mirror of
https://github.com/mail-in-a-box/mailinabox.git
synced 2024-11-25 02:47:04 +00:00
d96613b8fe
@joshdata squashed pull request #1398, removed some comments, and added these notes: * The old init.d script for the management daemon is replaced with a systemd service. * A systemd service configuration is added to configure permissions for munin on startup. * nginx SSL settings are updated because nginx's options and defaults have changed, and we now enable http2. * Automatic SSHFP record generation is updated to know that 22 is the default SSH daemon port, since it is no longer explicit in sshd_config. * The dovecot-lucene package is dropped because the Mail-in-a-Box PPA where we built the package has not been updated for Ubuntu 18.04. * The stock postgrey package is installed instead of the one from our PPA (which we no longer support), which loses the automatic whitelisting of DNSWL.org-whitelisted senders. * Drop memcached and the status check for memcached, which we used to use with ownCloud long ago but are no longer installing. * Other minor changes.
48 lines
1.3 KiB
Nginx Configuration File
48 lines
1.3 KiB
Nginx Configuration File
## $HOSTNAME
|
|
|
|
# Redirect all HTTP to HTTPS *except* the ACME challenges (Let's Encrypt TLS certificate
|
|
# domain validation challenges) path, which must be served over HTTP per the ACME spec
|
|
# (due to some Apache vulnerability).
|
|
server {
|
|
listen 80;
|
|
listen [::]:80;
|
|
|
|
server_name $HOSTNAME;
|
|
root /tmp/invalid-path-nothing-here;
|
|
|
|
# Improve privacy: Hide version an OS information on
|
|
# error pages and in the "Server" HTTP-Header.
|
|
server_tokens off;
|
|
|
|
location / {
|
|
# Redirect using the 'return' directive and the built-in
|
|
# variable '$request_uri' to avoid any capturing, matching
|
|
# or evaluation of regular expressions.
|
|
return 301 https://$HOSTNAME$request_uri;
|
|
}
|
|
|
|
location /.well-known/acme-challenge/ {
|
|
# This path must be served over HTTP for ACME domain validation.
|
|
# We map this to a special path where our TLS cert provisioning
|
|
# tool knows to store challenge response files.
|
|
alias $STORAGE_ROOT/ssl/lets_encrypt/webroot/.well-known/acme-challenge/;
|
|
}
|
|
}
|
|
|
|
# The secure HTTPS server.
|
|
server {
|
|
listen 443 ssl http2;
|
|
listen [::]:443 ssl http2;
|
|
|
|
server_name $HOSTNAME;
|
|
|
|
# Improve privacy: Hide version an OS information on
|
|
# error pages and in the "Server" HTTP-Header.
|
|
server_tokens off;
|
|
|
|
ssl_certificate $SSL_CERTIFICATE;
|
|
ssl_certificate_key $SSL_KEY;
|
|
|
|
# ADDITIONAL DIRECTIVES HERE
|
|
}
|