Adding options for mail-letsencrypt

2025-11-02 11:08:01 +00:00 · 2017-12-05 00:21:58 +01:00
parent 34d88144b2
commit 6ec0fe7036
5 changed files with 37 additions and 8 deletions
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -20,6 +20,14 @@ http {
    absolute_redirect off;
    resolver {{ RESOLVER }} valid=30s;

+    {% if REAL_IP_HEADER %}
+    real_ip_header {{ REAL_IP_HEADER }};
+    {% endif %}
+
+    {% if REAL_IP_FROM %}{% for from_ip in REAL_IP_FROM.split(',') %}
+    set_real_ip_from {{ from_ip }};
+    {% endfor %}{% endif %}
+
    # Header maps
    map $http_x_forwarded_proto $proxy_x_forwarded_proto {
      default $http_x_forwarded_proto;
@@ -45,17 +53,23 @@ http {

      include /etc/nginx/tls.conf;
      ssl_session_cache shared:SSLHTTP:50m;
-      add_header Strict-Transport-Security max-age=15768000;
+      add_header Strict-Transport-Security 'max-age=31536000';

-      {% if not TLS_FLAVOR == "mail" %}
-      if ($scheme = http) {
+      {% if not TLS_FLAVOR in [ 'mail', 'mail-letsencrypt' ] %}
+      if ($proxy_x_forwarded_proto = http) {
        return 301 https://$host$request_uri;
      }
      {% endif %}
      {% endif %}

+      add_header X-Frame-Options 'DENY';
+      add_header X-Content-Type-Options 'nosniff';
+      add_header X-Permitted-Cross-Domain-Policies 'none';
+      add_header X-XSS-Protection '1; mode=block';
+      add_header Referrer-Policy 'same-origin';
+
      # In any case, enable the proxy for certbot if the flavor is letsencrypt
-      {% if TLS_FLAVOR == 'letsencrypt' %}
+      {% if TLS_FLAVOR in [ 'letsencrypt', 'mail-letsencrypt' ] %}
      location ^~ /.well-known/acme-challenge/ {
          proxy_pass http://127.0.0.1:8008;
      }
--- a/core/nginx/config.py
+++ b/core/nginx/config.py
@@ -16,9 +16,11 @@ with open("/etc/resolv.conf") as handle:
 # TLS configuration
 args["TLS"] = {
    "cert": ("/certs/cert.pem", "/certs/key.pem"),
-    "mail": ("/certs/cert.pem", "/certs/key.pem"),
    "letsencrypt": ("/certs/letsencrypt/live/mailu/fullchain.pem",
        "/certs/letsencrypt/live/mailu/privkey.pem"),
+    "mail": ("/certs/cert.pem", "/certs/key.pem"),
+    "mail-letsencrypt": ("/certs/letsencrypt/live/mailu/fullchain.pem",
+        "/certs/letsencrypt/live/mailu/privkey.pem"),
    "notls": None
 }[args["TLS_FLAVOR"]]

@@ -26,7 +28,6 @@ if args["TLS"] and not all(os.path.exists(file_path) for file_path in args["TLS"
    print("Missing cert or key file, disabling TLS")
    args["TLS_ERROR"] = "yes"

-
 # Build final configuration paths
 convert("/conf/tls.conf", "/etc/nginx/tls.conf", args)
 convert("/conf/proxy.conf", "/etc/nginx/proxy.conf", args)
--- a/core/nginx/start.py
+++ b/core/nginx/start.py
@@ -7,7 +7,7 @@ import subprocess
 if os.path.exists("/var/log/nginx.pid"):
    os.remove("/var/log/nginx.pid")

-if os.environ["TLS_FLAVOR"] == "letsencrypt":
+if os.environ["TLS_FLAVOR"] in [ "letsencrypt","mail-letsencrypt" ]:
    subprocess.Popen(["/letsencrypt.py"])

 subprocess.call(["/config.py"])