Proxy server_Nginx configuration - SomethingWithHorizons/mailserver GitHub Wiki

  1. Generate the dhparam.pem file required to set up SSL connections:

    openssl dhparam -out /etc/nginx/dhparam.pem 2048

    💡 Grab a cup of coffee: this can take a while (how long depends on your CPU).

    ℹ️ Please see: dhparam.pem specific information and/or keyless-ssl details.

  2. Create /etc/nginx/ssl_params:

    + # Path to the PUBLIC and PRIVATE KEYS to enable SSL connections to this server:
    + ssl_certificate /etc/certs/example.org/fullchain.pem;
    + ssl_certificate_key /etc/certs/example.org/privkey.pem;
    +
    + # SSL PROTOCOLS TO USE (the ones still considered safe when this was written;
    + # TLSv1 and TLSv1.1 have since been deprecated by RFC 8996):
    + ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    + ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
    +
    + # Specify that server ciphers should be preferred over client ciphers:
    + ssl_prefer_server_ciphers on;
    + ssl_session_cache shared:SSL:10m;
    +
    + # Specify the file with DH parameters for DHE ciphers (made in step 1;
    + # a relative path is resolved against the /etc/nginx configuration directory):
    + ssl_dhparam dhparam.pem;

    âš ī¸ Replace example.org by your domain (2x).

  3. Edit /etc/nginx/nginx.conf to increase the server-name hash bucket size, so that Nginx has room for more (and longer) server_name entries than it allows by default:

    - # server_names_hash_bucket_size 64;
    + server_names_hash_bucket_size 64;

  4. Disable nginx' default vhost so it can be redefined in the next step:

    unlink /etc/nginx/sites-enabled/default

  5. Create a new default vhost /etc/nginx/sites-enabled/default:

    + server {
    +     listen 80 default_server;
    +
    +     location / {
    +         return 301 https://$host$request_uri;
    +     }
    + }
    +
    + server {
    +     listen 443 ssl http2 default_server;
    +     include ssl_params;
    +
    +     location / {
    +         root /var/www/html;
    +         index index.nginx-debian.html;
    +     }
    + }

  6. Create a new vhost for webmail, /etc/nginx/sites-enabled/webmail:

    + server {
    +     listen 443 ssl http2;
    +     include ssl_params;
    +
    +     server_name webmail.example.org;
    +
    +     location / {
    +         include proxy_params;
    +         proxy_pass http://<WEBMAIL IP>:80;
    +     }
    + }

    âš ī¸ Replace example.org by your domain.

    âš ī¸ Replace <WEBMAIL IP> to the IP of your webmail server/container/vm.

    💡 Repeate this step for each HTTP/HTTPS service to be hosted.

  7. Reload the nginx service to apply the changes:

    service nginx reload

  8. Create a weekly cron job that reloads nginx, so renewed certificates are picked up automatically; add it with crontab -e:

    @weekly service nginx reload
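
The following script is an added example and is not part of the SomethingWithHorizons/mailserver wiki or project. It wraps the procedure above (steps 5 through 8) in a few POSIX sh functions: render the step-6 server block for any hostname and upstream address (the step that is repeated per service), install it without clobbering an existing vhost, check an ssl_params file for the TLS versions that RFC 8996 has since deprecated, and reload only after `nginx -t` passes. The function names (render_vhost, install_vhost, check_ssl_protocols, reload_if_valid) and the script name add_vhost.sh are this example's own assumptions; the paths and directives come from the steps above.

```shell
#!/bin/sh
# Added example, not from the SomethingWithHorizons/mailserver wiki.
# Function names and the script name are this example's own assumptions.
set -eu

# render_vhost HOSTNAME UPSTREAM_IP [UPSTREAM_PORT]
# Prints the step-6 server block with the two placeholders filled in.
render_vhost() {
    vh_host=$1
    vh_upstream=$2
    vh_port=${3:-80}
    cat <<EOF
server {
    listen 443 ssl http2;
    include ssl_params;

    server_name ${vh_host};

    location / {
        include proxy_params;
        proxy_pass http://${vh_upstream}:${vh_port};
    }
}
EOF
}

# install_vhost HOSTNAME UPSTREAM_IP [SITES_DIR]
# Writes the rendered block to SITES_DIR/HOSTNAME (default
# /etc/nginx/sites-enabled), refuses to overwrite an existing vhost,
# and prints the path it wrote.
install_vhost() {
    iv_dir=${3:-/etc/nginx/sites-enabled}
    iv_target="${iv_dir}/$1"
    if [ -e "$iv_target" ]; then
        echo "refusing to overwrite existing vhost ${iv_target}" >&2
        return 1
    fi
    render_vhost "$1" "$2" > "$iv_target"
    echo "$iv_target"
}

# check_ssl_protocols FILE
# Reads the ssl_protocols directive from an ssl_params-style file and prints
# every protocol that is SSLv3 or deprecated by RFC 8996 (TLSv1, TLSv1.1).
# Returns 1 if any were found, 0 if only TLSv1.2/TLSv1.3 are enabled.
check_ssl_protocols() {
    csp_bad=$(sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*/\1/p' "$1" \
        | tr ' ' '\n' | grep -E '^(SSLv3|TLSv1|TLSv1\.1)$' || true)
    if [ -n "$csp_bad" ]; then
        echo "$csp_bad"
        return 1
    fi
    return 0
}

# reload_if_valid
# Runs the syntax check first so a typo in a new vhost cannot take the
# proxy down; only reloads when nginx -t passes (step 7).
reload_if_valid() {
    if nginx -t; then
        service nginx reload
    else
        echo "nginx -t failed; not reloading" >&2
        return 1
    fi
}

# Usage: sh add_vhost.sh HOSTNAME UPSTREAM_IP
# With no arguments the script only defines the functions above.
if [ $# -ge 2 ]; then
    check_ssl_protocols /etc/nginx/ssl_params \
        || echo "warning: legacy TLS versions enabled in ssl_params" >&2
    install_vhost "$1" "$2"
    reload_if_valid
fi
```

Run it as `sh add_vhost.sh webmail.example.org <WEBMAIL IP>` for each service from step 6; the reload is skipped, and the old configuration keeps serving, whenever the rendered vhost fails the syntax check. The protocol check only warns, because the ssl_params from step 2 deliberately lists TLSv1 and TLSv1.1; it exists so that a later tightening of that file can be verified.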
âš ī¸ **GitHub.com Fallback** âš ī¸