23 gelöschten Zeilen


@ -31,33 +31,43 @@ Required modules:
``` ```
a2enmod rewrite proxy proxy_http headers ssl a2enmod rewrite proxy proxy_http headers ssl
``` ```
We rewrite to HTTPS, but keep requests to autoconfig.* on a plain session.
``` apache Let's Encrypt will follow our rewrite, certificate requests will work fine.
**Take care of highlighted lines.**
``` apache hl_lines="2 12 13 19 23 24 29 30"
<VirtualHost *:80> <VirtualHost *:80>
ServerName CHANGE_TO_MAILCOW_HOSTNAME ServerName CHANGE_TO_MAILCOW_HOSTNAME
ServerAlias autodiscover.* ServerAlias autodiscover.*
ServerAlias autoconfig.* ServerAlias autoconfig.*
RewriteEngine on RewriteEngine on
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
RewriteCond %{HTTP_HOST} ^autoconfig\. [NC]
RewriteRule ^ - [S=1]
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI}# [L,NE,R=permanent]
RewriteRule ^ /autoconfig.php [PT]
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
ProxyPreserveHost On
ProxyAddHeaders On
RequestHeader set X-Forwarded-Proto "http"
</VirtualHost> </VirtualHost>
<VirtualHost *:443> <VirtualHost *:443>
ServerName CHANGE_TO_MAILCOW_HOSTNAME ServerName CHANGE_TO_MAILCOW_HOSTNAME
ServerAlias autodiscover.* ServerAlias autodiscover.*
ServerAlias autoconfig.*
# You should proxy to a plain HTTP session to offload SSL processing # You should proxy to a plain HTTP session to offload SSL processing
ProxyPass / http://127.0.0.1:8080/ ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/ ProxyPassReverse / http://127.0.0.1:8080/
ProxyPreserveHost On ProxyPreserveHost On
ProxyAddHeaders On ProxyAddHeaders On
# This header does not need to be set when using http
RequestHeader set X-Forwarded-Proto "https" RequestHeader set X-Forwarded-Proto "https"
# Change the pathes if necessary! SSLCertificateFile MAILCOW_PATH/data/assets/ssl/cert.pem
SSLCertificateFile /opt/mailcow-dockerized/data/assets/ssl/cert.pem SSLCertificateKeyFile MAILCOW_PATH/data/assets/ssl/key.pem
SSLCertificateKeyFile /opt/mailcow-dockerized/data/assets/ssl/key.pem
# If you plan to proxy to a HTTPS host: # If you plan to proxy to a HTTPS host:
#SSLProxyEngine On #SSLProxyEngine On
@ -71,25 +81,24 @@ a2enmod rewrite proxy proxy_http headers ssl
``` ```
### Nginx ### Nginx
``` In our Nginx reverse proxy template, we rewrite all requests to HTTPS, while keeping autoconfig.* domains on a plain session.
Let's Encrypt will follow our rewrite, certificate requests will work fine.
**Take care of highlighted lines.**
``` hl_lines="4 13 23 26 27"
server { server {
listen 80 default_server; listen 80 default_server;
listen [::]:80 default_server; listen [::]:80 default_server;
server_name CHANGE_TO_MAILCOW_HOSTNAME autodiscover.* autoconfig.*; server_name CHANGE_TO_MAILCOW_HOSTNAME autodiscover.*;
return 301 https://$host$request_uri; return 301 https://$host$request_uri;
} }
server { server {
listen 443; listen 80;
server_name CHANGE_TO_MAILCOW_HOSTNAME autodiscover.* autoconfig.*; listen [::]:80;
server_name autoconfig.*;
ssl on; rewrite ^/(.*)$ /autoconfig.php last;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
# Change the pathes if necessary!
ssl_certificate /opt/mailcow-dockerized/data/assets/ssl/cert.pem;
ssl_certificate_key /opt/mailcow-dockerized/data/assets/ssl/key.pem;
location / { location / {
proxy_pass http://127.0.0.1:8080/; proxy_pass http://127.0.0.1:8080/;
proxy_set_header Host $http_host; proxy_set_header Host $http_host;
@ -99,6 +108,25 @@ server {
client_max_body_size 0; client_max_body_size 0;
} }
} }
server {
listen 443;
server_name CHANGE_TO_MAILCOW_HOSTNAME autodiscover.* autoconfig.*;
ssl on;
ssl_certificate MAILCOW_PATH/data/assets/ssl/cert.pem;
ssl_certificate_key MAILCOW_PATH/data/assets/ssl/key.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
location / {
proxy_pass http://127.0.0.1:8080/;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
client_max_body_size 0;
}
}
``` ```
### HAProxy ### HAProxy
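Review bot: The HTTPS `server { listen 443; ... }` block added at the end of the Nginx template still enables `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` and still uses `ssl on;`; the commit relocates these lines without tightening them. Since the block is being rewritten anyway, I would restrict it to `ssl_protocols TLSv1.2;` and add `ssl_prefer_server_ciphers on;` unless legacy clients must be supported, and replace `ssl on;` with `listen 443 ssl;`, as `ssl on` is deprecated in current nginx releases. The template deliberately keeps autoconfig.* on plain HTTP, but the prose only says so without saying why; a sentence such as "autoconfig.* stays on HTTP because autoconfig clients request the XML over http:// and do not follow a redirect to HTTPS; the response on that hop is therefore unauthenticated, so do not extend this exemption to autodiscover.* or the main hostname" would keep readers from widening it. The Apache section has the same intent, but no SSLProtocol directive is visible there, so I cannot tell whether it needs the same tightening.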


@ -1,10 +1,27 @@
Since February the 28th 2017 mailcow does come with port 80 and 443 enabled. Since February the 28th 2017 mailcow does come with port 80 and 443 enabled.
**Do not use the config below for reverse proxy setups**, please see our reverse proxy guide for this, which includes a redirect from HTTP to HTTPS.
Open `mailcow.conf` and set `HTTP_BIND=0.0.0.0` - if not already set. Open `mailcow.conf` and set `HTTP_BIND=0.0.0.0` - if not already set.
Open `data/conf/nginx/site.conf` and add a new site at the top of that file: Now we need to redirect all requests other than autoconfig.* to HTTPS. You do not need to change anything in the template below.
Open `data/conf/nginx/site.conf` and add two new server configs at the top of that file:
``` ```
server {
listen 80;
listen [::]:80;
server_name autoconfig.*;
root /web;
location / {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass phpfpm:9002;
include /etc/nginx/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root/autoconfig.php;
try_files /autoconfig.php =404;
}
}
server { server {
listen 80 default_server; listen 80 default_server;
listen [::]:80 default_server; listen [::]:80 default_server;