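--- a/docker/kolab/utils/05-adjust-configs.sh
+++ b/docker/kolab/utils/05-adjust-configs.sh
@@ -1,166 +1,167 @@
 #!/bin/bash
 # Replace localhost
 sed -i -e "/hosts/s/localhost/${LDAP_HOST}/" /etc/iRony/dav.inc.php
 sed -i -e "/host/s/localhost/${LDAP_HOST}/g" \
 -e "/fbsource/s/localhost/${IMAP_HOST}/g" /etc/kolab-freebusy/config.ini
 #sed -i -e "s/server_host.*/server_host = ${LDAP_HOST}/g" /etc/postfix/ldap/*
 sed -i -e "/password_ldap_host/s/localhost/${LDAP_HOST}/" /etc/roundcubemail/password.inc.php
 sed -i -e "/hosts/s/localhost/${LDAP_HOST}/" /etc/roundcubemail/kolab_auth.inc.php
 sed -i -e "s#.*db_dsnw.*# \$config['db_dsnw'] = 'mysql://${DB_RC_USERNAME}:${DB_RC_PASSWORD}@${DB_HOST}/roundcube';#" \
 -e "/default_host/s|= .*$|= 'ssl://${IMAP_HOST}';|" \
 -e "/default_port/s|= .*$|= ${IMAP_PORT};|" \
 -e "/smtp_server/s|= .*$|= 'tls://${MAIL_HOST}';|" \
 -e "/smtp_port/s/= .*$/= ${MAIL_PORT};/" \
 -e "/hosts/s/localhost/${LDAP_HOST}/" /etc/roundcubemail/config.inc.php
 sed -i -e "/hosts/s/localhost/${LDAP_HOST}/" /etc/roundcubemail/calendar.inc.php
 . ./settings.sh
 #Adjust basedn
 sed -i -r \
 -e "s/(\s+)base => '.*',$/\1base => '${hosted_domain_rootdn}',/g" \
 -e "/\\\$mydomain = / a\
 \$myhostname = '${HOSTNAME:-kolab}.${DOMAIN:-mgmt.com}';" \
 -e "s/^base_dn = .*$/base_dn = ${hosted_domain_rootdn}/g" \
 -e "s/^search_base = .*$/search_base = ${hosted_domain_rootdn}/g" \
 -e "s/(\s+)'base_dn'(\s+)=> '.*',/\1'base_dn'\2=> '${hosted_domain_rootdn}',/g" \
 -e "s/(\s+)'search_base_dn'(\s+)=> '.*',/\1'search_base_dn'\2=> '${hosted_domain_rootdn}',/g" \
 -e "s/(\s+)'user_specific'(\s+)=> false,/\1'user_specific'\2=> true,/g" \
 /etc/amavisd/amavisd.conf \
 /etc/kolab-freebusy/config.ini \
 /etc/postfix/ldap/*.cf \
 /etc/roundcubemail/config.inc.php \
 /etc/roundcubemail/calendar.inc.php \
 /etc/roundcubemail/kolab_auth.inc.php
 sed -i -r \
 -e "s/^search_base = .*$/search_base = ${domain_base_dn}/g" \
 /etc/postfix/ldap/mydestination.cf
 #Disable amavisd
 postconf -e content_filter='smtp-wallace:[127.0.0.1]:10026'
 systemctl stop amavisd
 systemctl disable amavisd
 systemctl stop clamd@amavisd
 systemctl disable clamd@amavisd
 # Change port numbers
 cat ${SSL_CERTIFICATE} ${SSL_CERTIFICATE_FULLCHAIN} ${SSL_CERTIFICATE_KEY} > /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem
 chown cyrus:mail /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem
 cp /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem /etc/pki/tls/private/postfix.pem
 chown postfix:mail /etc/pki/tls/private/postfix.pem
 chmod 655 /etc/pki/tls/private/postfix.pem
 sed -i "s/smtpd_tls_key_file =.*/smtpd_tls_key_file = \/etc\/pki\/tls\/private\/postfix.pem/" /etc/postfix/main.cf
 sed -i "s/smtpd_tls_cert_file =.*/smtpd_tls_cert_file = \/etc\/pki\/tls\/private\/postfix.pem/" /etc/postfix/main.cf
 # Remove the submission block, by matching from submission until the next empty line
 sed -i -e '/submission inet/,/^$/d' /etc/postfix/master.cf
 # Insert a new submission block with a modified port
 cat >> /etc/postfix/master.cf << EOF
 127.0.0.1:10587 inet n - n - - smtpd
 -o cleanup_service_name=cleanup_submission
 -o syslog_name=postfix/submission
 #-o smtpd_tls_security_level=encrypt
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_sasl_authenticated_header=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 -o smtpd_data_restrictions=\$submission_data_restrictions
 -o smtpd_recipient_restrictions=\$submission_recipient_restrictions
 -o smtpd_sender_restrictions=\$submission_sender_restrictions
 127.0.0.1:10465 inet n - n - - smtpd
 -o cleanup_service_name=cleanup_submission
 -o rewrite_service_name=rewrite_submission
 -o syslog_name=postfix/smtps
 -o mydestination=
 -o local_recipient_maps=
 -o relay_domains=
 -o relay_recipient_maps=
 #-o smtpd_tls_wrappermode=yes
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_sasl_authenticated_header=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 -o smtpd_sender_restrictions=\$submission_sender_restrictions
 -o smtpd_recipient_restrictions=\$submission_recipient_restrictions
 -o smtpd_data_restrictions=\$submission_data_restrictions
 EOF
 sed -i -r \
 -e "s/'vlv'(\s+)=> false,/'vlv'\1=> true,/g" \
 -e "s/'vlv_search'(\s+)=> false,/'vlv_search'\1=> true,/g" \
 -e "s/inetOrgPerson/inetorgperson/g" \
 -e "s/kolabInetOrgPerson/inetorgperson/g" \
 /etc/roundcubemail/*.inc.php
 # Adjust postfix
 # new: (inetdomainstatus:1.2.840.113556.1.4.803:=1)
 # active: (inetdomainstatus:1.2.840.113556.1.4.803:=2)
 # suspended: (inetdomainstatus:1.2.840.113556.1.4.803:=4)
 # deleted: (inetdomainstatus:1.2.840.113556.1.4.803:=8)
 # confirmed: (inetdomainstatus:1.2.840.113556.1.4.803:=16)
 # verified: (inetdomainstatus:1.2.840.113556.1.4.803:=32)
 # ready: (inetdomainstatus:1.2.840.113556.1.4.803:=64)
 sed -i -r \
 -e 's/^query_filter.*$/query_filter = (\&(associatedDomain=%s)(inetdomainstatus:1.2.840.113556.1.4.803:=18)(!(inetdomainstatus:1.2.840.113556.1.4.803:=4)))/g' \
 /etc/postfix/ldap/mydestination.cf
 # new: (inetuserstatus:1.2.840.113556.1.4.803:=1)
 # active: (inetuserstatus:1.2.840.113556.1.4.803:=2)
 # suspended: (inetuserstatus:1.2.840.113556.1.4.803:=4)
 # deleted: (inetuserstatus:1.2.840.113556.1.4.803:=8)
 # ldapready: (inetuserstatus:1.2.840.113556.1.4.803:=16)
 # imapready: (inetuserstatus:1.2.840.113556.1.4.803:=32)
 sed -i -r \
 -e 's/^query_filter.*$/query_filter = (\&(|(mail=%s)(alias=%s))(|(objectclass=kolabinetorgperson)(|(objectclass=kolabgroupofuniquenames)(objectclass=kolabgroupofurls))(|(|(objectclass=groupofuniquenames)(objectclass=groupofurls))(objectclass=kolabsharedfolder))(objectclass=kolabsharedfolder))(!(inetuserstatus:1.2.840.113556.1.4.803:=4)))/g' \
 /etc/postfix/ldap/local_recipient_maps.cf
 systemctl restart postfix
 sed -i -r -e "s|$config\['kolab_files_url'\] = .*$|$config['kolab_files_url'] = 'https://' \. \$_SERVER['HTTP_HOST'] . '/chwala/';|g" /etc/roundcubemail/kolab_files.inc.php
+sed -i -r -e "/^.*kolab_files_url.*/a \$config['kolab_files_server_url'] = 'http://127.0.0.1:9080/chwala/';" /etc/roundcubemail/kolab_files.inc.php
 sed -i -r -e "s|$config\['kolab_invitation_calendars'\] = .*$|$config['kolab_invitation_calendars'] = true;|g" /etc/roundcubemail/calendar.inc.php
 sed -i -r -e "/^.*'contextmenu',$/a 'enigma'," /etc/roundcubemail/config.inc.php
 sed -i -r -e "s|$config\['enigma_passwordless'\] = .*$|$config['enigma_passwordless'] = true;|g" /etc/roundcubemail/enigma.inc.php
 sed -i -r -e "s|$config\['enigma_multihost'\] = .*$|$config['enigma_multihost'] = true;|g" /etc/roundcubemail/enigma.inc.php
 echo "\$config['enigma_woat'] = true;" >> /etc/roundcubemail/enigma.inc.php
 # Run it over haproxy then nginx for 2fa. We need to use startls because otherwise the proxy protocol doesn't work.
 sed -i -r -e "s|$config\['default_host'\] = .*$|$config['default_host'] = 'tls://haproxy';|g" /etc/roundcubemail/config.inc.php
 sed -i -r -e "s|$config\['default_port'\] = .*$|$config['default_port'] = 145;|g" /etc/roundcubemail/config.inc.php
 # So we can just append
 sed -i "s/?>//g" /etc/roundcubemail/config.inc.php
 # Enable the PROXY protocol
 cat << EOF >> /etc/roundcubemail/config.inc.php
 \$config['imap_conn_options'] = Array(
 'ssl' => Array(
 'verify_peer_name' => false,
 'verify_peer' => false,
 'allow_self_signed' => true
 ),
 'proxy_protocol' => 2
 );
 \$config['proxy_whitelist'] = array('127.0.0.1', '172.18.0.7');
 EOF
 echo "?>" >> /etc/roundcubemail/config.inc.php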
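Review bot: The added `sed … /^.*kolab_files_url.*/a …` line is not idempotent and its address is too loose: every run of this script appends another `kolab_files_server_url` assignment, and the `a` fires on any line that merely mentions `kolab_files_url` (a comment, or the line the preceding `s` command just rewrote), so the file can end up with duplicate settings of which PHP silently keeps the last. Guarding the insertion and anchoring the address keeps the config stable across reruns: `grep -q kolab_files_server_url /etc/roundcubemail/kolab_files.inc.php || \` followed by the existing sed with its address changed to `/^\\\$config\['kolab_files_url'\]/`. The inserted value points Roundcube's server-side Chwala calls at plain `http://127.0.0.1:9080/chwala/`; that is loopback inside the container, so no TLS is lost on the wire, but a short comment saying so would stop a later reader from "fixing" it to the public https URL and routing the traffic back out through the proxy.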
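--- a/docker/proxy/rootfs/etc/nginx/nginx.conf
+++ b/docker/proxy/rootfs/etc/nginx/nginx.conf
@@ -1,256 +1,268 @@
 # For more information on configuration, see:
 # * Official English Documentation: http://nginx.org/en/docs/
 # * Official Russian Documentation: http://nginx.org/ru/docs/
 user nginx;
 worker_processes auto;
 error_log /var/log/nginx/error.log;
 pid /run/nginx.pid;
 # Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
 include /usr/share/nginx/modules/*.conf;
 events {
 worker_connections 1024;
 }
 http {
 log_format main '$remote_addr - $remote_user [$time_local] "$request" '
 '$status $body_bytes_sent "$http_referer" '
 '"$http_user_agent" "$http_x_forwarded_for"';
 access_log /var/log/nginx/access.log main;
 sendfile on;
 tcp_nopush on;
 tcp_nodelay on;
 keepalive_timeout 65;
 types_hash_max_size 2048;
 include /etc/nginx/mime.types;
 default_type application/octet-stream;
 map $http_upgrade $connection_upgrade {
 default upgrade;
 '' close;
 }
 # Load modular configuration files from the /etc/nginx/conf.d directory.
 # See http://nginx.org/en/docs/ngx_core_module.html#include
 # for more information.
 include /etc/nginx/conf.d/*.conf;
 server {
 listen [::]:443 ssl ipv6only=on;
 listen 443 ssl;
 ssl_certificate SSL_CERTIFICATE_CERT;
 ssl_certificate_key SSL_CERTIFICATE_KEY;
 server_name APP_WEBSITE_DOMAIN;
 root /usr/share/nginx/html;
 # Load configuration files for the default server block.
 include /etc/nginx/default.d/*.conf;
 location / {
 proxy_pass http://webapp:8000;
 proxy_redirect off;
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Host $host;
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_no_cache 1;
 proxy_cache_bypass 1;
 # Mostly for files, swoole has a 10MB limit
 client_max_body_size 11m;
 }
 location /meetmedia {
 proxy_pass https://meet:12443;
 proxy_http_version 1.1;
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection $connection_upgrade;
 proxy_set_header Host $host;
 }
 location /meetmedia/api {
 proxy_pass https://meet:12443;
 proxy_redirect off;
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Host $host;
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_no_cache 1;
 proxy_cache_bypass 1;
 }
 location /roundcubemail {
 proxy_pass http://kolab:9080;
 proxy_redirect off;
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Host $host;
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_no_cache 1;
 proxy_cache_bypass 1;
 }
+ location /chwala {
+ proxy_pass http://kolab:9080;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_no_cache 1;
+ proxy_cache_bypass 1;
+ }
+
 location /kolab-webadmin {
 proxy_pass http://kolab:9080;
 proxy_redirect off;
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Host $host;
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_no_cache 1;
 proxy_cache_bypass 1;
 }
 location /Microsoft-Server-ActiveSync {
 auth_request /auth;
 #auth_request_set $auth_status $upstream_status;
 proxy_pass http://kolab:9080;
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_send_timeout 910s;
 proxy_read_timeout 910s;
 fastcgi_send_timeout 910s;
 fastcgi_read_timeout 910s;
 }
 location ~* ^/\\.well-known/autoconfig {
 proxy_pass http://kolab:9080;
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 }
 location ~* ^/\\autodiscover/autodiscover.xml {
 proxy_pass http://kolab:9080;
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 }
 rewrite ^/\\.well-known/(caldav|carddav) https://\$server_name/iRony/ redirect;
 location /iRony {
 auth_request /auth;
 #auth_request_set $auth_status $upstream_status;
 proxy_pass http://kolab:9080;
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 }
 location = /auth {
 internal;
 proxy_pass http://webapp:8000/api/webhooks/nginx-httpauth;
 proxy_pass_request_body off;
 proxy_set_header Host services.APP_WEBSITE_DOMAIN;
 proxy_set_header Content-Length "";
 proxy_set_header X-Original-URI $request_uri;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
 }
 error_page 404 /404.html;
 location = /40x.html {
 }
 error_page 500 502 503 504 /50x.html;
 location = /50x.html {
 }
 }
 }
 mail {
 server_name imap.hosted.com;
 auth_http webapp:8000/api/webhooks/nginx;
 auth_http_header Host services.APP_WEBSITE_DOMAIN;
 proxy_pass_error_message on;
 server {
 listen 143;
 protocol imap;
 proxy on;
 starttls on;
 ssl_certificate SSL_CERTIFICATE_CERT;
 ssl_certificate_key SSL_CERTIFICATE_KEY;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_ciphers HIGH:!aNULL:!MD5;
 }
 # Roundcube specific imap endpoint with proxy-protocol enabled
 server {
 listen 144 proxy_protocol;
 protocol imap;
 auth_http webapp:8000/api/webhooks/nginx-roundcube;
 proxy on;
 starttls on;
 ssl_certificate SSL_CERTIFICATE_CERT;
 ssl_certificate_key SSL_CERTIFICATE_KEY;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_ciphers HIGH:!aNULL:!MD5;
 }
 server {
 listen 465 ssl;
 protocol smtp;
 proxy on;
 ssl_certificate SSL_CERTIFICATE_CERT;
 ssl_certificate_key SSL_CERTIFICATE_KEY;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_ciphers HIGH:!aNULL:!MD5;
 }
 server {
 listen 587;
 protocol smtp;
 proxy on;
 starttls on;
 ssl_certificate SSL_CERTIFICATE_CERT;
 ssl_certificate_key SSL_CERTIFICATE_KEY;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_ciphers HIGH:!aNULL:!MD5;
 }
 server {
 listen 993 ssl;
 protocol imap;
 proxy on;
 ssl_certificate SSL_CERTIFICATE_CERT;
 ssl_certificate_key SSL_CERTIFICATE_KEY;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_ciphers HIGH:!aNULL:!MD5;
 }
 }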
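Review bot: The new `location /chwala` block sets no `client_max_body_size`, so nginx's default 1m request-body limit applies to it, whereas the `/` block above explicitly raises the limit to 11m with the comment "Mostly for files"; if Chwala is the file-upload path that the new `kolab_files_url` setting points the browser at, uploads over 1m will be rejected at the proxy with 413, so add `client_max_body_size 11m;` (or whatever the backend accepts) inside the block. The block is also the fourth verbatim copy of the `proxy_set_header`/`proxy_no_cache`/`proxy_cache_bypass` set used for `/roundcubemail` and `/kolab-webadmin`; moving those lines into one snippet pulled in with `include` would keep the copies from drifting. Like `/roundcubemail` and unlike `/iRony` and `/Microsoft-Server-ActiveSync`, `/chwala` carries no `auth_request /auth;`, so whatever authentication Chwala enforces itself is the only gate on that public path; that looks intentional for a browser-facing endpoint, but it is worth confirming and recording in a one-line comment.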