Phorge
F16569294
Size
43 KB
diff --git a/source/howtos/nginx-webserver.rst b/source/howtos/nginx-webserver.rst
index 9b5e992b..cf525c65 100644
--- a/source/howtos/nginx-webserver.rst
+++ b/source/howtos/nginx-webserver.rst
@@ -1,562 +1,1091 @@
==================================
HOWTO: Use NGINX as the Web Server
==================================
This HOWTO consists of two separate approaches.
Simple Installation
===================
-The simple configuration is supposed to provide only the webclient. If you look
-for a more complete setup including webadmin, irony, etc. take a look on the
-complex setup.
+The simple configuration is supposed to provide only the webclient. This simple
+setup only includes the webmail part (roundcubemail) and doesn't provide the
+full experience (file browser, freebusy, caldav/carddav, etc).
+
+If you look for a more complete setup including webadmin, irony, etc. take a
+look on the complex setup.
#. Install NGINX and PHP FPM:
.. parsed-literal::
# :command:`yum -y install nginx php-fpm`
#. Configure **php-fpm** to listen on a local UNIX socket:
.. parsed-literal::
# :command:`sed -r -i \\
-e 's|^listen = 127\.0\.0\.1.*$|listen = /var/run/php-fpm/php-fpm.sock|g' \\
/etc/php-fpm.d/www.conf`
#. Replace the contents of :file:`/etc/nginx/conf.d/default.conf`:
.. parsed-literal::
# :command:`cat > /etc/nginx/conf.d/default.conf` << EOF
server {
listen 8080 default_server;
server_name localhost:8080;
# support roundcubemail secure urls
rewrite "^/roundcubemail/[a-f0-9]{16}/(.*)" /roundcubemail/$1;
# roundcube
location /roundcubemail {
alias /usr/share/roundcubemail/public_html;
index index.php;
location ~ \\.php$ {
include fastcgi_params;
fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
fastcgi_split_path_info ^(.+.php)(/.*)$;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $request_filename;
}
}
}
EOF
.. note::
On debian based systems you might want to take a look at the
configuration :file:`/etc/nginx/sites-enabled/default` and a the
the default php-fpm socket: :file:`/var/run/php5-fpm.sock`
#. Start the **php-fpm** service and configure the service to start on boot:
.. parsed-literal::
# :command:`service php-fpm start`
# :command:`chkconfig php-fpm on`
#. Start the **nginx** service and configure the service to start on boot:
.. parsed-literal::
# :command:`service nginx start`
# :command:`chkconfig nginx on`
More Complex Installation
=========================
The following configuration is tested for Kolab 3.4 on CentOS6. It
should also work under Debian and Ubuntu, provided you adjust paths
and filenames according to their defaults.
.. WARNING::
- This HOWTO uses ports 8080 and 8443 as it is intended to demonstrate running
- Kolab Groupware under NGINX. Because of the use of ports not the standard
- ports for the related protocols, more changes are required to various
- configuration files.
+ To not create conflicts with the default apache configuration (which is
+ installed due to dependencies) we should move the apache default port from
+ 80 to 8080.
+
+ .. parsed-literal::
+
+ # :command:`sed -i -e 's/^Listen 80$/Listen 8080/g' /etc/httpd/conf/httpd.conf`
+ # :command:`service httpd restart`
- This creates a conflict with some mod_nss configuration for httpd, which (by
- default) is also configured to listen on port 8443. To correct this problem,
- issue the following commands:
+ In theory we don't need the apache daemon anymore. We can turn it off.
.. parsed-literal::
- # :command:`sed -i -e 's/^/#/g' /etc/httpd/conf.d/nss.conf`
- # :command:`service httpd reload`
+ # :command:`service httpd stop`
+ # :command:`chkconfig httpd off`
+
+Preperation and PHP-FPM
+-----------------------
#. Install NGINX and PHP FPM:
.. parsed-literal::
# :command:`yum -y install nginx php-fpm`
Note that to get full WebDAV support, an additional module is needed for
nginx. It's available from https://github.com/arut/nginx-dav-ext-module/,
but requires a rebuild of nginx from source. Some clients work without it,
others don't.
-#. Remove the default **php-fpm** configuration:
+ .. note::
+
+ On Debian just install the ``nginx-full`` package to get the full
+ WebDAV support of nginx (adjust your configuration accordingly.
+
+#. Disable the default **php-fpm** configuration (optional):
.. parsed-literal::
- # :command:`rm -rf /etc/php-fpm.d/www.conf`
+ # :command:`mv /etc/php-fpm.d/www.conf /etc/php-fpm.d/www.conf.bak`
+
+ .. note::
+
+ On Debian the pool configuration folder is located here:
+ ``/etc/php5/fpm/pool.d/``
#. Create the PHP FPM Pools [#fpm_pools]_:
.. parsed-literal::
# :command:`cat > /etc/php-fpm.d/kolab.example.org_chwala.conf` << EOF
[kolab.example.org_chwala]
user = apache
group = apache
listen = /var/run/php-fpm/kolab.example.org_chwala.sock
pm = dynamic
pm.max_children = 40
pm.start_servers = 15
pm.min_spare_servers = 10
pm.max_spare_servers = 20
chdir = /
+ php_value[upload_max_filesize] = 30M
+ php_value[post_max_size] = 30M
EOF
# :command:`cat > /etc/php-fpm.d/kolab.example.org_iRony.conf` << EOF
[kolab.example.org_iRony]
user = apache
group = apache
listen = /var/run/php-fpm/kolab.example.org_iRony.sock
pm = dynamic
pm.max_children = 40
pm.start_servers = 15
pm.min_spare_servers = 10
pm.max_spare_servers = 20
chdir = /
+ php_value[upload_max_filesize] = 30M
+ php_value[post_max_size] = 30M
EOF
# :command:`cat > /etc/php-fpm.d/kolab.example.org_kolab-freebusy.conf` << EOF
[kolab.example.org_kolab-freebusy]
user = apache
group = apache
listen = /var/run/php-fpm/kolab.example.org_kolab-freebusy.sock
pm = dynamic
pm.max_children = 40
pm.start_servers = 15
pm.min_spare_servers = 10
pm.max_spare_servers = 20
chdir = /
EOF
# :command:`cat > /etc/php-fpm.d/kolab.example.org_kolab-syncroton.conf` << EOF
[kolab.example.org_kolab-syncroton]
user = apache
group = apache
listen = /var/run/php-fpm/kolab.example.org_kolab-syncroton.sock
pm = dynamic
pm.max_children = 40
pm.start_servers = 15
pm.min_spare_servers = 10
pm.max_spare_servers = 20
chdir = /
php_flag[suhosin.session.encrypt] = Off
EOF
# :command:`cat > /etc/php-fpm.d/kolab.example.org_kolab-webadmin.conf` << EOF
[kolab.example.org_kolab-webadmin]
user = apache
group = apache
listen = /var/run/php-fpm/kolab.example.org_kolab-webadmin.sock
pm = dynamic
pm.max_children = 40
pm.start_servers = 15
pm.min_spare_servers = 10
pm.max_spare_servers = 20
chdir = /
EOF
# :command:`cat > /etc/php-fpm.d/kolab.example.org_roundcubemail.conf` << EOF
[roundcubemail]
user = apache
group = apache
listen = /var/run/php-fpm/kolab.example.org_roundcubemail.sock
pm = dynamic
pm.max_children = 40
pm.start_servers = 15
pm.min_spare_servers = 10
pm.max_spare_servers = 20
chdir = /
# Derived from .htaccess of roundcube
php_flag[display_errors] = Off
php_flag[log_errors] = On
php_value[upload_max_filesize] = 30M
php_value[post_max_size] = 30M
php_flag[zlib.output_compression] = Off
php_flag[magic_quotes_gpc] = Off
php_flag[magic_quotes_runtime] = Off
php_flag[zend.ze1_compatibility_mode] = Off
php_flag[suhosin.session.encrypt] = Off
php_flag[session.auto_start] = Off
php_value[session.gc_maxlifetime] = 21600
php_value[session.gc_divisor] = 500
php_value[session.gc_probability] = 1
# http://bugs.php.net/bug.php?id=30766
php_value[mbstring.func_overload] = 0
EOF
+ .. note::
+
+ On Debian the pool configuration folder is located here:
+ ``/etc/php5/fpm/pool.d/``
+
+ Also there's no explizit folder for php5-fpm socket folders. This is
+ how you can take of it and make it reboot safe.
+
+ Adjust the file: :file:`/etc/default/php5-fpm`
+
+ .. parsed-literal::
+
+ # create /var/run/php5-fpm for all sockets
+ # could be deleted during boot
+ test -e /var/run/php5-fpm || install -m 755 -o root -g root -d /var/run/php5-fpm
+
+ Now you can adjust all your socket files to:
+
+ .. parsed-literal::
+
+ listen = /var/run/php5-fpm/kolab.example.org_<app>.sock
+
+ Or fix the files above with this quick command:
+
+ .. parsed-literal::
+
+ # :command:`sed -i -e 's|/var/run/php-fpm/|/var/run/php5-fpm/|g' /etc/php5/fpm/pool.d/kolab*`
+
+#. Backup your nginx configuration
+
+ .. parsed-literal::
+
+ # :command:`cp /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf.bak`
+
+Single Domain Configuration
+---------------------------
+
+If you've only one domain, one ssl certificate or for whatever reason get all
+the kolab services under one host/domainname this is your configuration. The
+iRony service will provide all 3 dav services on a single endpoint. ActiveSync
+devices can be pointed to the main url. They'll find them Microsoft Url
+automatically.
+
++---------------------------+-----------------------------------------------+
+| Application / Service | URL |
++===========================+===============================================+
+| Roundcubemail | ``https://kolab.example.org`` |
++---------------------------+-----------------------------------------------+
+| CardDAV, CalDAV, WebDAV | ``https://kolab.example.org/iRony`` |
++---------------------------+-----------------------------------------------+
+| FreeBusy | ``https://kolab.example.org/freebusy`` |
++---------------------------+-----------------------------------------------+
+| Chwala API / WebUI | ``https://kolab.example.org/chwala`` |
++---------------------------+-----------------------------------------------+
+| Kolab Web Admin Panel | ``https://kolab.example.org/kolab-webadmin`` |
++---------------------------+-----------------------------------------------+
+| ActiveSync Host | ``https://kolab.example.org`` |
++---------------------------+-----------------------------------------------+
+
#. Replace the contents of :file:`/etc/nginx/conf.d/default.conf`:
.. parsed-literal::
- # :command:`cat > /etc/nginx/conf.d/default.conf` << EOF
+ #
+ # Force HTTP Redirect
+ #
server {
- listen 8080 default_server;
+ listen 80 default_server;
+ server_name _;
+ server_name_in_redirect off;
+ rewrite ^ https://$http_host$request_uri permanent; # enforce https redirect
+ }
+
+ #
+ # Full Kolab Stack
+ #
+ server {
+ listen 443 ssl default_server;
server_name kolab.example.org;
- rewrite ^ https://$server_name:8443$uri permanent; # enforce https redirect
+ access_log /var/log/nginx/kolab.example.org-access_log;
+ error_log /var/log/nginx/kolab.example.org-error_log;
+
+ # enable ssl
+
+ ssl on;
+ ssl_certificate /etc/pki/tls/private/localhost.pem;
+ ssl_certificate_key /etc/pki/tls/private/localhost.pem;
+
+ # Start common Kolab config
+
+ ##
+ ## Chwala
+ ##
+ location /chwala {
+ index index.php;
+ alias /usr/share/chwala/public_html;
+
+ client_max_body_size 30M; # set maximum upload size
+
+ # enable php
+ location ~ \.php$ {
+ include fastcgi_params;
+ fastcgi_param HTTPS on;
+ fastcgi_pass unix:/var/run/php-fpm/kolab.example.org_chwala.sock;
+ fastcgi_param SCRIPT_FILENAME $request_filename;
+ # Without this, PHPSESSION is replaced by webadmin-api X-Session-Token
+ fastcgi_param PHP_VALUE "session.auto_start=0
+ session.use_cookies=0";
+ fastcgi_pass_header X-Session-Token;
+ }
+ }
+
+ ##
+ ## iRony
+ ##
+ location /iRony {
+ alias /usr/share/iRony/public_html/index.php;
+
+ client_max_body_size 30M; # set maximum upload size
+
+ # If Nginx was built with http_dav_module:
+ dav_methods PUT DELETE MKCOL COPY MOVE;
+ # Required Nginx to be built with nginx-dav-ext-module:
+ # dav_ext_methods PROPFIND OPTIONS;
+
+ include fastcgi_params;
+ # fastcgi_param DAVBROWSER 1;
+ fastcgi_param HTTPS on;
+ fastcgi_index index.php;
+ fastcgi_pass unix:/var/run/php-fpm/kolab.example.org_iRony.sock;
+ fastcgi_param SCRIPT_FILENAME $request_filename;
+ }
+ location ~* /.well-known/(cal|card)dav {
+ rewrite ^ /iRony/ permanent;
+ }
+
+ ##
+ ## Kolab Webclient
+ ##
+ location / {
+ index index.php;
+ root /usr/share/roundcubemail/public_html;
+
+ # support for csrf token
+ rewrite "^/[a-f0-9]{16}/(.*)" /$1 break;
+
+ # maximum upload size for mail attachments
+ client_max_body_size 30M;
+
+ # enable php
+ location ~ \.php$ {
+ include fastcgi_params;
+ fastcgi_param HTTPS on;
+ fastcgi_split_path_info ^(.+\.php)(/.*)$;
+ fastcgi_pass unix:/var/run/php-fpm/kolab.example.org_roundcubemail.sock;
+ fastcgi_param SCRIPT_FILENAME $request_filename;
+ }
+ }
+
+ ##
+ ## Kolab Web Administration Panel (WAP) and API
+ ##
+ location /kolab-webadmin {
+ index index.php;
+ alias /usr/share/kolab-webadmin/public_html;
+ try_files $uri $uri/ @kolab-wapapi;
+
+ # enable php
+ location ~ \.php$ {
+ include fastcgi_params;
+ fastcgi_param HTTPS on;
+ fastcgi_pass unix:/var/run/php-fpm/kolab.example.org_kolab-webadmin.sock;
+ fastcgi_param SCRIPT_FILENAME $request_filename;
+ # Without this, PHPSESSION is replaced by webadmin-api X-Session-Token
+ fastcgi_param PHP_VALUE "session.auto_start=0
+ session.use_cookies=0";
+ fastcgi_pass_header X-Session-Token;
+ }
+ }
+ # kolab-webadmin api
+ location @kolab-wapapi {
+ rewrite ^/kolab-webadmin/api/([^\.]*)\.([^\.]*)$ /kolab-webadmin/api/index.php?service=$1&method=$2;
+ }
+
+ ##
+ ## Kolab syncroton ActiveSync
+ ##
+ location /Microsoft-Server-ActiveSync {
+ alias /usr/share/kolab-syncroton/index.php;
+
+ client_max_body_size 30M; # maximum upload size for mail attachments
+
+ include fastcgi_params;
+ fastcgi_param HTTPS on;
+ fastcgi_read_timeout 1200;
+ fastcgi_index index.php;
+ fastcgi_pass unix:/var/run/php-fpm/kolab.example.org_kolab-syncroton.sock;
+ fastcgi_param SCRIPT_FILENAME /usr/share/kolab-syncroton/index.php;
+ }
+
+ ##
+ ## Kolab Free/Busy
+ ##
+ location /freebusy {
+ alias /usr/share/kolab-freebusy/public_html/index.php;
+
+ include fastcgi_params;
+ fastcgi_param HTTPS on;
+ fastcgi_index index.php;
+ fastcgi_pass unix:/var/run/php-fpm/kolab.example.org_kolab-freebusy.sock;
+ fastcgi_param SCRIPT_FILENAME /usr/share/kolab-freebusy/public_html/index.php;
+ }
+ # End common Kolab config
}
+ .. note::
+
+ On Debian you can use the site configuration found at
+
+ * ``/etc/nginx/sites-available/``
+ * ``/etc/nginx/sites-enabled/``
+
+#. Adjust your kolab webadmin api url in the :file:`/etc/kolab/kolab.conf`
+ configuration, otherwise webadmin or commandline tools will not work.
+
+ .. parsed-literal::
+
+ [kolab_wap]
+ api_url = https://kolab.example.org/kolab-webadmin/api
+
+
+Multi Subdomain Configuration
+-----------------------------
+
+Sometimes it's nice to create seperate host/domainnames for every service that
+kolab offers. You can limit iRony to only provide a single dav-service on each
+url endpoint. The Chwala API should be located on the webmail domain to not
+create any cross-domain api call problems.
+
+mtch the default configuration. If you like change your config
+files you also move those to their url. But usually people don't often need
+direct access to this url.
+
+.. note::
+
+ It helps to have a wildcard ssl certificate or a certificate that
+ includes all needed hostnames as *SubjectAltNames*.
+
+**URL Scheme**
+
++---------------------------+-----------------------------------------------+
+| Application / Service | URL |
++===========================+===============================================+
+| Roundcubemail | ``https://webmail.example.org`` |
++---------------------------+-----------------------------------------------+
+| CardDAV | ``https://carddav.example.org`` |
++---------------------------+-----------------------------------------------+
+| CalDAV | ``https://caldav.example.org`` |
++---------------------------+-----------------------------------------------+
+| WebDAV | ``https://webdav.example.org`` |
++---------------------------+-----------------------------------------------+
+| FreeBusy | ``https://freebusy.example.org`` |
++---------------------------+-----------------------------------------------+
+| Chwala API / WebUI | ``https://webmail.example.org/chwala`` |
++---------------------------+-----------------------------------------------+
+| Kolab Web Admin Panel | ``https://kolab.example.org`` |
++---------------------------+-----------------------------------------------+
+| ActiveSync Host | ``https://activesync.example.org`` |
++---------------------------+-----------------------------------------------+
+
+You can also let the users use the serparte host/domain names for the non-web
+services.
+
+* ``imap.example.org``
+* ``smtp.example.org``
+* etc.
+
+But this all depends on you and your communication with your end users.
+
+#. Replace the contents of :file:`/etc/nginx/conf.d/default.conf`:
+
+ .. parsed-literal::
+
+ #
+ # Force HTTP Redirect
+ #
+ server {
+ listen 80 default_server;
+ server_name _;
+ server_name_in_redirect off;
+ rewrite ^ https://$http_host$request_uri permanent; # enforce https redirect
+ }
+
+ #
+ # Webmail + Chwala + Freebusy
+ #
server {
- listen 8443 ssl;
+ listen 443 ssl default_server;
+ server_name webmail.example.org;
+ access_log /var/log/nginx/webmail.example.org-access_log;
+ error_log /var/log/nginx/webmail.example.org-error_log;
+
+ # enable ssl
+
+ ssl on;
+ ssl_certificate /etc/pki/tls/private/localhost.pem;
+ ssl_certificate_key /etc/pki/tls/private/localhost.pem;
+
+ # Start common Kolab config
+
+ ##
+ ## Chwala
+ ##
+ location /chwala {
+ index index.php;
+ alias /usr/share/chwala/public_html;
+
+ client_max_body_size 30M; # set maximum upload size
+
+ # enable php
+ location ~ \.php$ {
+ include fastcgi_params;
+ fastcgi_param HTTPS on;
+ fastcgi_pass unix:/var/run/php-fpm/kolab.example.org_chwala.sock;
+ fastcgi_param SCRIPT_FILENAME $request_filename;
+ # Without this, PHPSESSION is replaced by webadmin-api X-Session-Token
+ fastcgi_param PHP_VALUE "session.auto_start=0
+ session.use_cookies=0";
+ fastcgi_pass_header X-Session-Token;
+ }
+ }
+
+ ##
+ ## Kolab Webclient
+ ##
+ index index.php;
+ root /usr/share/roundcubemail/public_html;
+
+ # support for csrf token
+ rewrite "^/[a-f0-9]{16}/(.*)" /$1 break;
+
+ # maximum upload size for mail attachments
+ client_max_body_size 30M;
+
+ # enable php
+ location ~ \.php$ {
+ include fastcgi_params;
+ fastcgi_param HTTPS on;
+ fastcgi_split_path_info ^(.+\.php)(/.*)$;
+ fastcgi_pass unix:/var/run/php-fpm/kolab.example.org_roundcubemail.sock;
+ fastcgi_param SCRIPT_FILENAME $request_filename;
+ }
+ }
+
+ #
+ # CardDAV
+ #
+ server {
+ listen 443 ssl;
+ server_name carddav.example.org;
+ access_log /var/log/nginx/carddav.example.org-access_log;
+ error_log /var/log/nginx/carddav.example.org-error_log;
+
+ # enable ssl
+
+ ssl on;
+ ssl_certificate /etc/pki/tls/private/localhost.pem;
+ ssl_certificate_key /etc/pki/tls/private/localhost.pem;
+
+ # Start common Kolab config
+
+ ##
+ ## DAV Discovery redirect
+ ##
+ location ~* /.well-known/carddav {
+ rewrite ^ / permanent;
+ }
+
+ ##
+ ## iRony
+ ##
+ root /usr/share/iRony/public_html;
+ index index.php;
+ try_files $uri $uri/ /index.php?$args;
+
+ client_max_body_size 30M; # set maximum upload size
+
+ # If Nginx was built with http_dav_module:
+ dav_methods PUT DELETE MKCOL COPY MOVE;
+ # Required Nginx to be built with nginx-dav-ext-module:
+ # dav_ext_methods PROPFIND OPTIONS;
+
+ location ~ \.php$ {
+ include fastcgi_params;
+ fastcgi_param CARDDAV 1;
+ # fastcgi_param DAVBROWSER 1;
+
+ fastcgi_param HTTPS on;
+ fastcgi_index index.php;
+ fastcgi_pass unix:/var/run/php-fpm/kolab.example.org_iRony.sock;
+ fastcgi_param SCRIPT_FILENAME $request_filename;
+ }
+ }
+
+ #
+ # CalDAV
+ #
+ server {
+ listen 443 ssl;
+ server_name caldav.example.org;
+ access_log /var/log/nginx/caldav.example.org-access_log;
+ error_log /var/log/nginx/caldav.example.org-error_log;
+
+ # enable ssl
+
+ ssl on;
+ ssl_certificate /etc/pki/tls/private/localhost.pem;
+ ssl_certificate_key /etc/pki/tls/private/localhost.pem;
+
+ # Start common Kolab config
+
+ ##
+ ## DAV Discovery redirect
+ ##
+ location ~* /.well-known/caldav {
+ rewrite ^ / permanent;
+ }
+
+ ##
+ ## iRony
+ ##
+ root /usr/share/iRony/public_html;
+ index index.php;
+ try_files $uri $uri/ /index.php?$args;
+
+ client_max_body_size 30M; # set maximum upload size
+
+ # If Nginx was built with http_dav_module:
+ dav_methods PUT DELETE MKCOL COPY MOVE;
+ # Required Nginx to be built with nginx-dav-ext-module:
+ # dav_ext_methods PROPFIND OPTIONS;
+
+ location ~ \.php$ {
+ include fastcgi_params;
+ fastcgi_param CALDAV 1;
+ # fastcgi_param DAVBROWSER 1;
+
+ fastcgi_param HTTPS on;
+ fastcgi_index index.php;
+ fastcgi_pass unix:/var/run/php-fpm/kolab.example.org_iRony.sock;
+ fastcgi_param SCRIPT_FILENAME $request_filename;
+ }
+ }
+
+ #
+ # WebDAV
+ #
+ server {
+ listen 443 ssl;
+ server_name webadv.example.org;
+ access_log /var/log/nginx/webadv.example.org-access_log;
+ error_log /var/log/nginx/webadv.example.org-error_log;
+
+ # enable ssl
+
+ ssl on;
+ ssl_certificate /etc/pki/tls/private/localhost.pem;
+ ssl_certificate_key /etc/pki/tls/private/localhost.pem;
+
+ # Start common Kolab config
+
+ ##
+ ## iRony
+ ##
+ root /usr/share/iRony/public_html;
+ index index.php;
+ try_files $uri $uri/ /index.php?$args;
+
+ client_max_body_size 30M; # set maximum upload size
+
+ # If Nginx was built with http_dav_module:
+ dav_methods PUT DELETE MKCOL COPY MOVE;
+ # Required Nginx to be built with nginx-dav-ext-module:
+ # dav_ext_methods PROPFIND OPTIONS;
+
+ location ~ \.php$ {
+ include fastcgi_params;
+ fastcgi_param WEBDAV 1;
+ # fastcgi_param DAVBROWSER 1;
+
+ fastcgi_param HTTPS on;
+ fastcgi_index index.php;
+ fastcgi_pass unix:/var/run/php-fpm/kolab.example.org_iRony.sock;
+ fastcgi_param SCRIPT_FILENAME $request_filename;
+ }
+ }
+
+ #
+ # Kolab Web Admin Panel + API
+ #
+ server {
+ listen 443 ssl;
server_name kolab.example.org;
access_log /var/log/nginx/kolab.example.org-access_log;
error_log /var/log/nginx/kolab.example.org-error_log;
+ # enable ssl
+
ssl on;
- ssl_certificate /etc/pki/tls/certs/localhost.pem;
- ssl_certificate_key /etc/pki/tls/certs/localhost.pem;
-
- # Tell supporting clients to always connect over HTTPS
- add_header Strict-Transport-Security "max-age=15768000;includeSubDomains";
-
- fastcgi_param HTTPS on;
-
- # Start common Kolab config
- ##
- ## Chwala
- ##
- location /chwala {
- index index.php;
- alias /usr/share/chwala/public_html;
-
- client_max_body_size 1000M; # set maximum upload size
-
- # enable php
- location ~ \.php$ {
- include fastcgi_params;
- fastcgi_pass unix:/var/run/php-fpm/kolab_chwala.sock;
- fastcgi_param SCRIPT_FILENAME $request_filename;
- # Without this, PHPSESSION is replaced by webadmin-api X-Session-Token
- fastcgi_param PHP_VALUE "session.auto_start=0
- session.use_cookies=0";
- fastcgi_pass_header X-Session-Token;
- }
- }
-
- ##
- ## iRony
- ##
- location /iRony {
- alias /usr/share/iRony/public_html/index.php;
-
- client_max_body_size 1000M; # set maximum upload size for webdav
- # adjust along with upload_max_filesize and post_max_size in /etc/php.ini
-
- # If Nginx was built with http_dav_module:
- dav_methods PUT DELETE MKCOL COPY MOVE;
- # Required Nginx to be built with nginx-dav-ext-module:
- # dav_ext_methods PROPFIND OPTIONS;
-
- include fastcgi_params;
- fastcgi_index index.php;
- fastcgi_pass unix:/var/run/php-fpm/kolab_iRony.sock;
- fastcgi_param SCRIPT_FILENAME $request_filename;
- }
- location ~* /.well-known/(cal|card)dav {
- rewrite ^ /iRony/ permanent;
- }
-
- ##
- ## Kolab Webclient
- ##
- location / {
- index index.php;
- root /usr/share/roundcubemail/public_html;
-
- client_max_body_size 30M; # maximum upload size for mail attachments
-
- # Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
- location ~ /(README(.md)?|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
- deny all;
- }
- location ~ /(bin|SQL|config|logs)/ {
- deny all;
- }
- location ~ /program/(include|lib|localization|steps)/ {
- deny all;
- }
-
- # enable php
- location ~ \.php$ {
- include fastcgi_params;
- fastcgi_split_path_info ^(.+\.php)(/.*)$;
- fastcgi_pass unix:/var/run/php-fpm/kolab_roundcubemail.sock;
- fastcgi_param SCRIPT_FILENAME $request_filename;
- }
- }
-
- ##
- ## Kolab Web Administration Panel (WAP) and API
- ##
- location /kolab-webadmin {
- index index.php;
- alias /usr/share/kolab-webadmin/public_html;
- try_files $uri $uri/ @kolab-wapapi;
-
- # enable php
- location ~ \.php$ {
- include fastcgi_params;
- fastcgi_pass unix:/var/run/php-fpm/kolab_webadmin.sock;
- fastcgi_param SCRIPT_FILENAME $request_filename;
- # Without this, PHPSESSION is replaced by webadmin-api X-Session-Token
- fastcgi_param PHP_VALUE "session.auto_start=0
- session.use_cookies=0";
- fastcgi_pass_header X-Session-Token;
- }
- }
- # kolab-webadmin api
- location @kolab-wapapi {
- rewrite ^/kolab-webadmin/api/(.*)\.(.*)$ /kolab-webadmin/api/index.php?service=$1&method=$2;
- }
-
- ##
- ## Kolab syncroton ActiveSync
- ##
- location /Microsoft-Server-ActiveSync {
- alias /usr/share/kolab-syncroton/index.php;
-
- client_max_body_size 30M; # maximum upload size for mail attachments
-
- include fastcgi_params;
- fastcgi_index index.php;
- fastcgi_pass unix:/var/run/php-fpm/kolab_syncroton.sock;
- fastcgi_param SCRIPT_FILENAME /usr/share/kolab-syncroton/index.php;
- }
-
- ##
- ## Kolab Free/Busy
- ##
- location /freebusy {
- alias /usr/share/kolab-freebusy/public_html/index.php;
-
- include fastcgi_params;
- fastcgi_index index.php;
- fastcgi_pass unix:/var/run/php-fpm/kolab_freebusy.sock;
- fastcgi_param SCRIPT_FILENAME /usr/share/kolab-freebusy/public_html/index.php;
- }
- # End common Kolab config
+ ssl_certificate /etc/pki/tls/private/localhost.pem;
+ ssl_certificate_key /etc/pki/tls/private/localhost.pem;
+
+ # Start common Kolab config
+
+ ##
+ ## Kolab Web Administration Panel (WAP) and API
+ ##
+ root /usr/share/kolab-webadmin/public_html;
+ index index.php;
+ try_files $uri $uri/ @kolab-wapapi;
+
+ # enable php
+ location ~ \.php$ {
+ include fastcgi_params;
+ fastcgi_param HTTPS on;
+ fastcgi_pass unix:/var/run/php-fpm/kolab.example.org_kolab-webadmin.sock;
+ fastcgi_param SCRIPT_FILENAME $request_filename;
+ # Without this, PHPSESSION is replaced by webadmin-api X-Session-Token
+ fastcgi_param PHP_VALUE "session.auto_start=0
+ session.use_cookies=0";
+ fastcgi_pass_header X-Session-Token;
+ }
+
+ # kolab-webadmin api
+ location @kolab-wapapi {
+ rewrite ^/api/([^\.]*)\.([^\.]*)$ /api/index.php?service=$1&method=$2;
+ }
}
- EOF
-#. For this demonstrative configuration, make sure the following setting is in
- :file:`/etc/roundcubemail/config.inc.php`:
+ #
+ # Syncroton / ActiveSync
+ #
+ server {
+ listen 443 ssl;
+ server_name activesync.example.org;
+
+ access_log /var/log/nginx/kolab.example.org-access_log;
+ error_log /var/log/nginx/kolab.example.org-error_log;
+
+ # enable ssl
+
+ ssl on;
+ ssl_certificate /etc/pki/tls/private/localhost.pem;
+ ssl_certificate_key /etc/pki/tls/private/localhost.pem;
+
+ ##
+ ## Kolab syncroton ActiveSync
+ ##
+ location /Microsoft-Server-ActiveSync {
+ alias /usr/share/kolab-syncroton/index.php;
+
+ client_max_body_size 30M; # maximum upload size for mail attachments
+
+ include fastcgi_params;
+ fastcgi_param HTTPS on;
+ fastcgi_read_timeout 1200;
+ fastcgi_index index.php;
+ fastcgi_pass unix:/var/run/php-fpm/kolab.example.org_kolab-syncroton.sock;
+ fastcgi_param SCRIPT_FILENAME /usr/share/kolab-syncroton/index.php;
+ }
+
+ ##
+ ## Return to Webmail any other invalid request
+ ##
+ location / {
+ rewrite ^ https://webmail.example.org permanent;
+ }
+ }
+
+ #
+ # FreeBusy
+ #
+ server {
+ listen 443 ssl;
+ server_name freebusy.example.org;
+
+ access_log /var/log/nginx/freebusy.example.org-access_log;
+ error_log /var/log/nginx/freebusy.example.org-error_log;
+
+ # enable ssl
+
+ ssl on;
+ ssl_certificate /etc/pki/tls/private/localhost.pem;
+ ssl_certificate_key /etc/pki/tls/private/localhost.pem;
+
+ # Start common Kolab config
+
+ ##
+ ## Kolab Free/Busy
+ ##
+ root /usr/share/kolab-freebusy/public_html/index.php;
+ index index.php;
+ try_files $uri $uri/ /index.php?$args;
+
+ location ~ \.php$ {
+ include fastcgi_params;
+ fastcgi_param HTTPS on;
+ fastcgi_index index.php;
+ fastcgi_pass unix:/var/run/php-fpm/kolab.example.org_kolab-freebusy.sock;
+ fastcgi_param SCRIPT_FILENAME /usr/share/kolab-freebusy/public_html/index.php;
+ }
+ }
+
+ .. note::
+
+ On Debian you can use the site configuration found at
+
+ * ``/etc/nginx/sites-available/``
+ * ``/etc/nginx/sites-enabled/``
+
+
+#. Adjust your kolab webadmin api url in the :file:`/etc/kolab/kolab.conf`
+ configuration, otherwise webadmin or commandline tools will not work.
+
+ .. parsed-literal::
+
+ [kolab_wap]
+ api_url = https://kolab.example.org/api
+
+#. Since Freebusy has moved to a different location we've to adjust the api
+ endpoint in :file:`/etc/roundcubemail/libkolab.inc.php`
+
+ .. parsed-literal::
+
+ $config['kolab_freebusy_server'] = 'https://freebusy.example.org';
+
+#. iRony basedir has to be adjusted in :file:`/etc/iRony/dav.inc.php`
+
+ .. parsed-literal::
+
+ $config['base_uri'] = '/';
+
+#. We can now set the absolute urls for the CalDAV/CardDAV integration
+
+ :file:`/etc/roundcubemail/calendar.inc.php`
.. parsed-literal::
- $config['file_api_url'] = 'https://kolab.example.org:8443/chwala/api/';
+ $config['calendar_caldav_url'] = "https://caldav.example.org/calendars/%u/%i";
-#. Ensure, if you are using HTTPS, that the Chwala URL (``kolab_files_url``)
- in :file:`/etc/roundcubemail/kolab_files.inc.php` is also set to
- ``https`` rather than ``http``, and port set to 8443, or most browsers will be unable to access
- the files component in Roundcube.
+ :file:`/etc/roundcubemail/kolab_addressbook.inc.php`
+
+ .. parsed-literal::
+
+ $config['kolab_addressbook_carddav_url'] = "https://carddav.example.org/addressbooks/%u/%i";
+
+Finalize / Common
+-----------------
+
+#. Since we run Roundcube in the base directory ``/`` of the server, we've to
+ set the correct asset path
+
+ .. parsed-literal::
+
+ $config['assets_path'] = '/assets/';
#. For configurations that use SSL, make sure to work around a known issue in
PHP pear module HTTP_Request2, and include in
:file:`/etc/roundcubemail/config.inc.php`:
.. parsed-literal::
$config['ssl_verify_host'] = false;
$config['ssl_verify_peer'] = false;
#. Start the **php-fpm** service and configure the service to start on boot:
.. parsed-literal::
# :command:`service php-fpm start`
# :command:`chkconfig php-fpm on`
#. Start the **nginx** service and configure the service to start on boot:
.. parsed-literal::
# :command:`service nginx start`
# :command:`chkconfig nginx on`
Tips, tweaks and optimizations
==============================
Tweaking ssl cipher settings
----------------------------
To ensure Perfect Forward Secrecy is enabled when possible
#. Add the following into **http** section of :file:`/etc/nginx/nginx.conf`:
.. parsed-literal::
- # These cipher settings should ensure Perfect Forward Secrecy is
- # enabled when possible.
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_prefer_server_ciphers on;
-
- ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM
- EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384
- EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL
- !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
-
- ssl_session_cache shared:SSL:10m;
+ # These cipher settings should ensure Perfect Forward Secrecy is
+ # enabled when possible.
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_prefer_server_ciphers on;
+
+ ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM
+ EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384
+ EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL
+ !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
+
+ ssl_session_cache shared:SSL:10m;
#. Restart the **nginx** service:
.. parsed-literal::
# :command:`service nginx restart`
-
Adding open file cache to nginx
-------------------------------
Open file cache will make nginx cache static files, that were accessed
``open_file_cache_min_uses`` times.
#. Add the following into **http** section of :file:`/etc/nginx/nginx.conf`:
.. parsed-literal::
open_file_cache max=16384 inactive=5m;
open_file_cache_valid 90s;
open_file_cache_min_uses 2;
open_file_cache_errors on;
#. Restart the **nginx** service:
.. parsed-literal::
# :command:`service nginx restart`
Adding fastcgi_cache to nginx
-----------------------------
#. Create and set ownership on the following directories:
* :file:`/var/lib/nginx/fastcgi/`
.. parsed-literal::
# :command:`mkdir -p /var/lib/nginx/fastcgi/`
# :command:`chown -R nginx:nginx /var/lib/nginx/fastcgi/`
# :command:`chmod -R 700 /var/lib/nginx/fastcgi/`
#. Add the following into **http** section of :file:`/etc/nginx/nginx.conf`:
.. parsed-literal::
fastcgi_cache_key "$scheme$request_method$host$request_uri";
fastcgi_cache_use_stale error timeout invalid_header http_500;
- fastcgi_cache_valid 200 302 304 10m;
- fastcgi_cache_valid 301 1h;
- fastcgi_cache_min_uses 2;
+ fastcgi_cache_valid 200 302 304 10m;
+ fastcgi_cache_valid 301 1h;
+ fastcgi_cache_min_uses 2;
#. Add the following outside **server** sections of :file:`/etc/nginx/conf.d/default.conf`:
.. parsed-literal::
fastcgi_cache_path /var/lib/nginx/fastcgi/ levels=1:2 keys_zone=key-zone-name:16m max_size=256m inactive=1d;
#. Add the following into **ssl server** section of :file:`/etc/nginx/conf.d/default.conf`:
-
+
.. parsed-literal::
- fastcgi_cache key-zone-name;
-
+ fastcgi_cache key-zone-name;
+
#. Restart the **nginx** service:
.. parsed-literal::
# :command:`service nginx restart`
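Review bot: `fastcgi_cache key-zone-name;` is enabled in the ssl server that fronts Roundcube, i.e. authenticated per-user pages, yet the key defined above (`fastcgi_cache_key "$scheme$request_method$host$request_uri";`) contains nothing user-specific, so any 200 response nginx decides is cacheable would be handed to the next visitor of the same URL for up to ten minutes (`fastcgi_cache_valid 200 302 304 10m;`). This only stays safe because nginx by default refuses to cache responses that carry `Set-Cookie` or `Cache-Control: private`/`no-cache`/`no-store`, and that is a property of the upstream, not of this configuration. Make the intent explicit next to the `fastcgi_cache` line, for example `fastcgi_cache_bypass $http_cookie;` and `fastcgi_no_cache $http_cookie;` (or confine the cache to a `location` that serves only unauthenticated content), and add a sentence warning the reader never to combine this cache with `fastcgi_ignore_headers Cache-Control Set-Cookie`.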
+Browse CalDAV/CardDAV/WebDAV with your browser
+----------------------------------------------
+
+In the default configuration iRony only supports the default DAV commands. If
+you want to use GET to browse through your DAV instance to make sure everything
+is working, just uncomment the ``fastcgi_param DAVBROWSER 1`` option in the php
+section and point your browser to it.
+
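Review bot: the new "Browse CalDAV/CardDAV/WebDAV with your browser" section tells the reader to "just uncomment the `fastcgi_param DAVBROWSER 1` option in the php section" without naming the file or `location` block that contains it, and without saying what to do afterwards. The text itself frames this as a check that everything is working, so name the file (presumably the php block of `/etc/nginx/conf.d/default.conf` from the complex setup) and add a sentence to comment the line out again and reload nginx once the check is done, so the browsable GET view is not left enabled on a production host.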
Splitting Kolab nginx config for use with multi-domain
------------------------------------------------------
You can put common Kolab config into separate file and include it into
server configurations, if you need different settings for
different domains in a multi-domain setup (eg. different ssl
certificates).
This way you wount have to keep up to date lines common to all Kolab
servers in multitude of server configurations.
-#. Common Kolab config is between lines:
+#. Common Kolab config is between lines:
.. parsed-literal::
- # Start common Kolab config
- ...
- # End common Kolab config
+ # Start common Kolab config
+ ...
+ # End common Kolab config
move it into separate file (eg. :file:`/etc/nginx/kolab_common.conf`)
-#. Use ``include`` directive to include the new file into configuration:
+#. Use ``include`` directive to include the new file into configuration:
- .. parsed-literal::
-
- # Start common Kolab config
- include /etc/nginx/kolab_common.conf
- # End common Kolab config
+ .. parsed-literal::
+ # Start common Kolab config
+ include /etc/nginx/kolab_common.conf
+ # End common Kolab config
So your server configuration file can look like similar to this:
.. parsed-literal::
fastcgi_cache_path /var/lib/nginx/fastcgi/ levels=1:2 keys_zone=kolab1-key-zone-name:16m max_size=256m inactive=1d;
server {
- listen 8080 default_server;
+ listen 80 default_server;
server_name kolab1.example.org;
- rewrite ^ https://$server_name:8443$uri permanent; # enforce https redirect
+ rewrite ^ https://$http_hosts$request_uri permanent; # enforce https redirect
}
server {
- listen 8443 ssl;
+ listen 443 ssl;
server_name kolab1.example.org;
access_log /var/log/nginx/kolab1.example.org-access_log;
error_log /var/log/nginx/kolab1.example.org-error_log;
ssl on;
ssl_certificate /etc/pki/tls/certs/kolab1.example.org.pem;
ssl_certificate_key /etc/pki/tls/certs/kolab1.example.org.pem;
- fastcgi_cache kolab1-key-zone-name;
+ fastcgi_cache kolab1-key-zone-name;
+
+ # Start common Kolab config
+ include /etc/nginx/kolab_common.conf
+ # End common Kolab config
+ }
- # Start common Kolab config
- include /etc/nginx/kolab_common.conf
- # End common Kolab config
- }
-
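Review bot: `$http_hosts` in the replacement redirect (`rewrite ^ https://$http_hosts$request_uri permanent;`) is not the Host header variable; nginx derives `$http_<name>` from the request header of that name, so this reads a `Hosts` header no client sends and the redirect becomes `https://<path>`. Use the configured name, `return 301 https://$server_name$request_uri;`, which also keeps a client-supplied Host header from steering the redirect to another site (`$host` would pass it through). Two further points in the same example: `include /etc/nginx/kolab_common.conf` lacks the terminating `;` both here and in the snippet above it, and nginx rejects the configuration at load time without it; and `ssl on;` is redundant once `listen 443 ssl;` is used (newer nginx releases deprecate the directive), so drop it.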
.. rubric:: Footnotes
.. [#fpm_pools] Values for fpm servers are taken from a
- moderately loaded virtual server with 4x3.5GHz CPU
- and 4GB RAM, feel free to adjust them according to
- your setup.
+ moderately loaded virtual server with 4x3.5GHz CPU
+ and 4GB RAM, feel free to adjust them according to
+ your setup.