diff --git a/nginx/mailcow.conf b/nginx/mailcow.conf index 8ac5bfa..5d15b39 100644 --- a/nginx/mailcow.conf +++ b/nginx/mailcow.conf @@ -1,23 +1,33 @@ server { listen 443 ssl http2; listen [::]:443 ssl http2; - server_name email.* autodiscover.* autoconfig.*; + server_name email.* autodiscover.* autoconfig.* im.* conference.im.* proxy.im.* pubsub.im.* upload.im.*; ssl_certificate /opt/mailcow-dockerized/data/assets/ssl/cert.pem; ssl_certificate_key /opt/mailcow-dockerized/data/assets/ssl/key.pem; ssl_dhparam /opt/mailcow-dockerized/data/assets/ssl/dhparams.pem; include /etc/nginx/snippets/ssl.conf; - ssl_trusted_certificate /opt/mailcow-dockerized/data/assets/ssl/chain.pem; + + ssl_trusted_certificate /opt/mailcow-dockerized/data/assets/ssl/cert.pem; include /etc/nginx/snippets/mailcow-headers.conf; include /etc/nginx/snippets/letsencrypt.conf; + error_page 404 /index.html; + + if ($http_referer ~ "semalt\.com|badsite\.net|youtube\.com|leakix\.net|example\.com|httpbin\.org") { + return 404; + } + location /Microsoft-Server-ActiveSync { proxy_pass http://127.0.0.1:8080/Microsoft-Server-ActiveSync; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_cache_bypass $http_upgrade; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_connect_timeout 75; proxy_send_timeout 3650; @@ -29,30 +39,41 @@ server { location / { proxy_pass http://127.0.0.1:8080/; - proxy_set_header Host $http_host; + proxy_cache_bypass $http_upgrade; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; client_max_body_size 0; } - + location /minio/ { - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_cache_bypass $http_upgrade; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; proxy_connect_timeout 300; proxy_http_version 1.1; proxy_set_header Connection ""; chunked_transfer_encoding off; proxy_pass http://localhost:9443; + add_header Strict-Transport-Security "max-age=31536000"; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; } } server { listen 443 ssl http2; listen [::]:443 ssl http2; - server_name webmail.thelyoncompany.com; + server_name webmail.*; ssl_certificate /opt/mailcow-dockerized/data/assets/ssl/cert.pem; ssl_certificate_key /opt/mailcow-dockerized/data/assets/ssl/key.pem; @@ -60,12 +81,11 @@ server { include /etc/nginx/snippets/ssl.conf; ssl_trusted_certificate /opt/mailcow-dockerized/data/assets/ssl/cert.pem; - - include /etc/nginx/snippets/letsencrypt.conf; - if ($http_referer ~ "semalt\.com|badsite\.net|example\.com") { - return 444; - } + add_header Strict-Transport-Security "max-age=16070400; includeSubDomains" always; + add_header Content-Security-Policy "upgrade-inecure-requests"; + + include /etc/nginx/snippets/letsencrypt.conf; location / { return 301 https://email.thelyoncompany.com/SOGo; @@ -73,6 +93,5 @@ server { add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; add_header Referrer-Policy "no-referrer-when-downgrade"; - add_header Content-Security-Policy "upgrade-insecure-requests"; } }