diff --git a/config.demo/docker-compose.override.yml b/config.demo/docker-compose.override.yml
index 57d2728f..4df84875 100644
--- a/config.demo/docker-compose.override.yml
+++ b/config.demo/docker-compose.override.yml
@@ -1,200 +1,201 @@ version: '3' services: roundcube: environment: - MAIL_HOST=postfix - MAIL_PORT=10587 + - FILEAPI_WOPI_OFFICE=https://kolab.local proxy: depends_on: imap: condition: service_healthy postfix: condition: service_healthy webapp: condition: service_healthy build: context: ./docker/proxy/ healthcheck: interval: 10s test: "kill -0 $$(cat /run/nginx.pid)" timeout: 5s retries: 30 environment: - APP_WEBSITE_DOMAIN=${APP_WEBSITE_DOMAIN:?err} - SSL_CERTIFICATE=${PROXY_SSL_CERTIFICATE:?err} - SSL_CERTIFICATE_KEY=${PROXY_SSL_CERTIFICATE_KEY:?err} container_name: kolab-proxy restart: on-failure hostname: proxy image: kolab-proxy extra_hosts: - "meet:${MEET_LISTENING_HOST}" networks: kolab: ipv4_address: 172.18.0.7 tmpfs: - /run - /tmp - /var/run - /var/tmp tty: true volumes: - ./docker/certs/:/etc/certs/:ro - /etc/letsencrypt/:/etc/letsencrypt/:ro ports: # - "25:25" # - "80:80" - "443:443" - "465:465" - "587:587" - "143:143" - "993:993" imap: build: context: ./docker/imap/ environment: - APP_DOMAIN=${APP_DOMAIN} - SERVICES_PORT=8000 - IMAP_ADMIN_LOGIN=${IMAP_ADMIN_LOGIN} - IMAP_ADMIN_PASSWORD=${IMAP_ADMIN_PASSWORD} - SSL_CERTIFICATE=${KOLAB_SSL_CERTIFICATE:?"KOLAB_SSL_CERTIFICATE is missing"} - SSL_CERTIFICATE_FULLCHAIN=${KOLAB_SSL_CERTIFICATE_FULLCHAIN:?"KOLAB_SSL_CERTIFICATE_FULLCHAIN is missing"} - SSL_CERTIFICATE_KEY=${KOLAB_SSL_CERTIFICATE_KEY:?"KOLAB_SSL_CERTIFICATE_KEY is missing"} healthcheck: interval: 10s test: "kill -0 1" timeout: 5s retries: 30 container_name: kolab-imap restart: on-failure hostname: imap image: kolab-imap networks: kolab: ipv4_address: 172.18.0.12 extra_hosts: - "kolab.mgmt.com:127.0.0.1" - "services.${APP_DOMAIN}:172.18.0.4" tmpfs: - /run - /tmp - /var/run - /var/tmp tty: true volumes: - ./docker/certs/:/etc/certs/:ro - /etc/letsencrypt/:/etc/letsencrypt/:ro - imap-spool:/var/spool/imap - imap-lib:/var/lib/imap ports: - "11080:11080" - "11143:11143" - "11024:11024" postfix: build: context: ./docker/postfix/ healthcheck: interval: 
10s test: "kill -0 1" timeout: 5s retries: 30 environment: - APP_DOMAIN=${APP_DOMAIN} - SERVICES_PORT=8000 - DB_HOST=mariadb - DB_USERNAME=${DB_USERNAME} - DB_PASSWORD=${DB_PASSWORD} - DB_DATABASE=${DB_DATABASE} - LMTP_DESTINATION=imap:11024 - SSL_CERTIFICATE=${KOLAB_SSL_CERTIFICATE:?"KOLAB_SSL_CERTIFICATE is missing"} - SSL_CERTIFICATE_FULLCHAIN=${KOLAB_SSL_CERTIFICATE_FULLCHAIN:?"KOLAB_SSL_CERTIFICATE_FULLCHAIN is missing"} - SSL_CERTIFICATE_KEY=${KOLAB_SSL_CERTIFICATE_KEY:?"KOLAB_SSL_CERTIFICATE_KEY is missing"} container_name: kolab-postfix restart: on-failure hostname: postfix image: kolab-postfix networks: kolab: ipv4_address: 172.18.0.13 extra_hosts: - "kolab.mgmt.com:127.0.0.1" - "services.${APP_DOMAIN}:172.18.0.4" tmpfs: - /run - /tmp - /var/run - /var/tmp tty: true volumes: - ./docker/certs/:/etc/certs/:ro - /etc/letsencrypt/:/etc/letsencrypt/:ro - postfix-spool:/var/spool/postfix - postfix-lib:/var/lib/postfix ports: - "10587:10587" - "10025:10025" amavis: build: context: ./docker/amavis/ # healthcheck: # interval: 10s # test: "$(echo | nc 127.0.0.1 10024) | grep "220"" # timeout: 5s # retries: 30 environment: - APP_DOMAIN=${APP_DOMAIN} - DB_HOST=mariadb - DB_USERNAME=${DB_USERNAME} - DB_PASSWORD=${DB_PASSWORD} - DB_DATABASE=${DB_DATABASE} container_name: kolab-amavis restart: on-failure hostname: amavis image: kolab-amavis networks: kolab: ipv4_address: 172.18.0.15 tmpfs: - /run - /tmp - /var/run - /var/tmp tty: true #Volumes for clamav and spamassassin? 
# volumes: # - postfix-spool:/var/spool/postfix # - postfix-lib:/var/lib/postfix ports: - "13024:13024" collabora: build: context: ./docker/collabora/ args: REPOSITORY: "https://www.collaboraoffice.com/repos/CollaboraOnline/23.05/customer-rpm-Kolab-7537e68e8a07cf290a8c6cfcf4205db05b560582/" # healthcheck: # interval: 10s # test: "$(echo | nc 127.0.0.1 10024) | grep "220"" # timeout: 5s # retries: 30 container_name: kolab-collabora restart: on-failure hostname: collabora image: kolab-collabora environment: - ALLOWED_HOSTS=${APP_DOMAIN} + extra_hosts: + - "${APP_DOMAIN}:172.18.0.7" networks: kolab: ipv4_address: 172.18.0.17 tmpfs: - /run - /tmp - /var/run - /var/tmp tty: true - # ports: - # - "13024:13024" volumes: postfix-spool: postfix-lib: imap-spool: imap-lib: diff --git a/docker/proxy/rootfs/etc/nginx/nginx.conf b/docker/proxy/rootfs/etc/nginx/nginx.conf index 27d7f951..0a4b4c41 100644 --- a/docker/proxy/rootfs/etc/nginx/nginx.conf +++ b/docker/proxy/rootfs/etc/nginx/nginx.conf 
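Review bot: The new `FILEAPI_WOPI_OFFICE=https://kolab.local` entry in the roundcube `environment` list near the top of the hunk hard-codes a hostname, while every other host-dependent value in this file is derived from `${APP_DOMAIN}` or `${APP_WEBSITE_DOMAIN}`, so a deployment with a different domain gets a WOPI URL that points at the wrong host. If the value is meant to be the public site origin, `- FILEAPI_WOPI_OFFICE=https://${APP_WEBSITE_DOMAIN}` keeps it in step with the proxy's `server_name`. The added collabora `extra_hosts` entry pins `${APP_DOMAIN}` to `172.18.0.7`, which appears to be the proxy's `ipv4_address` declared earlier in the same hunk; a comment such as `# resolve the public domain to the proxy (see proxy.networks.kolab.ipv4_address)` would make that coupling visible to whoever changes the address.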
@@ -1,259 +1,301 @@ # For more information on configuration, see: # * Official English Documentation: http://nginx.org/en/docs/ # * Official Russian Documentation: http://nginx.org/ru/docs/ user nginx; worker_processes auto; error_log /var/log/nginx/error.log; pid /run/nginx.pid; # Load dynamic modules. See /usr/share/doc/nginx/README.dynamic. include /usr/share/nginx/modules/*.conf; events { worker_connections 1024; } http { log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 65; types_hash_max_size 2048; include /etc/nginx/mime.types; default_type application/octet-stream; map $http_upgrade $connection_upgrade { default upgrade; '' close; } # Load modular configuration files from the /etc/nginx/conf.d directory. # See http://nginx.org/en/docs/ngx_core_module.html#include # for more information. include /etc/nginx/conf.d/*.conf; server { listen [::]:443 ssl ipv6only=on; listen 443 ssl; ssl_certificate SSL_CERTIFICATE_CERT; ssl_certificate_key SSL_CERTIFICATE_KEY; server_name APP_WEBSITE_DOMAIN; root /usr/share/nginx/html; # Load configuration files for the default server block. 
include /etc/nginx/default.d/*.conf; location / { proxy_pass http://webapp:8000; proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Proto $scheme; proxy_no_cache 1; proxy_cache_bypass 1; # Mostly for files, swoole has a 10MB limit client_max_body_size 11m; } location /meetmedia { proxy_pass https://meet:12443; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; proxy_set_header Host $host; } location /meetmedia/api { proxy_pass https://meet:12443; proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Proto $scheme; proxy_no_cache 1; proxy_cache_bypass 1; } location /roundcubemail { proxy_pass http://roundcube:8080; proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Proto $scheme; proxy_no_cache 1; proxy_cache_bypass 1; } location /chwala { proxy_pass http://roundcube:8080; proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Proto $scheme; proxy_no_cache 1; proxy_cache_bypass 1; } location /Microsoft-Server-ActiveSync { auth_request /auth; #auth_request_set $auth_status $upstream_status; proxy_pass http://roundcube:8080; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_send_timeout 910s; proxy_read_timeout 910s; fastcgi_send_timeout 910s; 
fastcgi_read_timeout 910s; } location ~* ^/\\.well-known/autoconfig { proxy_pass http://roundcube:8080; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } location ~* ^/\\autodiscover/autodiscover.xml { proxy_pass http://roundcube:8080; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } location ~ ^/\\.well-known/(caldav|carddav)(.*)$ { return 301 /dav/$2; } location /dav { #auth_request_set $auth_status $upstream_status; proxy_pass http://imap:11080/dav; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } + # static files + location ^~ /browser { + proxy_pass http://collabora:9980; + proxy_set_header Host $http_host; + } + + # WOPI discovery URL + location ^~ /hosting/discovery { + proxy_pass http://collabora:9980; + proxy_set_header Host $http_host; + } + + # Capabilities + location ^~ /hosting/capabilities { + proxy_pass http://collabora:9980; + proxy_set_header Host $http_host; + } + + # main websocket + location ~ ^/cool/(.*)/ws$ { + proxy_pass http://collabora:9980; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header Host $http_host; + proxy_read_timeout 36000s; + } + + # download, presentation and image upload + location ~ ^/(c|l)ool { + proxy_pass http://collabora:9980; + proxy_set_header Host $http_host; + } + + # Admin Console websocket + location ^~ /cool/adminws { + proxy_pass http://collabora:9980; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header Host $http_host; + proxy_read_timeout 36000s; + } + location = /auth { internal; proxy_pass http://webapp:8000/api/webhooks/nginx-httpauth; proxy_pass_request_body off; proxy_set_header Host services.APP_WEBSITE_DOMAIN; proxy_set_header Content-Length ""; 
proxy_set_header X-Original-URI $request_uri; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } error_page 404 /404.html; location = /40x.html { } error_page 500 502 503 504 /50x.html; location = /50x.html { } } } mail { server_name imap.hosted.com; auth_http webapp:8000/api/webhooks/nginx; auth_http_header Host services.APP_WEBSITE_DOMAIN; proxy_pass_error_message on; proxy_smtp_auth on; xclient off; server { listen 143; protocol imap; proxy on; starttls on; ssl_certificate SSL_CERTIFICATE_CERT; ssl_certificate_key SSL_CERTIFICATE_KEY; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers HIGH:!aNULL:!MD5; } # Roundcube specific imap endpoint with proxy-protocol enabled server { listen 144 proxy_protocol; protocol imap; auth_http webapp:8000/api/webhooks/nginx-roundcube; proxy on; starttls on; ssl_certificate SSL_CERTIFICATE_CERT; ssl_certificate_key SSL_CERTIFICATE_KEY; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers HIGH:!aNULL:!MD5; } server { listen 465 ssl; protocol smtp; proxy on; ssl_certificate SSL_CERTIFICATE_CERT; ssl_certificate_key SSL_CERTIFICATE_KEY; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers HIGH:!aNULL:!MD5; } server { listen 587; protocol smtp; proxy on; starttls on; ssl_certificate SSL_CERTIFICATE_CERT; ssl_certificate_key SSL_CERTIFICATE_KEY; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers HIGH:!aNULL:!MD5; } server { listen 993 ssl; protocol imap; proxy on; ssl_certificate SSL_CERTIFICATE_CERT; ssl_certificate_key SSL_CERTIFICATE_KEY; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers HIGH:!aNULL:!MD5; } }
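Review bot: The two new websocket locations, `location ~ ^/cool/(.*)/ws$` and `location ^~ /cool/adminws`, set the `Upgrade`/`Connection` headers but not `proxy_http_version 1.1;`, which the existing `/meetmedia` block in this file does set; nginx proxies with HTTP/1.0 by default and the upgrade handshake requires 1.1, so these websockets are unlikely to connect through the proxy. Add `proxy_http_version 1.1;` to both blocks, and consider `proxy_set_header Connection $connection_upgrade;` using the `map` already defined at the top of `http {}` instead of the hard-coded `"Upgrade"`. Separately, `/cool/adminws` exposes the Collabora admin console websocket on the public 443 listener with no `auth_request` gate, unlike `/Microsoft-Server-ActiveSync`; if the admin console is not needed from outside, drop that location or restrict it (for example with `allow`/`deny` or `auth_request /auth`) and record the decision in a comment.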