mailinabox/conf/nginx.conf

# The HTTP (not SSL) server.

server {
	listen 80;
	listen [::]:80 default_server ipv6only=on;

	server_name $PUBLIC_HOSTNAME;

	# We'll expose this directory publicly over http.
	root $STORAGE_ROOT/www/static;

	index index.html index.htm;
	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
		try_files $uri $uri/ /index.html;
	}
	
	# Convenience redirect to https.
	rewrite ^/mail(/.*)?$ https://$PUBLIC_HOSTNAME/mail$1 permanent;
}

# The secure HTTPS server.

server {
	listen 443 ssl;

	server_name $PUBLIC_HOSTNAME;

	ssl_certificate $STORAGE_ROOT/ssl/ssl_certificate.pem;
	ssl_certificate_key $STORAGE_ROOT/ssl/ssl_private_key.pem;

	# SSL configuration by @konklone at https://gist.github.com/konklone/6532544
	# 1) prefer certain ciphersuites, to enforce Perfect Forward Secrecy and avoid known vulnerabilities. http://ggramaize.wordpress.com/2013/08/02/tls-perfect-forward-secrecy-support-with-apache/ and https://www.ssllabs.com/ssltest/analyze.html
	ssl_prefer_server_ciphers on;
	ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA;
	# 2) turn on session resumption, using a 10 min cache shared across nginx processes, as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html
	ssl_session_cache   shared:SSL:10m;
	ssl_session_timeout 10m;
	keepalive_timeout   70;	

	# We'll expose the same static directory under https.
	root $STORAGE_ROOT/www/static;

	index index.html index.htm;

	# Roundcube Webmail configuration.
	rewrite ^/mail$ /mail/ redirect;
	rewrite ^/mail/$ /mail/index.php;
	location /mail/ {
		index index.php;
		alias /var/lib/roundcube/;
	}
	location ~ /mail/.*\.php {
		include fastcgi_params;
		fastcgi_split_path_info ^/mail(/.*)()$;
		fastcgi_index index.php;
		fastcgi_param SCRIPT_FILENAME /var/lib/roundcube/$fastcgi_script_name;
		fastcgi_pass unix:/tmp/php-fastcgi.www-data.sock;
		client_max_body_size 20M;
	}

}
web and roundcube webmail 2013-09-07 20:53:25 +00:00			`# The HTTP (not SSL) server.`

preliminary script for nginx 2013-09-01 14:24:49 +00:00			`server {`
			`listen 80;`
			`listen [::]:80 default_server ipv6only=on;`

			`server_name $PUBLIC_HOSTNAME;`

web and roundcube webmail 2013-09-07 20:53:25 +00:00			`# We'll expose this directory publicly over http.`
preliminary script for nginx 2013-09-01 14:24:49 +00:00			`root $STORAGE_ROOT/www/static;`

			`index index.html index.htm;`
			`location / {`
			`# First attempt to serve request as file, then`
			`# as directory, then fall back to displaying a 404.`
			`try_files $uri $uri/ /index.html;`
			`}`
web and roundcube webmail 2013-09-07 20:53:25 +00:00
			`# Convenience redirect to https.`
			`rewrite ^/mail(/.*)?$ https://$PUBLIC_HOSTNAME/mail$1 permanent;`
			`}`

			`# The secure HTTPS server.`

			`server {`
			`listen 443 ssl;`
preliminary script for nginx 2013-09-01 14:24:49 +00:00
web and roundcube webmail 2013-09-07 20:53:25 +00:00			`server_name $PUBLIC_HOSTNAME;`

			`ssl_certificate $STORAGE_ROOT/ssl/ssl_certificate.pem;`
			`ssl_certificate_key $STORAGE_ROOT/ssl/ssl_private_key.pem;`

apply @konklone's nginx https: recommendations from https://gist.github.com/konklone/6532544 2013-09-14 14:11:47 +00:00			`# SSL configuration by @konklone at https://gist.github.com/konklone/6532544`
			`# 1) prefer certain ciphersuites, to enforce Perfect Forward Secrecy and avoid known vulnerabilities. http://ggramaize.wordpress.com/2013/08/02/tls-perfect-forward-secrecy-support-with-apache/ and https://www.ssllabs.com/ssltest/analyze.html`
			`ssl_prefer_server_ciphers on;`
			`ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA;`
			`# 2) turn on session resumption, using a 10 min cache shared across nginx processes, as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html`
			`ssl_session_cache shared:SSL:10m;`
			`ssl_session_timeout 10m;`
			`keepalive_timeout 70;`

web and roundcube webmail 2013-09-07 20:53:25 +00:00			`# We'll expose the same static directory under https.`
			`root $STORAGE_ROOT/www/static;`

			`index index.html index.htm;`

			`# Roundcube Webmail configuration.`
			`rewrite ^/mail$ /mail/ redirect;`
			`rewrite ^/mail/$ /mail/index.php;`
			`location /mail/ {`
			`index index.php;`
			`alias /var/lib/roundcube/;`
			`}`
			`location ~ /mail/.*\.php {`
			`include fastcgi_params;`
			`fastcgi_split_path_info ^/mail(/.*)()$;`
			`fastcgi_index index.php;`
			`fastcgi_param SCRIPT_FILENAME /var/lib/roundcube/$fastcgi_script_name;`
			`fastcgi_pass unix:/tmp/php-fastcgi.www-data.sock;`
			`client_max_body_size 20M;`
			`}`
preliminary script for nginx 2013-09-01 14:24:49 +00:00
			`}`