From c1b6b1d438699426d42cada4a7c4fadd51dea4bf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Toke=20H=C3=B8iland-J=C3=B8rgensen?= Date: Wed, 17 Sep 2014 18:23:41 +0200 Subject: [PATCH] Some fixes to the nginx webserver HOWTO. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Toke Høiland-Jørgensen --- source/howtos/nginx-webserver.rst | 32 ++++++++++++++++++++++++++----- 1 file changed, 27 insertions(+), 5 deletions(-) diff --git a/source/howtos/nginx-webserver.rst b/source/howtos/nginx-webserver.rst index f8ce09b..7aed2e9 100644 --- a/source/howtos/nginx-webserver.rst +++ b/source/howtos/nginx-webserver.rst @@ -95,6 +95,11 @@ More Complex Installation # :command:`yum -y install nginx php-fpm` + Note that to get full WebDAV support, an additional module is needed for + nginx. It's available from https://github.com/arut/nginx-dav-ext-module/, + but requires a rebuild of nginx from source. Some clients work without it, + others don't. + #. Remove the default **php-fpm** configuration: .. parsed-literal:: @@ -126,7 +131,7 @@ More Complex Installation server { listen 8080 default_server; server_name kolab.example.org; - rewrite ^ https://$server_name$request_uri permanent; # enforce https + return 301 https://$host:8443$request_uri; # enforce https } server { @@ -140,6 +145,15 @@ More Complex Installation ssl_certificate /etc/pki/tls/certs/localhost.pem; ssl_certificate_key /etc/pki/tls/certs/localhost.pem; + # These cipher settings should ensure Perfect Forward Secrecy is + # enabled when possible. + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_prefer_server_ciphers on; + ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"; + + # Tell supporting clients to always connect over HTTPS + add_header Strict-Transport-Security "max-age=15768000;includeSubDomains"; + open_file_cache max=1024 inactive=1m; open_file_cache_valid 90s; open_file_cache_min_uses 2; @@ -195,15 +209,23 @@ More Complex Installation include fastcgi_params; fastcgi_index index.php; fastcgi_pass unix:/var/run/php-fpm/kolab.example.org_iRony.sock; - fastcgi_param SCRIPT_FILENAME $request_filename; + fastcgi_split_path_info ^(.+\.php)(/.*)$; + fastcgi_param SCRIPT_FILENAME /usr/share/iRony/public_html/index.php; + fastcgi_param PATH_INFO $fastcgi_path_info; + # Enable this if you want to be able to browse iRony with a web browser. + #fastcgi_param DAVBROWSER 1; } ## ## Kolab Webclient ## + + # For roundcube CSRF token support. + rewrite "^/roundcubemail/[a-f0-9]{16}/(.*)" /roundcubemail/$1 last; + location /roundcubemail { index index.php; - alias //usr/share/roundcubemail; + alias /usr/share/roundcubemail; client_max_body_size 30M; # set maximum upload size for mail attachments @@ -225,7 +247,7 @@ More Complex Installation include fastcgi_params; fastcgi_split_path_info ^(.+\\.php)(/.*)$; fastcgi_pass unix:/var/run/php-fpm/kolab.example.org_roundcubemail.sock; - fastcgi_param SCRIPT_FILENAME \\$request_filename; + fastcgi_param SCRIPT_FILENAME $request_filename; } } @@ -235,7 +257,7 @@ More Complex Installation location /kolab-webadmin { index index.php; alias /usr/share/kolab-webadmin/public_html; - try_files \\$uri \\$uri/ @kolab-wapapi; + try_files $uri $uri/ @kolab-wapapi; # enable php location ~ \\.php$ {