# This nginx config file is part of the mailman3-web package. # # This nginx configuration file is a vhost configuration. Hence, it comes with # a server name which is set to mailman.example.com. You will have to change it # properly. # # Please also note that Mailman3 is configured to expect the web interface # at URL subdirectory '/mailman3' per default, but this Nginx configuration # provides Mailman3 under the root directory of the vhost. # # For the Nginx vhost configuration (without '/mailman3' subdomain) to # work, you will have to edit the URL in 'base-url' at # '/etc/mailman3/mailman-hyperkitty.cfg' and in 'MAILMAN_ARCHIVER_FROM' # at '/etc/mailman3/mailman-web.py' accordingly. upstream mailman3 { server unix:/run/mailman3-web/uwsgi.sock fail_timeout=0; } #server { # listen 80; # listen [::]:80; # server_name mailman.example.com; # server_tokens off; # # location / { # uwsgi_pass mailman3; # include /etc/nginx/uwsgi_params; # } # # location /mailman3/static { # alias /var/lib/mailman3/web/static; # } # # location /mailman3/static/favicon.ico { # alias /var/lib/mailman3/web/static/postorius/img/favicon.ico; # } # ## return 301 https://$server_name$request_uri; # access_log /var/log/nginx/mailman3/access.log combined; # error_log /var/log/nginx/mailman3/error.log; #} # Nginx SSL snippet. To enable it, please uncomment and update the server_name and the # ssl parameters for the certificate. # Then, remove all location statements from the above configuration and uncomment # the return 301 statement. server { listen 443 ssl http2; # listen [::]:443 ssl http2; server_name _; server_tokens off; ## Strong SSL Security ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/ # ssl on; ssl_certificate %%tls_cert_directory/revprox.crt; ssl_certificate_key %%tls_key_directory/revprox.key; ssl_client_certificate %%tls_ca_directory/InternalReverseProxy.crt; ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; ssl_session_timeout 5m; location / { uwsgi_pass mailman3; include /etc/nginx/uwsgi_params; } %set %%location = %%revprox_client_external_domainnames[0].revprox_client_location %if not %%location.endswith('/') %%location += '/' %end if location %%{location}static { alias /var/lib/mailman3/web/static; } location %%{location}static/favicon.ico { alias /var/lib/mailman3/web/static/postorius/img/favicon.ico; } # # access_log /var/log/nginx/mailman3/access.log combined; # error_log /var/log/nginx/mailman3/error.log; } #charset utf-8; #client_max_body_size 75M; #location /mailman/postorius_static { # alias /usr/lib/python3.10/site-packages/postorius/static; #} ##FIXME user-profile seems to be in hyperkitty redirect in existing page #location /mailman/user-profile { # proxy_pass http://127.0.0.1:8002/postorius/users; # proxy_set_header Host $http_host; # proxy_set_header X-Real-IP $remote_addr; # proxy_set_header X-Forwarded-Host $host; # proxy_set_header X-Forwarded-Port $server_port; # proxy_set_header X-Forwarded-Server $host; # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # proxy_set_header X-Forwarded-Proto $scheme; #} #%for %%location in ['accounts', 'admin', 'postorius'] #location /mailman/%%location { # proxy_pass http://127.0.0.1:8002/%%location; # proxy_set_header Host $http_host; # proxy_set_header X-Real-IP $remote_addr; # proxy_set_header X-Forwarded-Host $host; # proxy_set_header X-Forwarded-Port $server_port; # proxy_set_header X-Forwarded-Server $host; # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # proxy_set_header X-Forwarded-Proto $scheme; #} #%end for #location /mailman { # rewrite ^(/mailman/.*)$ /mailman/postorius/ permanent; #}