installation nginx - martinschaible/rspamd-installation-for-smartermail GitHub Wiki

Installation nginx

Let's install nginx with this:

dnf install nginx

Allow nginx to start after a reboot of the server:

systemctl enable nginx

We need a configuration file for a reverse proxy. I created the file partly from the example in the Rspamd documentation. Certbot then added its configuration to the file.

Create the file /etc/nginx/conf.d/RspamdProxy.conf, add the content below and replace the value rspamd.netfusion.ch with your domain:

server {
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-XSS-Protection "1; mode=block";

    server_name rspamd.netfusion.ch;
    
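    # Serve the static web interface files from disk;
    # anything not found there is handed to @proxy.
    location / {
        root /usr/share/rspamd/www/;
        try_files $uri @proxy;
    }

    # Forward to the Rspamd controller on 127.0.0.1:11334.
    location @proxy {
        proxy_pass  http://127.0.0.1:11334;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
    }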

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/rspamd.netfusion.ch/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/rspamd.netfusion.ch/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = rspamd.netfusion.ch) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
        
    server_name rspamd.netfusion.ch;
    return 404; # managed by Certbot
}

Start nginx now:

systemctl start nginx

Certificate

We need a certificate: either our own or one from Let's Encrypt. I'm too lazy to replace a certificate on a yearly basis, so I go for Let's Encrypt. For that we install the certbot package together with its support package for nginx:

dnf install certbot python3-certbot-nginx

The client for Let's Encrypt is installed and we are ready to get an SSL certificate:

certbot --nginx -d rspamd.netfusion.ch

Certbot will ask you for the domain name and an email address. Then the certificate will be generated and the configuration file will also be updated.

Firewall

Firewalls like iptables and nftables allow outgoing traffic for all ports.

  • The client for Let's Encrypt needs inbound HTTP traffic.
  • Rspamd needs inbound HTTPS traffic.

This is the rule for nftables:

tcp dport {http, https} ct state new accept comment "Permit inbound TCP traffic for Rspamd"

Restart your firewall now.
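
Once nginx is running with its certificate and the firewall is open, it is worth confirming that the four add_header lines from RspamdProxy.conf actually reach the client. The shell function below is an added example, not part of the original wiki; the name check_headers and both sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that the headers set by add_header in
# RspamdProxy.conf reach the client. Feed it raw response headers, e.g.
#   curl -sI https://<your-domain>/ | check_headers
# It prints one line per expected header that is missing or differs.

check_headers() {
    # Normalise stdin: drop CRs, lower-case, trim spaces around the first colon.
    hdrs=$(tr -d '\r' | tr '[:upper:]' '[:lower:]' |
           sed -e 's/[[:space:]]*:[[:space:]]*/:/' -e 's/[[:space:]]*$//')
    # Expected name|value pairs, lower-cased, taken from the server block.
    while IFS='|' read -r name want; do
        got=$(printf '%s\n' "$hdrs" |
              awk -F: -v n="$name" '$1 == n && !f { sub(/^[^:]*:/, ""); print; f = 1 }')
        if [ -z "$got" ]; then
            echo "MISSING $name"
        elif [ "$got" != "$want" ]; then
            echo "DIFFERS $name: $got"
        fi
    done <<'EOF'
strict-transport-security|max-age=31536000; includesubdomains
x-content-type-options|nosniff
x-frame-options|sameorigin
x-xss-protection|1; mode=block
EOF
}

# Constructed sample responses (not captured from a real server).
SAMPLE_OK='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubdomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block'

SAMPLE_404='HTTP/1.1 404 Not Found
Server: nginx
Content-Type: text/html'

printf '%s\n' "$SAMPLE_OK"  | check_headers   # all four headers present
printf '%s\n' "$SAMPLE_404" | check_headers   # all four headers absent
```

nginx applies add_header only to successful and redirect responses unless the always parameter is given, so an error response from the same server reports all four headers as missing.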