Prepare nginx as a unique frontend

2017-09-24 14:01:03 +02:00
parent 995147f444
commit 755d9f0520
4 changed files with 42 additions and 14 deletions
--- a/nginx/conf/nginx.conf
+++ b/nginx/conf/nginx.conf
@@ -1,6 +1,6 @@
 #  Basic configuration
 user nginx;
-worker_processes  1;
+worker_processes 4;
 error_log /dev/stderr info;
 pid /var/run/nginx.pid;
 load_module "modules/ngx_mail_module.so";
@@ -21,7 +21,26 @@ http {
    server {
      listen 80;

+      {% if TLS_FLAVOR != 'notls' %}
+      listen 443 ssl;
+
+      ssl_protocols TLSv1.1 TLSv1.2;
+      ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA';
+      ssl_prefer_server_ciphers on;
+      ssl_session_timeout 5m;
+      ssl_session_cache shared:SSL:50m;
+      ssl_certificate /certs/cert.pem;
+      ssl_certificate_key /certs/key.pem;
+
+      add_header Strict-Transport-Security max-age=15768000;
+
+      if ($scheme = http) {
+        return 301 https://$host$request_uri;
+      }
+      {% endif %}
+
      # Actual logic
+      {% if WEBMAIL != 'none' %}
      location / {
        return 301 $scheme://$host/webmail/;
      }
@@ -29,20 +48,25 @@ http {
      location /webmail {
        proxy_pass http://webmail;
      }
+      {% endif %}

+      {% if ADMIN == 'true' %}
      location /admin {
        proxy_pass http://admin;
      }
+      {% endif %}

+      {% if WEBDAV != 'none' %}
      location /webdav {
        proxy_pass http://webdav:5232;
      }
+      {% endif %}
    }
 }

 mail {
-    server_name test.mailu.io;
-    auth_http http://172.18.0.1:5000/nginx;
+    server_name {{ HOSTNAME }};
+    auth_http http://{{ ADMIN_ADDRESS }}/nginx;
    proxy_pass_error_message on;

    server {
@@ -56,6 +80,4 @@ mail {
      protocol imap;
      imap_auth plain;
    }
-
-    
 }