From b5cacbaf376a700c5ee15e8b4cdc4bd33c99c73f Mon Sep 17 00:00:00 2001
From: ArturMail <kusartur@gmail.com>
Date: Sat, 31 May 2025 18:20:08 +0000
Subject: [PATCH] nginx.conf

---
 mailu/nginx.conf | 212 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 212 insertions(+)
 create mode 100644 mailu/nginx.conf

diff --git a/mailu/nginx.conf b/mailu/nginx.conf
new file mode 100644
index 0000000..70ff276
--- /dev/null
+++ b/mailu/nginx.conf
@@ -0,0 +1,212 @@
+# Basic configuration
+user nginx;
+worker_processes auto;
+pcre_jit on;
+error_log /dev/stderr notice;
+pid /var/run/nginx.pid;
+load_module "modules/ngx_mail_module.so";
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    # Standard HTTP configuration with slight hardening
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+    sendfile on;
+    keepalive_timeout 65;
+    server_tokens off;
+    absolute_redirect off;
+    resolver 127.0.0.11 valid=30s;
+
+    
+
+    
+
+    # Header maps
+    map $http_x_forwarded_proto $proxy_x_forwarded_proto {
+      default $http_x_forwarded_proto;
+      ''      $scheme;
+    }
+    map $uri $expires {
+      default off;
+      ~*\.(ico|css|js|gif|jpeg|jpg|png|woff2?|ttf|otf|svg|tiff|eot|webp)$ 97d;
+    }
+
+    map $request_uri $loggable {
+      /health 0;
+      /auth/email 0;
+      default 1;
+    }
+    access_log /dev/stdout combined if=$loggable;
+
+    # compression
+    gzip on;
+    gzip_static on;
+    gzip_types text/plain text/css application/xml application/javascript
+    gzip_min_length 1024;
+    # TODO: figure out how to server pre-compressed assets from admin container
+
+    
+    # Enable the proxy for certbot if the flavor is letsencrypt and not on kubernetes
+    #
+    server {
+      # Listen over HTTP
+      listen 80;
+
+      
+      location ^~ /.well-known/acme-challenge/testing {
+          return 204;
+      }
+      location ^~ /.well-known/acme-challenge/ {
+          proxy_pass http://127.0.0.1:8008;
+      }
+      
+      # redirect to https
+      location / {
+        return 301 https://$host$request_uri;
+      }
+
+      location /health {
+        return 204;
+      }
+    }
+    
+
+    # Main HTTP server
+    server {
+      # Favicon stuff
+      root /static;
+      # Variables for proxifying
+      set $admin admin:8080;
+      set $antispam antispam:11334;
+      
+      set $webmail webmail;
+      
+      
+      set $webdav webdav:5232;
+      
+      client_max_body_size 60817408;
+      http2 on;
+
+      # Listen on HTTP only in kubernetes or behind reverse proxy
+      
+
+      # Only enable HTTPS if TLS is enabled with no error
+      
+
+      # Remove headers to prevent duplication and information disclosure
+      proxy_hide_header X-XSS-Protection;
+      proxy_hide_header X-Powered-By;
+
+      add_header X-Frame-Options 'SAMEORIGIN';
+      add_header X-Content-Type-Options 'nosniff';
+      add_header X-Permitted-Cross-Domain-Policies 'none';
+      add_header Referrer-Policy 'same-origin';
+
+      # mozilla autoconfiguration
+      location ~ ^/(\.well\-known/autoconfig/)?mail/config\-v1\.1\.xml {
+        rewrite ^ /internal/autoconfig/mozilla break;
+        include /etc/nginx/proxy.conf;
+        proxy_pass http://$admin;
+      }
+      # microsoft autoconfiguration
+      location ~* ^/Autodiscover/Autodiscover.json {
+        rewrite ^ /internal/autoconfig/microsoft.json break;
+        include /etc/nginx/proxy.conf;
+        proxy_pass http://$admin;
+      }
+      location ~* ^/Autodiscover/Autodiscover.xml {
+        rewrite ^ /internal/autoconfig/microsoft break;
+        include /etc/nginx/proxy.conf;
+        proxy_pass http://$admin;
+      }
+      # apple mobileconfig
+      location ~ ^/(apple\.)?mobileconfig {
+        rewrite ^ /internal/autoconfig/apple break;
+        include /etc/nginx/proxy.conf;
+        proxy_pass http://$admin;
+      }
+
+      
+      location ^~ /.well-known/acme-challenge/testing {
+          return 204;
+      }
+      location ^~ /.well-known/acme-challenge/ {
+          proxy_pass http://127.0.0.1:8008;
+      }
+      
+
+      # If TLS is failing, prevent access to anything except certbot
+      
+      location / {
+        return 403;
+      }
+      
+
+      
+
+      location /internal {
+        internal;
+
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header Authorization $http_authorization;
+        proxy_pass_header Authorization;
+        proxy_pass http://$admin;
+        proxy_pass_request_body off;
+        proxy_set_header Content-Length "";
+      }
+      location /health {
+        return 204;
+      }
+    }
+
+    # Forwarding authentication server
+    server {
+      # Variables for proxifying
+      set $admin admin:8080;
+
+      listen 127.0.0.1:8000;
+
+      location / {
+        proxy_pass http://$admin/internal$request_uri;
+      }
+    }
+
+    # Healthcheck over localhost, for docker
+    server {
+      listen 127.0.0.1:10204;
+      location /health {
+        return 204;
+      }
+    }
+
+    include /etc/nginx/conf.d/*.conf;
+}
+
+mail {
+    server_name mail.arti24.eu;
+    auth_http http://127.0.0.1:8000/auth/email;
+    proxy_pass_error_message on;
+    resolver 127.0.0.11 valid=30s;
+    error_log /dev/stderr info;
+
+    
+
+    
+
+    # Advertise real capabilities of backends (postfix/dovecot)
+    smtp_capabilities PIPELINING "SIZE 52428800" ETRN ENHANCEDSTATUSCODES 8BITMIME DSN;
+
+    # SMTP is always enabled, to avoid losing emails when TLS is failing
+    server {
+      listen 25;
+
+      
+      protocol smtp;
+      smtp_auth none;
+      auth_http_header Auth-Port 25;
+      auth_http_header Client-Port $remote_port;
+    }
+}
\ No newline at end of file