diff --git a/source/howtos/nginx-webserver.rst b/source/howtos/nginx-webserver.rst index 9b5e992b..cf525c65 100644 --- a/source/howtos/nginx-webserver.rst +++ b/source/howtos/nginx-webserver.rst @@ -1,562 +1,1091 @@ ================================== HOWTO: Use NGINX as the Web Server ================================== This HOWTO consists of two separate approaches. Simple Installation =================== -The simple configuration is supposed to provide only the webclient. If you look -for a more complete setup including webadmin, irony, etc. take a look on the -complex setup. +The simple configuration is supposed to provide only the webclient. This simple +setup only includes the webmail part (roundcubemail) and doesn't provide the +full experience (file browser, freebusy, caldav/carddav, etc). + +If you look for a more complete setup including webadmin, irony, etc. take a +look on the complex setup. #. Install NGINX and PHP FPM: .. parsed-literal:: # :command:`yum -y install nginx php-fpm` #. Configure **php-fpm** to listen on a local UNIX socket: .. parsed-literal:: # :command:`sed -r -i \\ -e 's|^listen = 127\.0\.0\.1.*$|listen = /var/run/php-fpm/php-fpm.sock|g' \\ /etc/php-fpm.d/www.conf` #. Replace the contents of :file:`/etc/nginx/conf.d/default.conf`: .. parsed-literal:: # :command:`cat > /etc/nginx/conf.d/default.conf` << EOF server { listen 8080 default_server; server_name localhost:8080; # support roundcubemail secure urls rewrite "^/roundcubemail/[a-f0-9]{16}/(.*)" /roundcubemail/$1; # roundcube location /roundcubemail { alias /usr/share/roundcubemail/public_html; index index.php; location ~ \\.php$ { include fastcgi_params; fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock; fastcgi_split_path_info ^(.+.php)(/.*)$; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $request_filename; } } } EOF .. note:: On debian based systems you might want to take a look at the configuration :file:`/etc/nginx/sites-enabled/default` and a the the default php-fpm socket: :file:`/var/run/php5-fpm.sock` #. Start the **php-fpm** service and configure the service to start on boot: .. parsed-literal:: # :command:`service php-fpm start` # :command:`chkconfig php-fpm on` #. Start the **nginx** service and configure the service to start on boot: .. parsed-literal:: # :command:`service nginx start` # :command:`chkconfig nginx on` More Complex Installation ========================= The following configuration is tested for Kolab 3.4 on CentOS6. It should also work under Debian and Ubuntu, provided you adjust paths and filenames according to their defaults. .. WARNING:: - This HOWTO uses ports 8080 and 8443 as it is intended to demonstrate running - Kolab Groupware under NGINX. Because of the use of ports not the standard - ports for the related protocols, more changes are required to various - configuration files. + To not create conflicts with the default apache configuration (which is + installed due to dependencies) we should move the apache default port from + 80 to 8080. + + .. parsed-literal:: + + # :command:`sed -i -e 's/^Listen 80$/Listen 8080/g' /etc/httpd/conf/httpd.conf` + # :command:`service httpd restart` - This creates a conflict with some mod_nss configuration for httpd, which (by - default) is also configured to listen on port 8443. To correct this problem, - issue the following commands: + In theory we don't need the apache daemon anymore. We can turn it off. .. parsed-literal:: - # :command:`sed -i -e 's/^/#/g' /etc/httpd/conf.d/nss.conf` - # :command:`service httpd reload` + # :command:`service httpd stop` + # :command:`chkconfig httpd off` + +Preperation and PHP-FPM +----------------------- #. Install NGINX and PHP FPM: .. parsed-literal:: # :command:`yum -y install nginx php-fpm` Note that to get full WebDAV support, an additional module is needed for nginx. It's available from https://github.com/arut/nginx-dav-ext-module/, but requires a rebuild of nginx from source. Some clients work without it, others don't. -#. Remove the default **php-fpm** configuration: + .. note:: + + On Debian just install the ``nginx-full`` package to get the full + WebDAV support of nginx (adjust your configuration accordingly. + +#. Disable the default **php-fpm** configuration (optional): .. parsed-literal:: - # :command:`rm -rf /etc/php-fpm.d/www.conf` + # :command:`mv /etc/php-fpm.d/www.conf /etc/php-fpm.d/www.conf.bak` + + .. note:: + + On Debian the pool configuration folder is located here: + ``/etc/php5/fpm/pool.d/`` #. Create the PHP FPM Pools [#fpm_pools]_: .. parsed-literal:: # :command:`cat > /etc/php-fpm.d/kolab.example.org_chwala.conf` << EOF [kolab.example.org_chwala] user = apache group = apache listen = /var/run/php-fpm/kolab.example.org_chwala.sock pm = dynamic pm.max_children = 40 pm.start_servers = 15 pm.min_spare_servers = 10 pm.max_spare_servers = 20 chdir = / + php_value[upload_max_filesize] = 30M + php_value[post_max_size] = 30M EOF # :command:`cat > /etc/php-fpm.d/kolab.example.org_iRony.conf` << EOF [kolab.example.org_iRony] user = apache group = apache listen = /var/run/php-fpm/kolab.example.org_iRony.sock pm = dynamic pm.max_children = 40 pm.start_servers = 15 pm.min_spare_servers = 10 pm.max_spare_servers = 20 chdir = / + php_value[upload_max_filesize] = 30M + php_value[post_max_size] = 30M EOF # :command:`cat > /etc/php-fpm.d/kolab.example.org_kolab-freebusy.conf` << EOF [kolab.example.org_kolab-freebusy] user = apache group = apache listen = /var/run/php-fpm/kolab.example.org_kolab-freebusy.sock pm = dynamic pm.max_children = 40 pm.start_servers = 15 pm.min_spare_servers = 10 pm.max_spare_servers = 20 chdir = / EOF # :command:`cat > /etc/php-fpm.d/kolab.example.org_kolab-syncroton.conf` << EOF [kolab.example.org_kolab-syncroton] user = apache group = apache listen = /var/run/php-fpm/kolab.example.org_kolab-syncroton.sock pm = dynamic pm.max_children = 40 pm.start_servers = 15 pm.min_spare_servers = 10 pm.max_spare_servers = 20 chdir = / php_flag[suhosin.session.encrypt] = Off EOF # :command:`cat > /etc/php-fpm.d/kolab.example.org_kolab-webadmin.conf` << EOF [kolab.example.org_kolab-webadmin] user = apache group = apache listen = /var/run/php-fpm/kolab.example.org_kolab-webadmin.sock pm = dynamic pm.max_children = 40 pm.start_servers = 15 pm.min_spare_servers = 10 pm.max_spare_servers = 20 chdir = / EOF # :command:`cat > /etc/php-fpm.d/kolab.example.org_roundcubemail.conf` << EOF [roundcubemail] user = apache group = apache listen = /var/run/php-fpm/kolab.example.org_roundcubemail.sock pm = dynamic pm.max_children = 40 pm.start_servers = 15 pm.min_spare_servers = 10 pm.max_spare_servers = 20 chdir = / # Derived from .htaccess of roundcube php_flag[display_errors] = Off php_flag[log_errors] = On php_value[upload_max_filesize] = 30M php_value[post_max_size] = 30M php_flag[zlib.output_compression] = Off php_flag[magic_quotes_gpc] = Off php_flag[magic_quotes_runtime] = Off php_flag[zend.ze1_compatibility_mode] = Off php_flag[suhosin.session.encrypt] = Off php_flag[session.auto_start] = Off php_value[session.gc_maxlifetime] = 21600 php_value[session.gc_divisor] = 500 php_value[session.gc_probability] = 1 # http://bugs.php.net/bug.php?id=30766 php_value[mbstring.func_overload] = 0 EOF + .. note:: + + On Debian the pool configuration folder is located here: + ``/etc/php5/fpm/pool.d/`` + + Also there's no explizit folder for php5-fpm socket folders. This is + how you can take of it and make it reboot safe. + + Adjust the file: :file:`/etc/default/php5-fpm` + + .. parsed-literal:: + + # create /var/run/php5-fpm for all sockets + # could be deleted during boot + test -e /var/run/php5-fpm || install -m 755 -o root -g root -d /var/run/php5-fpm + + Now you can adjust all your socket files to: + + .. parsed-literal:: + + listen = /var/run/php5-fpm/kolab.example.org_.sock + + Or fix the files above with this quick command: + + .. parsed-literal:: + + # :command:`sed -i -e 's|/var/run/php-fpm/|/var/run/php5-fpm/|g' /etc/php5/fpm/pool.d/kolab*` + +#. Backup your nginx configuration + + .. parsed-literal:: + + # :command:`cp /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf.bak` + +Single Domain Configuration +--------------------------- + +If you've only one domain, one ssl certificate or for whatever reason get all +the kolab services under one host/domainname this is your configuration. The +iRony service will provide all 3 dav services on a single endpoint. ActiveSync +devices can be pointed to the main url. They'll find them Microsoft Url +automatically. + ++---------------------------+-----------------------------------------------+ +| Application / Service | URL | ++===========================+===============================================+ +| Roundcubemail | ``https://kolab.example.org`` | ++---------------------------+-----------------------------------------------+ +| CardDAV, CalDAV, WebDAV | ``https://kolab.example.org/iRony`` | ++---------------------------+-----------------------------------------------+ +| FreeBusy | ``https://kolab.example.org/freebusy`` | ++---------------------------+-----------------------------------------------+ +| Chwala API / WebUI | ``https://kolab.example.org/chwala`` | ++---------------------------+-----------------------------------------------+ +| Kolab Web Admin Panel | ``https://kolab.example.org/kolab-webadmin`` | ++---------------------------+-----------------------------------------------+ +| ActiveSync Host | ``https://kolab.example.org`` | ++---------------------------+-----------------------------------------------+ + #. Replace the contents of :file:`/etc/nginx/conf.d/default.conf`: .. parsed-literal:: - # :command:`cat > /etc/nginx/conf.d/default.conf` << EOF + # + # Force HTTP Redirect + # server { - listen 8080 default_server; + listen 80 default_server; + server_name _; + server_name_in_redirect off; + rewrite ^ https://$http_host$request_uri permanent; # enforce https redirect + } + + # + # Full Kolab Stack + # + server { + listen 443 ssl default_server; server_name kolab.example.org; - rewrite ^ https://$server_name:8443$uri permanent; # enforce https redirect + access_log /var/log/nginx/kolab.example.org-access_log; + error_log /var/log/nginx/kolab.example.org-error_log; + + # enable ssl + + ssl on; + ssl_certificate /etc/pki/tls/private/localhost.pem; + ssl_certificate_key /etc/pki/tls/private/localhost.pem; + + # Start common Kolab config + + ## + ## Chwala + ## + location /chwala { + index index.php; + alias /usr/share/chwala/public_html; + + client_max_body_size 30M; # set maximum upload size + + # enable php + location ~ \.php$ { + include fastcgi_params; + fastcgi_param HTTPS on; + fastcgi_pass unix:/var/run/php-fpm/kolab.example.org_chwala.sock; + fastcgi_param SCRIPT_FILENAME $request_filename; + # Without this, PHPSESSION is replaced by webadmin-api X-Session-Token + fastcgi_param PHP_VALUE "session.auto_start=0 + session.use_cookies=0"; + fastcgi_pass_header X-Session-Token; + } + } + + ## + ## iRony + ## + location /iRony { + alias /usr/share/iRony/public_html/index.php; + + client_max_body_size 30M; # set maximum upload size + + # If Nginx was built with http_dav_module: + dav_methods PUT DELETE MKCOL COPY MOVE; + # Required Nginx to be built with nginx-dav-ext-module: + # dav_ext_methods PROPFIND OPTIONS; + + include fastcgi_params; + # fastcgi_param DAVBROWSER 1; + fastcgi_param HTTPS on; + fastcgi_index index.php; + fastcgi_pass unix:/var/run/php-fpm/kolab.example.org_iRony.sock; + fastcgi_param SCRIPT_FILENAME $request_filename; + } + location ~* /.well-known/(cal|card)dav { + rewrite ^ /iRony/ permanent; + } + + ## + ## Kolab Webclient + ## + location / { + index index.php; + root /usr/share/roundcubemail/public_html; + + # support for csrf token + rewrite "^/[a-f0-9]{16}/(.*)" /$1 break; + + # maximum upload size for mail attachments + client_max_body_size 30M; + + # enable php + location ~ \.php$ { + include fastcgi_params; + fastcgi_param HTTPS on; + fastcgi_split_path_info ^(.+\.php)(/.*)$; + fastcgi_pass unix:/var/run/php-fpm/kolab.example.org_roundcubemail.sock; + fastcgi_param SCRIPT_FILENAME $request_filename; + } + } + + ## + ## Kolab Web Administration Panel (WAP) and API + ## + location /kolab-webadmin { + index index.php; + alias /usr/share/kolab-webadmin/public_html; + try_files $uri $uri/ @kolab-wapapi; + + # enable php + location ~ \.php$ { + include fastcgi_params; + fastcgi_param HTTPS on; + fastcgi_pass unix:/var/run/php-fpm/kolab.example.org_kolab-webadmin.sock; + fastcgi_param SCRIPT_FILENAME $request_filename; + # Without this, PHPSESSION is replaced by webadmin-api X-Session-Token + fastcgi_param PHP_VALUE "session.auto_start=0 + session.use_cookies=0"; + fastcgi_pass_header X-Session-Token; + } + } + # kolab-webadmin api + location @kolab-wapapi { + rewrite ^/kolab-webadmin/api/([^\.]*)\.([^\.]*)$ /kolab-webadmin/api/index.php?service=$1&method=$2; + } + + ## + ## Kolab syncroton ActiveSync + ## + location /Microsoft-Server-ActiveSync { + alias /usr/share/kolab-syncroton/index.php; + + client_max_body_size 30M; # maximum upload size for mail attachments + + include fastcgi_params; + fastcgi_param HTTPS on; + fastcgi_read_timeout 1200; + fastcgi_index index.php; + fastcgi_pass unix:/var/run/php-fpm/kolab.example.org_kolab-syncroton.sock; + fastcgi_param SCRIPT_FILENAME /usr/share/kolab-syncroton/index.php; + } + + ## + ## Kolab Free/Busy + ## + location /freebusy { + alias /usr/share/kolab-freebusy/public_html/index.php; + + include fastcgi_params; + fastcgi_param HTTPS on; + fastcgi_index index.php; + fastcgi_pass unix:/var/run/php-fpm/kolab.example.org_kolab-freebusy.sock; + fastcgi_param SCRIPT_FILENAME /usr/share/kolab-freebusy/public_html/index.php; + } + # End common Kolab config } + .. note:: + + On Debian you can use the site configuration found at + + * ``/etc/nginx/sites-available/`` + * ``/etc/nginx/sites-enabled/`` + +#. Adjust your kolab webadmin api url in the :file:`/etc/kolab/kolab.conf` + configuration, otherwise webadmin or commandline tools will not work. + + .. parsed-literal:: + + [kolab_wap] + api_url = https://kolab.example.org/kolab-webadmin/api + + +Multi Subdomain Configuration +----------------------------- + +Sometimes it's nice to create seperate host/domainnames for every service that +kolab offers. You can limit iRony to only provide a single dav-service on each +url endpoint. The Chwala API should be located on the webmail domain to not +create any cross-domain api call problems. + +mtch the default configuration. If you like change your config +files you also move those to their url. But usually people don't often need +direct access to this url. + +.. note:: + + It helps to have a wildcard ssl certificate or a certificate that + includes all needed hostnames as *SubjectAltNames*. + +**URL Scheme** + ++---------------------------+-----------------------------------------------+ +| Application / Service | URL | ++===========================+===============================================+ +| Roundcubemail | ``https://webmail.example.org`` | ++---------------------------+-----------------------------------------------+ +| CardDAV | ``https://carddav.example.org`` | ++---------------------------+-----------------------------------------------+ +| CalDAV | ``https://caldav.example.org`` | ++---------------------------+-----------------------------------------------+ +| WebDAV | ``https://webdav.example.org`` | ++---------------------------+-----------------------------------------------+ +| FreeBusy | ``https://freebusy.example.org`` | ++---------------------------+-----------------------------------------------+ +| Chwala API / WebUI | ``https://webmail.example.org/chwala`` | ++---------------------------+-----------------------------------------------+ +| Kolab Web Admin Panel | ``https://kolab.example.org`` | ++---------------------------+-----------------------------------------------+ +| ActiveSync Host | ``https://activesync.example.org`` | ++---------------------------+-----------------------------------------------+ + +You can also let the users use the serparte host/domain names for the non-web +services. + +* ``imap.example.org`` +* ``smtp.example.org`` +* etc. + +But this all depends on you and your communication with your end users. + +#. Replace the contents of :file:`/etc/nginx/conf.d/default.conf`: + + .. parsed-literal:: + + # + # Force HTTP Redirect + # + server { + listen 80 default_server; + server_name _; + server_name_in_redirect off; + rewrite ^ https://$http_host$request_uri permanent; # enforce https redirect + } + + # + # Webmail + Chwala + Freebusy + # server { - listen 8443 ssl; + listen 443 ssl default_server; + server_name webmail.example.org; + access_log /var/log/nginx/webmail.example.org-access_log; + error_log /var/log/nginx/webmail.example.org-error_log; + + # enable ssl + + ssl on; + ssl_certificate /etc/pki/tls/private/localhost.pem; + ssl_certificate_key /etc/pki/tls/private/localhost.pem; + + # Start common Kolab config + + ## + ## Chwala + ## + location /chwala { + index index.php; + alias /usr/share/chwala/public_html; + + client_max_body_size 30M; # set maximum upload size + + # enable php + location ~ \.php$ { + include fastcgi_params; + fastcgi_param HTTPS on; + fastcgi_pass unix:/var/run/php-fpm/kolab.example.org_chwala.sock; + fastcgi_param SCRIPT_FILENAME $request_filename; + # Without this, PHPSESSION is replaced by webadmin-api X-Session-Token + fastcgi_param PHP_VALUE "session.auto_start=0 + session.use_cookies=0"; + fastcgi_pass_header X-Session-Token; + } + } + + ## + ## Kolab Webclient + ## + index index.php; + root /usr/share/roundcubemail/public_html; + + # support for csrf token + rewrite "^/[a-f0-9]{16}/(.*)" /$1 break; + + # maximum upload size for mail attachments + client_max_body_size 30M; + + # enable php + location ~ \.php$ { + include fastcgi_params; + fastcgi_param HTTPS on; + fastcgi_split_path_info ^(.+\.php)(/.*)$; + fastcgi_pass unix:/var/run/php-fpm/kolab.example.org_roundcubemail.sock; + fastcgi_param SCRIPT_FILENAME $request_filename; + } + } + + # + # CardDAV + # + server { + listen 443 ssl; + server_name carddav.example.org; + access_log /var/log/nginx/carddav.example.org-access_log; + error_log /var/log/nginx/carddav.example.org-error_log; + + # enable ssl + + ssl on; + ssl_certificate /etc/pki/tls/private/localhost.pem; + ssl_certificate_key /etc/pki/tls/private/localhost.pem; + + # Start common Kolab config + + ## + ## DAV Discovery redirect + ## + location ~* /.well-known/carddav { + rewrite ^ / permanent; + } + + ## + ## iRony + ## + root /usr/share/iRony/public_html; + index index.php; + try_files $uri $uri/ /index.php?$args; + + client_max_body_size 30M; # set maximum upload size + + # If Nginx was built with http_dav_module: + dav_methods PUT DELETE MKCOL COPY MOVE; + # Required Nginx to be built with nginx-dav-ext-module: + # dav_ext_methods PROPFIND OPTIONS; + + location ~ \.php$ { + include fastcgi_params; + fastcgi_param CARDDAV 1; + # fastcgi_param DAVBROWSER 1; + + fastcgi_param HTTPS on; + fastcgi_index index.php; + fastcgi_pass unix:/var/run/php-fpm/kolab.example.org_iRony.sock; + fastcgi_param SCRIPT_FILENAME $request_filename; + } + } + + # + # CalDAV + # + server { + listen 443 ssl; + server_name caldav.example.org; + access_log /var/log/nginx/caldav.example.org-access_log; + error_log /var/log/nginx/caldav.example.org-error_log; + + # enable ssl + + ssl on; + ssl_certificate /etc/pki/tls/private/localhost.pem; + ssl_certificate_key /etc/pki/tls/private/localhost.pem; + + # Start common Kolab config + + ## + ## DAV Discovery redirect + ## + location ~* /.well-known/caldav { + rewrite ^ / permanent; + } + + ## + ## iRony + ## + root /usr/share/iRony/public_html; + index index.php; + try_files $uri $uri/ /index.php?$args; + + client_max_body_size 30M; # set maximum upload size + + # If Nginx was built with http_dav_module: + dav_methods PUT DELETE MKCOL COPY MOVE; + # Required Nginx to be built with nginx-dav-ext-module: + # dav_ext_methods PROPFIND OPTIONS; + + location ~ \.php$ { + include fastcgi_params; + fastcgi_param CALDAV 1; + # fastcgi_param DAVBROWSER 1; + + fastcgi_param HTTPS on; + fastcgi_index index.php; + fastcgi_pass unix:/var/run/php-fpm/kolab.example.org_iRony.sock; + fastcgi_param SCRIPT_FILENAME $request_filename; + } + } + + # + # WebDAV + # + server { + listen 443 ssl; + server_name webadv.example.org; + access_log /var/log/nginx/webadv.example.org-access_log; + error_log /var/log/nginx/webadv.example.org-error_log; + + # enable ssl + + ssl on; + ssl_certificate /etc/pki/tls/private/localhost.pem; + ssl_certificate_key /etc/pki/tls/private/localhost.pem; + + # Start common Kolab config + + ## + ## iRony + ## + root /usr/share/iRony/public_html; + index index.php; + try_files $uri $uri/ /index.php?$args; + + client_max_body_size 30M; # set maximum upload size + + # If Nginx was built with http_dav_module: + dav_methods PUT DELETE MKCOL COPY MOVE; + # Required Nginx to be built with nginx-dav-ext-module: + # dav_ext_methods PROPFIND OPTIONS; + + location ~ \.php$ { + include fastcgi_params; + fastcgi_param WEBDAV 1; + # fastcgi_param DAVBROWSER 1; + + fastcgi_param HTTPS on; + fastcgi_index index.php; + fastcgi_pass unix:/var/run/php-fpm/kolab.example.org_iRony.sock; + fastcgi_param SCRIPT_FILENAME $request_filename; + } + } + + # + # Kolab Web Admin Panel + API + # + server { + listen 443 ssl; server_name kolab.example.org; access_log /var/log/nginx/kolab.example.org-access_log; error_log /var/log/nginx/kolab.example.org-error_log; + # enable ssl + ssl on; - ssl_certificate /etc/pki/tls/certs/localhost.pem; - ssl_certificate_key /etc/pki/tls/certs/localhost.pem; - - # Tell supporting clients to always connect over HTTPS - add_header Strict-Transport-Security "max-age=15768000;includeSubDomains"; - - fastcgi_param HTTPS on; - - # Start common Kolab config - ## - ## Chwala - ## - location /chwala { - index index.php; - alias /usr/share/chwala/public_html; - - client_max_body_size 1000M; # set maximum upload size - - # enable php - location ~ \.php$ { - include fastcgi_params; - fastcgi_pass unix:/var/run/php-fpm/kolab_chwala.sock; - fastcgi_param SCRIPT_FILENAME $request_filename; - # Without this, PHPSESSION is replaced by webadmin-api X-Session-Token - fastcgi_param PHP_VALUE "session.auto_start=0 - session.use_cookies=0"; - fastcgi_pass_header X-Session-Token; - } - } - - ## - ## iRony - ## - location /iRony { - alias /usr/share/iRony/public_html/index.php; - - client_max_body_size 1000M; # set maximum upload size for webdav - # adjust along with upload_max_filesize and post_max_size in /etc/php.ini - - # If Nginx was built with http_dav_module: - dav_methods PUT DELETE MKCOL COPY MOVE; - # Required Nginx to be built with nginx-dav-ext-module: - # dav_ext_methods PROPFIND OPTIONS; - - include fastcgi_params; - fastcgi_index index.php; - fastcgi_pass unix:/var/run/php-fpm/kolab_iRony.sock; - fastcgi_param SCRIPT_FILENAME $request_filename; - } - location ~* /.well-known/(cal|card)dav { - rewrite ^ /iRony/ permanent; - } - - ## - ## Kolab Webclient - ## - location / { - index index.php; - root /usr/share/roundcubemail/public_html; - - client_max_body_size 30M; # maximum upload size for mail attachments - - # Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac). - location ~ /(README(.md)?|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ { - deny all; - } - location ~ /(bin|SQL|config|logs)/ { - deny all; - } - location ~ /program/(include|lib|localization|steps)/ { - deny all; - } - - # enable php - location ~ \.php$ { - include fastcgi_params; - fastcgi_split_path_info ^(.+\.php)(/.*)$; - fastcgi_pass unix:/var/run/php-fpm/kolab_roundcubemail.sock; - fastcgi_param SCRIPT_FILENAME $request_filename; - } - } - - ## - ## Kolab Web Administration Panel (WAP) and API - ## - location /kolab-webadmin { - index index.php; - alias /usr/share/kolab-webadmin/public_html; - try_files $uri $uri/ @kolab-wapapi; - - # enable php - location ~ \.php$ { - include fastcgi_params; - fastcgi_pass unix:/var/run/php-fpm/kolab_webadmin.sock; - fastcgi_param SCRIPT_FILENAME $request_filename; - # Without this, PHPSESSION is replaced by webadmin-api X-Session-Token - fastcgi_param PHP_VALUE "session.auto_start=0 - session.use_cookies=0"; - fastcgi_pass_header X-Session-Token; - } - } - # kolab-webadmin api - location @kolab-wapapi { - rewrite ^/kolab-webadmin/api/(.*)\.(.*)$ /kolab-webadmin/api/index.php?service=$1&method=$2; - } - - ## - ## Kolab syncroton ActiveSync - ## - location /Microsoft-Server-ActiveSync { - alias /usr/share/kolab-syncroton/index.php; - - client_max_body_size 30M; # maximum upload size for mail attachments - - include fastcgi_params; - fastcgi_index index.php; - fastcgi_pass unix:/var/run/php-fpm/kolab_syncroton.sock; - fastcgi_param SCRIPT_FILENAME /usr/share/kolab-syncroton/index.php; - } - - ## - ## Kolab Free/Busy - ## - location /freebusy { - alias /usr/share/kolab-freebusy/public_html/index.php; - - include fastcgi_params; - fastcgi_index index.php; - fastcgi_pass unix:/var/run/php-fpm/kolab_freebusy.sock; - fastcgi_param SCRIPT_FILENAME /usr/share/kolab-freebusy/public_html/index.php; - } - # End common Kolab config + ssl_certificate /etc/pki/tls/private/localhost.pem; + ssl_certificate_key /etc/pki/tls/private/localhost.pem; + + # Start common Kolab config + + ## + ## Kolab Web Administration Panel (WAP) and API + ## + root /usr/share/kolab-webadmin/public_html; + index index.php; + try_files $uri $uri/ @kolab-wapapi; + + # enable php + location ~ \.php$ { + include fastcgi_params; + fastcgi_param HTTPS on; + fastcgi_pass unix:/var/run/php-fpm/kolab.example.org_kolab-webadmin.sock; + fastcgi_param SCRIPT_FILENAME $request_filename; + # Without this, PHPSESSION is replaced by webadmin-api X-Session-Token + fastcgi_param PHP_VALUE "session.auto_start=0 + session.use_cookies=0"; + fastcgi_pass_header X-Session-Token; + } + + # kolab-webadmin api + location @kolab-wapapi { + rewrite ^/api/([^\.]*)\.([^\.]*)$ /api/index.php?service=$1&method=$2; + } } - EOF -#. For this demonstrative configuration, make sure the following setting is in - :file:`/etc/roundcubemail/config.inc.php`: + # + # Syncroton / ActiveSync + # + server { + listen 443 ssl; + server_name activesync.example.org; + + access_log /var/log/nginx/kolab.example.org-access_log; + error_log /var/log/nginx/kolab.example.org-error_log; + + # enable ssl + + ssl on; + ssl_certificate /etc/pki/tls/private/localhost.pem; + ssl_certificate_key /etc/pki/tls/private/localhost.pem; + + ## + ## Kolab syncroton ActiveSync + ## + location /Microsoft-Server-ActiveSync { + alias /usr/share/kolab-syncroton/index.php; + + client_max_body_size 30M; # maximum upload size for mail attachments + + include fastcgi_params; + fastcgi_param HTTPS on; + fastcgi_read_timeout 1200; + fastcgi_index index.php; + fastcgi_pass unix:/var/run/php-fpm/kolab.example.org_kolab-syncroton.sock; + fastcgi_param SCRIPT_FILENAME /usr/share/kolab-syncroton/index.php; + } + + ## + ## Return to Webmail any other invalid request + ## + location / { + rewrite ^ https://webmail.example.org permanent; + } + } + + # + # FreeBusy + # + server { + listen 443 ssl; + server_name freebusy.example.org; + + access_log /var/log/nginx/freebusy.example.org-access_log; + error_log /var/log/nginx/freebusy.example.org-error_log; + + # enable ssl + + ssl on; + ssl_certificate /etc/pki/tls/private/localhost.pem; + ssl_certificate_key /etc/pki/tls/private/localhost.pem; + + # Start common Kolab config + + ## + ## Kolab Free/Busy + ## + root /usr/share/kolab-freebusy/public_html/index.php; + index index.php; + try_files $uri $uri/ /index.php?$args; + + location ~ \.php$ { + include fastcgi_params; + fastcgi_param HTTPS on; + fastcgi_index index.php; + fastcgi_pass unix:/var/run/php-fpm/kolab.example.org_kolab-freebusy.sock; + fastcgi_param SCRIPT_FILENAME /usr/share/kolab-freebusy/public_html/index.php; + } + } + + .. note:: + + On Debian you can use the site configuration found at + + * ``/etc/nginx/sites-available/`` + * ``/etc/nginx/sites-enabled/`` + + +#. Adjust your kolab webadmin api url in the :file:`/etc/kolab/kolab.conf` + configuration, otherwise webadmin or commandline tools will not work. + + .. parsed-literal:: + + [kolab_wap] + api_url = https://kolab.example.org/api + +#. Since Freebusy has moved to a different location we've to adjust the api + endpoint in :file:`/etc/roundcubemail/libkolab.inc.php` + + .. parsed-literal:: + + $config['kolab_freebusy_server'] = 'https://freebusy.example.org'; + +#. iRony basedir has to be adjusted in :file:`/etc/iRony/dav.inc.php` + + .. parsed-literal:: + + $config['base_uri'] = '/'; + +#. We can now set the absolute urls for the CalDAV/CardDAV integration + + :file:`/etc/roundcubemail/calendar.inc.php` .. parsed-literal:: - $config['file_api_url'] = 'https://kolab.example.org:8443/chwala/api/'; + $config['calendar_caldav_url'] = "https://caldav.example.org/calendars/%u/%i"; -#. Ensure, if you are using HTTPS, that the Chwala URL (``kolab_files_url``) - in :file:`/etc/roundcubemail/kolab_files.inc.php` is also set to - ``https`` rather than ``http``, and port set to 8443, or most browsers will be unable to access - the files component in Roundcube. + :file:`/etc/roundcubemail/kolab_addressbook.inc.php` + + .. parsed-literal:: + + $config['kolab_addressbook_carddav_url'] = "https://carddav.example.org/addressbooks/%u/%i"; + +Finalize / Common +----------------- + +#. Since we run Roundcube in the base directory ``/`` of the server, we've to + set the correct asset path + + .. parsed-literal:: + + $config['assets_path'] = '/assets/'; #. For configurations that use SSL, make sure to work around a known issue in PHP pear module HTTP_Request2, and include in :file:`/etc/roundcubemail/config.inc.php`: .. parsed-literal:: $config['ssl_verify_host'] = false; $config['ssl_verify_peer'] = false; #. Start the **php-fpm** service and configure the service to start on boot: .. parsed-literal:: # :command:`service php-fpm start` # :command:`chkconfig php-fpm on` #. Start the **nginx** service and configure the service to start on boot: .. parsed-literal:: # :command:`service nginx start` # :command:`chkconfig nginx on` Tips, tweaks and optimizations ============================== Tweaking ssl cipher settings ---------------------------- To ensure Perfect Forward Secrecy is enabled when possible #. Add the following into **http** section of :file:`/etc/nginx/nginx.conf`: .. parsed-literal:: - # These cipher settings should ensure Perfect Forward Secrecy is - # enabled when possible. - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_prefer_server_ciphers on; - - ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM - EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 - EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL - !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"; - - ssl_session_cache shared:SSL:10m; + # These cipher settings should ensure Perfect Forward Secrecy is + # enabled when possible. + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_prefer_server_ciphers on; + + ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM + EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 + EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL + !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"; + + ssl_session_cache shared:SSL:10m; #. Restart the **nginx** service: .. parsed-literal:: # :command:`service nginx restart` - Adding open file cache to nginx ------------------------------- Open file cache will make nginx cache static files, that were accessed ``open_file_cache_min_uses`` times. #. Add the following into **http** section of :file:`/etc/nginx/nginx.conf`: .. parsed-literal:: open_file_cache max=16384 inactive=5m; open_file_cache_valid 90s; open_file_cache_min_uses 2; open_file_cache_errors on; #. Restart the **nginx** service: .. parsed-literal:: # :command:`service nginx restart` Adding fastcgi_cache to nginx ----------------------------- #. Create and set ownership on the following directories: * :file:`/var/lib/nginx/fastcgi/` .. parsed-literal:: # :command:`mkdir -p /var/lib/nginx/fastcgi/` # :command:`chown -R nginx:nginx /var/lib/nginx/fastcgi/` # :command:`chmod -R 700 /var/lib/nginx/fastcgi/` #. Add the following into **http** section of :file:`/etc/nginx/nginx.conf`: .. parsed-literal:: fastcgi_cache_key "$scheme$request_method$host$request_uri"; fastcgi_cache_use_stale error timeout invalid_header http_500; - fastcgi_cache_valid 200 302 304 10m; - fastcgi_cache_valid 301 1h; - fastcgi_cache_min_uses 2; + fastcgi_cache_valid 200 302 304 10m; + fastcgi_cache_valid 301 1h; + fastcgi_cache_min_uses 2; #. Add the following outside **server** sections of :file:`/etc/nginx/conf.d/default.conf`: .. parsed-literal:: fastcgi_cache_path /var/lib/nginx/fastcgi/ levels=1:2 keys_zone=key-zone-name:16m max_size=256m inactive=1d; #. Add the following into **ssl server** section of :file:`/etc/nginx/conf.d/default.conf`: - + .. parsed-literal:: - fastcgi_cache key-zone-name; - + fastcgi_cache key-zone-name; + #. Restart the **nginx** service: .. parsed-literal:: # :command:`service nginx restart` +Browse CalDAV/CardDAV/WebDAV with your browser +---------------------------------------------- + +In the default configuration iRony only supports the default DAV commands. If +you want to use GET to browse through your DAV instance to make sure everything +is working, just uncomment the ``fastcgi_param DAVBROWSER 1`` option in the php +section and point your browser to it. + Splitting Kolab nginx config for use with multi-domain ------------------------------------------------------ You can put common Kolab config into separate file and include it into server configurations, if you need different settings for different domains in a multi-domain setup (eg. different ssl certificates). This way you wount have to keep up to date lines common to all Kolab servers in multitude of server configurations. -#. Common Kolab config is between lines: +#. Common Kolab config is between lines: .. parsed-literal:: - # Start common Kolab config - ... - # End common Kolab config + # Start common Kolab config + ... + # End common Kolab config move it into separate file (eg. :file:`/etc/nginx/kolab_common.conf`) -#. Use ``include`` directive to include the new file into configuration: +#. Use ``include`` directive to include the new file into configuration: - .. parsed-literal:: - - # Start common Kolab config - include /etc/nginx/kolab_common.conf - # End common Kolab config + .. parsed-literal:: + # Start common Kolab config + include /etc/nginx/kolab_common.conf + # End common Kolab config So your server configuration file can look like similar to this: .. parsed-literal:: fastcgi_cache_path /var/lib/nginx/fastcgi/ levels=1:2 keys_zone=kolab1-key-zone-name:16m max_size=256m inactive=1d; server { - listen 8080 default_server; + listen 80 default_server; server_name kolab1.example.org; - rewrite ^ https://$server_name:8443$uri permanent; # enforce https redirect + rewrite ^ https://$http_hosts$request_uri permanent; # enforce https redirect } server { - listen 8443 ssl; + listen 443 ssl; server_name kolab1.example.org; access_log /var/log/nginx/kolab1.example.org-access_log; error_log /var/log/nginx/kolab1.example.org-error_log; ssl on; ssl_certificate /etc/pki/tls/certs/kolab1.example.org.pem; ssl_certificate_key /etc/pki/tls/certs/kolab1.example.org.pem; - fastcgi_cache kolab1-key-zone-name; + fastcgi_cache kolab1-key-zone-name; + + # Start common Kolab config + include /etc/nginx/kolab_common.conf + # End common Kolab config + } - # Start common Kolab config - include /etc/nginx/kolab_common.conf - # End common Kolab config - } - .. rubric:: Footnotes .. [#fpm_pools] Values for fpm servers are taken from a - moderately loaded virtual server with 4x3.5GHz CPU - and 4GB RAM, feel free to adjust them according to - your setup. + moderately loaded virtual server with 4x3.5GHz CPU + and 4GB RAM, feel free to adjust them according to + your setup.