From 4b7f6e20da09bb20716fa8be69915d36b0e4ecf0 Mon Sep 17 00:00:00 2001 From: David Duque Date: Sun, 27 Sep 2020 02:01:17 +0100 Subject: [PATCH] Update nginx files to discard non-essential locations for non-primary domains --- conf/nginx-alldomains.conf | 31 +------------------------------ conf/nginx-primaryonly.conf | 4 ++-- management/web_update.py | 15 ++++++++++++--- 3 files changed, 15 insertions(+), 35 deletions(-) diff --git a/conf/nginx-alldomains.conf b/conf/nginx-alldomains.conf index 4c81e3f3..8466efd8 100644 --- a/conf/nginx-alldomains.conf +++ b/conf/nginx-alldomains.conf @@ -1,6 +1,4 @@ - # Expose this directory as static files. - root $ROOT; - index index.html index.htm; + # ADDITIONAL DIRECTIVES HERE location = /robots.txt { log_not_found off; @@ -25,30 +23,6 @@ alias /var/lib/mailinabox/mta-sts.txt; } - # Roundcube Webmail configuration. - rewrite ^/mail$ /mail/ redirect; - rewrite ^/mail/$ /mail/index.php; - location /mail/ { - index index.php; - alias /usr/local/lib/roundcubemail/; - } - location ~ /mail/config/.* { - # A ~-style location is needed to give this precedence over the next block. - return 403; - } - location ~ /mail/.*\.php { - # note: ~ has precendence over a regular location block - include fastcgi_params; - fastcgi_split_path_info ^/mail(/.*)()$; - fastcgi_index index.php; - fastcgi_param SCRIPT_FILENAME /usr/local/lib/roundcubemail/$fastcgi_script_name; - fastcgi_pass php-fpm; - - # Outgoing mail also goes through this endpoint, so increase the maximum - # file upload limit to match the corresponding Postfix limit. - client_max_body_size 128M; - } - # Z-Push (Microsoft Exchange ActiveSync) location /Microsoft-Server-ActiveSync { include /etc/nginx/fastcgi_params; 
@@ -68,9 +42,6 @@ fastcgi_pass php-fpm; } - - # ADDITIONAL DIRECTIVES HERE - # Disable viewing dotfiles (.htaccess, .svn, .git, etc.) # This block is placed at the end. Nginx's precedence rules means this block # takes precedence over all non-regex matches and only regex matches that diff --git a/conf/nginx-primaryonly.conf b/conf/nginx-primaryonly.conf index 31bf0095..7c9bb7b7 100644 --- a/conf/nginx-primaryonly.conf +++ b/conf/nginx-primaryonly.conf @@ -1,3 +1,5 @@ + # ADDITIONAL DIRECTIVES HERE + # Control Panel # Proxy /admin to our Python based control panel daemon. It is # listening on IPv4 only so use an IP address and not 'localhost'. @@ -72,5 +74,3 @@ rewrite ^/.well-known/host-meta.json /cloud/public.php?service=host-meta-json last; rewrite ^/.well-known/carddav /cloud/remote.php/carddav/ redirect; rewrite ^/.well-known/caldav /cloud/remote.php/caldav/ redirect; - - # ADDITIONAL DIRECTIVES HERE diff --git a/management/web_update.py b/management/web_update.py index d8844f3c..c400e9b0 100644 --- a/management/web_update.py +++ b/management/web_update.py @@ -195,8 +195,18 @@ def make_domain_config(domain, templates, ssl_certificates, env): # Add in any user customizations in the includes/ folder. nginx_conf_custom_include = os.path.join(env["STORAGE_ROOT"], "www", safe_domain_name(domain) + ".conf") - if os.path.exists(nginx_conf_custom_include): - nginx_conf_extra += "\tinclude %s;\n" % (nginx_conf_custom_include) + if not os.path.exists(nginx_conf_custom_include): + with open(nginx_conf_custom_include, "a+") as f: + f.writelines([ + f"# Custom configurations for {domain} go here", + "# To use php: use the \"php-fpm\" alias", + "" + f"root {root};", + "index index.html index.htm;" + ]) + + nginx_conf_extra += "\tinclude %s;\n" % (nginx_conf_custom_include) + # PUT IT ALL TOGETHER # Combine the pieces. Iteratively place each template into the "# ADDITIONAL DIRECTIVES HERE" placeholder 
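Review bot: `f.writelines([...])` in the new `if not os.path.exists(nginx_conf_custom_include):` branch adds no line separators, and the `""` entry has no comma after it, so the generated per-domain include file ends up as one line beginning with `#` and nginx reads the `root` and `index` directives as part of that comment. Because this commit also drops `root $ROOT;` from `conf/nginx-alldomains.conf` and the `$ROOT` substitution in the later `web_update.py` hunk, the server block would then have no explicit document root and would fall back to nginx's built-in default. Writing the text with `f.write("\n".join([` … `]) + "\n")` and adding the comma after `""` gives one directive per line. A custom include that already exists is never rewritten, so existing installs appear to lose `root`/`index` as well; emitting those two directives into `nginx_conf_extra` instead of the user-editable file would avoid that. `make_domain_config` starts and ends outside the hunk, so how `root` is computed is not visible here.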
@@ -208,7 +218,6 @@ def make_domain_config(domain, templates, ssl_certificates, env): # Replace substitution strings in the template & return. nginx_conf = nginx_conf.replace("$STORAGE_ROOT", env['STORAGE_ROOT']) nginx_conf = nginx_conf.replace("$HOSTNAME", domain) - nginx_conf = nginx_conf.replace("$ROOT", root) nginx_conf = nginx_conf.replace("$SSL_KEY", tls_cert["private-key"]) nginx_conf = nginx_conf.replace("$SSL_CERTIFICATE", tls_cert["certificate"]) nginx_conf = nginx_conf.replace("$REDIRECT_DOMAIN", re.sub(r"^www\.", "", domain)) # for default www redirects to parent domain