dataset/seed/mailman/templates/config-nginx.conf

# This nginx config file is part of the mailman3-web package.
#
# This nginx configuration file is a vhost configuration. Hence, it comes with
# a server name which is set to mailman.example.com. You will have to change it
# properly.
#
# Please also note that Mailman3 is configured to expect the web interface
# at URL subdirectory '/mailman3' per default, but this Nginx configuration
# provides Mailman3 under the root directory of the vhost.
#
# For the Nginx vhost configuration (without '/mailman3' subdomain) to
# work, you will have to edit the URL in 'base-url' at
# '/etc/mailman3/mailman-hyperkitty.cfg' and in 'MAILMAN_ARCHIVER_FROM'
# at '/etc/mailman3/mailman-web.py' accordingly.

upstream mailman3 {
    server unix:/run/mailman3-web/uwsgi.sock fail_timeout=0;
}

#server {
#    listen 80;
#    listen [::]:80;
#    server_name mailman.example.com;
#    server_tokens off;
#
#    location / {
#        uwsgi_pass mailman3;
#        include /etc/nginx/uwsgi_params;
#    }
#
#    location /mailman3/static {
#        alias /var/lib/mailman3/web/static;
#    }
#
#    location /mailman3/static/favicon.ico {
#        alias /var/lib/mailman3/web/static/postorius/img/favicon.ico;
#    }
#
##    return 301 https://$server_name$request_uri;
#    access_log /var/log/nginx/mailman3/access.log combined;
#    error_log /var/log/nginx/mailman3/error.log;
#}

# Nginx SSL snippet. To enable it, please uncomment and update the server_name and the
# ssl parameters for the certificate.
# Then, remove all location statements from the above configuration and uncomment
# the return 301 statement.
server {
    listen 443 ssl http2;
#    listen [::]:443 ssl http2;
    server_name _;
    server_tokens off;

    ## Strong SSL Security
    ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
#    ssl on;
    ssl_certificate              %%tls_cert_directory/revprox.crt;
    ssl_certificate_key          %%tls_key_directory/revprox.key;
    ssl_client_certificate       %%tls_ca_directory/InternalReverseProxy.crt;

    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;

    location / {
        uwsgi_pass mailman3;
        include /etc/nginx/uwsgi_params;
    }

%set %%location = %%revprox_client_external_domainnames[0].revprox_client_location
%if not %%location.endswith('/')
%%location += '/'
%end if
    location %%{location}static {
        alias /var/lib/mailman3/web/static;
    }

    location %%{location}static/favicon.ico {
        alias /var/lib/mailman3/web/static/postorius/img/favicon.ico;
    }
#
#    access_log /var/log/nginx/mailman3/access.log combined;
#    error_log /var/log/nginx/mailman3/error.log;
}


#charset utf-8;
#client_max_body_size 75M;
#location /mailman/postorius_static {
#    alias /usr/lib/python3.10/site-packages/postorius/static;
#}
##FIXME user-profile seems to be in hyperkitty redirect in existing page
#location /mailman/user-profile {
#    proxy_pass http://127.0.0.1:8002/postorius/users;
#    proxy_set_header        Host                    $http_host;
#    proxy_set_header        X-Real-IP               $remote_addr;
#    proxy_set_header        X-Forwarded-Host        $host;
#    proxy_set_header        X-Forwarded-Port        $server_port;
#    proxy_set_header        X-Forwarded-Server      $host;
#    proxy_set_header        X-Forwarded-For         $proxy_add_x_forwarded_for;
#    proxy_set_header        X-Forwarded-Proto       $scheme;
#}
#%for %%location in ['accounts', 'admin', 'postorius']
#location /mailman/%%location {
#    proxy_pass http://127.0.0.1:8002/%%location;
#    proxy_set_header        Host                    $http_host;
#    proxy_set_header        X-Real-IP               $remote_addr;
#    proxy_set_header        X-Forwarded-Host        $host;
#    proxy_set_header        X-Forwarded-Port        $server_port;
#    proxy_set_header        X-Forwarded-Server      $host;
#    proxy_set_header        X-Forwarded-For         $proxy_add_x_forwarded_for;
#    proxy_set_header        X-Forwarded-Proto       $scheme;
#}
#%end for
#location /mailman {
#    rewrite ^(/mailman/.*)$ /mailman/postorius/ permanent;
#}
TLS 2023-02-14 14:24:16 +01:00			`# This nginx config file is part of the mailman3-web package.`
			`#`
			`# This nginx configuration file is a vhost configuration. Hence, it comes with`
			`# a server name which is set to mailman.example.com. You will have to change it`
			`# properly.`
			`#`
			`# Please also note that Mailman3 is configured to expect the web interface`
			`# at URL subdirectory '/mailman3' per default, but this Nginx configuration`
			`# provides Mailman3 under the root directory of the vhost.`
			`#`
			`# For the Nginx vhost configuration (without '/mailman3' subdomain) to`
			`# work, you will have to edit the URL in 'base-url' at`
			`# '/etc/mailman3/mailman-hyperkitty.cfg' and in 'MAILMAN_ARCHIVER_FROM'`
			`# at '/etc/mailman3/mailman-web.py' accordingly.`

			`upstream mailman3 {`
			`server unix:/run/mailman3-web/uwsgi.sock fail_timeout=0;`
simplify nginx configuration 2022-08-19 20:30:13 +02:00			`}`
TLS 2023-02-14 14:24:16 +01:00
			`#server {`
			`# listen 80;`
			`# listen [::]:80;`
			`# server_name mailman.example.com;`
			`# server_tokens off;`
			`#`
			`# location / {`
			`# uwsgi_pass mailman3;`
			`# include /etc/nginx/uwsgi_params;`
			`# }`
			`#`
			`# location /mailman3/static {`
			`# alias /var/lib/mailman3/web/static;`
			`# }`
			`#`
			`# location /mailman3/static/favicon.ico {`
			`# alias /var/lib/mailman3/web/static/postorius/img/favicon.ico;`
			`# }`
			`#`
			`## return 301 https://$server_name$request_uri;`
			`# access_log /var/log/nginx/mailman3/access.log combined;`
			`# error_log /var/log/nginx/mailman3/error.log;`
			`#}`

			`# Nginx SSL snippet. To enable it, please uncomment and update the server_name and the`
			`# ssl parameters for the certificate.`
			`# Then, remove all location statements from the above configuration and uncomment`
			`# the return 301 statement.`
			`server {`
			`listen 443 ssl http2;`
			`# listen [::]:443 ssl http2;`
			`server_name _;`
			`server_tokens off;`

			`## Strong SSL Security`
			`## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/`
			`# ssl on;`
			`ssl_certificate %%tls_cert_directory/revprox.crt;`
			`ssl_certificate_key %%tls_key_directory/revprox.key;`
			`ssl_client_certificate %%tls_ca_directory/InternalReverseProxy.crt;`

			`ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";`
			`ssl_protocols TLSv1 TLSv1.1 TLSv1.2;`
			`ssl_prefer_server_ciphers on;`
			`ssl_session_cache shared:SSL:10m;`
			`ssl_session_timeout 5m;`

			`location / {`
			`uwsgi_pass mailman3;`
			`include /etc/nginx/uwsgi_params;`
			`}`

			`%set %%location = %%revprox_client_external_domainnames[0].revprox_client_location`
			`%if not %%location.endswith('/')`
			`%%location += '/'`
			`%end if`
			`location %%{location}static {`
			`alias /var/lib/mailman3/web/static;`
			`}`

			`location %%{location}static/favicon.ico {`
			`alias /var/lib/mailman3/web/static/postorius/img/favicon.ico;`
			`}`
			`#`
			`# access_log /var/log/nginx/mailman3/access.log combined;`
			`# error_log /var/log/nginx/mailman3/error.log;`
fork from cadoles' risotto-dataset 2022-03-08 19:42:28 +01:00			`}`
TLS 2023-02-14 14:24:16 +01:00



			`#charset utf-8;`
			`#client_max_body_size 75M;`
			`#location /mailman/postorius_static {`
			`# alias /usr/lib/python3.10/site-packages/postorius/static;`
			`#}`
			`##FIXME user-profile seems to be in hyperkitty redirect in existing page`
			`#location /mailman/user-profile {`
			`# proxy_pass http://127.0.0.1:8002/postorius/users;`
			`# proxy_set_header Host $http_host;`
			`# proxy_set_header X-Real-IP $remote_addr;`
			`# proxy_set_header X-Forwarded-Host $host;`
			`# proxy_set_header X-Forwarded-Port $server_port;`
			`# proxy_set_header X-Forwarded-Server $host;`
			`# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`# proxy_set_header X-Forwarded-Proto $scheme;`
			`#}`
			`#%for %%location in ['accounts', 'admin', 'postorius']`
			`#location /mailman/%%location {`
			`# proxy_pass http://127.0.0.1:8002/%%location;`
			`# proxy_set_header Host $http_host;`
			`# proxy_set_header X-Real-IP $remote_addr;`
			`# proxy_set_header X-Forwarded-Host $host;`
			`# proxy_set_header X-Forwarded-Port $server_port;`
			`# proxy_set_header X-Forwarded-Server $host;`
			`# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`# proxy_set_header X-Forwarded-Proto $scheme;`
			`#}`
			`#%end for`
			`#location /mailman {`
			`# rewrite ^(/mailman/.*)$ /mailman/postorius/ permanent;`
			`#}`