NGINX configuration file

Sebastian

Hi all,

are there people using nginx as server together with php-fpm?

We got contributions for a nginx config that could become a z-push-config package, but the configuration seems not fully sane.

Could you guys have a look at this config file and do a contribution that fits the following points:

• the config should be working when installed. Is it possible to listen on port 80 and comment the ssl settings (certificates)? This way when installing it “would work” and not fail with an error message (like certs not found). The SSL settings should be there, but inactive.
• once the fpm socket is /var/run/php5-fpm.sock the next time /run/php-fpm/php-fpm.sock. Which one is correct? How does this variate on different distributions? We could build different paths for different distros. We just need to know the correct locations for all supported distros.
• is a location / block really what we want here? Shouldn’t the ActiveSync & AutoDiscover locations be enough?
• how does the inclusion of fastcgi_params work? Once it has a full path then it doesn’t.
• can the autodiscover location be made case-insensitive? Because different mobiles use all kinds of different casings for this URL.
• is there a way of using variables? In line 9 rootis defined, but then fully declared again e.g. in line 33. Could this be made more generic (e.g. reusing root there)?

The latest version is here:
https://stash.z-hub.io/projects/ZP/repos/z-push/browse/config/nginx/z-push.conf?at=refs%2Fheads%2Ffeature%2FZP-1161-update-nginx-config-with-example

Changes could directly be pushed to the branch. :blush:

I would really like to have a default nginx config file in the repositories, but we depend on community input for this.

Cheers,
Sebastian

voleatech

Hi Sebastian,

here is what I use on my Debian Server:

upstream php-handler {
    server 127.0.0.1:9000;
    #server unix:/var/run/php5-fpm.sock;
}

server {

    server_name localhost; # Please edit me

    listen 80 default_server;
    listen [::]:80 default_server;

    #listen 443 ssl default_server;
    #listen [::]:443 ssl default_server;
    #ssl on;
    #ssl_certificate         /path/to/ssl.crt; # Please edit me
    #ssl_certificate_key     /path/to/ssl.key; # Please edit me

    client_max_body_size 1G;

    index index.php index.html;

    ##
    ## ActiveSync Settings
    ##
    location ~* ^/Microsoft-Server-ActiveSync {
        alias /usr/share/z-push/index.php;
        fastcgi_param PHP_FLAG "magic_quotes_gpc=off \n register_globals=off \n magic_quotes_runtime=off \n short_open_tag=on";
        fastcgi_param PHP_VALUE "post_max_size=31M \n upload_max_filesize=30M \n max_execution_time=3660";
        include fastcgi_params;
        fastcgi_index index.php;
        #fastcgi_param HTTPS on;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # Z-Push Ping command will be alive for 3600s, but be safe;
        fastcgi_read_timeout 3660;
        fastcgi_pass php-handler;
        access_log /var/log/nginx/kopano-zpush-access.log;
        error_log /var/log/nginx/kopano-zpush-error.log;
    }

    ##
    ## AutoDiscovery
    ##
    location ~* ^/Autodiscover/Autodiscover.xml {
        alias /usr/share/z-push/autodiscover/autodiscover.php;
        fastcgi_param PHP_FLAG "magic_quotes_gpc=off \n register_globals=off \n magic_quotes_runtime=off \n short_open_tag=on";
        fastcgi_param PHP_VALUE "post_max_size=31M \n upload_max_filesize=30M";
        include fastcgi_params;
        fastcgi_index index.php;
        #fastcgi_param HTTPS on;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass php-handler;
        access_log /var/log/nginx/kopano-zpush-access.log;
        error_log /var/log/nginx/kopano-zpush-error.log;
    }

}

but we also handle the webapp with that configuration as well so it might be a bad idea to use / or to set root globally.

Variables can be set with:

set $foo bar; 

fastcgi_params parameters will be passed along to the PHP FPM process. They are not unset though when the request is done. Only when the PHP Process is restarted.

Case sensitivity can be achieved with location ~* .

Best
Sven

robgnu

Hi,

we use Z-Push and WebApp on Debian 8 with Nginx for about 2 years now. It is a dedicated mailserver VM. There are about 20-25 clients connected. ~20 Outlooks, about six Androids and two iPhones.
Beacause of the lack of public information about Zarafa/Kopano/Z-Push in combination with Nginx, I solved this this way:

Folder structure:

root@mailserver:~# ls -l /var/www/
insgesamt 4
-rw-r--r-- 1 www-data www-data 177 Jun 30  2015 index.html
lrwxrwxrwx 1 www-data www-data  24 Jan 17 21:22 webapp -> /usr/share/kopano-webapp
lrwxrwxrwx 1 www-data www-data  18 Jan 17 21:55 z-push -> /usr/share/z-push/

• webapp is is a symlink.
• z-push is is a symlink.
• index.html is just a simple redirect in case users don’t enter the /webapp path.

/etc/nginx/nginx.conf:
Some security tweaks are made in this file.

server_tokens off;
[...]
ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA';
add_header Strict-Transport-Security max-age=15768000; # six months

/etc/nginx/sites-available/default:

Don’t use https on public networks like the internet. :-) This is only for requesting a Let’s encrypt certificate. The firewall opens port 80 for renewal, afterwards port 80 is closed again.

server {
       listen 80;
       listen [::]:80;
       server_name _;
       root /var/www;
       index index.html;
       location / {
               try_files $uri $uri/ =404;
       }
}

server {
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;

        ssl on;
        ssl_certificate /etc/ssl/example.com/fullchain.pem;
        ssl_certificate_key /etc/ssl/example.com/key.pem;

        root /var/www;
        index index.php index.html;

        server_name _;

        location / {
                try_files $uri $uri/ =404;
                proxy_read_timeout 3660s;
        }

        location /Microsoft-Server-ActiveSync {
                rewrite ^(.*)$  /z-push/index.php last;
        }

        location ~ \.php$ {
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_read_timeout 3660s;
        }

        location ~ /\.ht {
                deny all;
        }
}

/etc/php5/fpm/php.ini:

max_execution_time=3600
short_open_tag=On

I hope these information are helpful for anybody and it helps to have a good nginx template afterwards.

Greetings

Manfred

Hi all,

first of all thanks to Sven and robgnu for posting their config.

Based on your input I came up with the following:
/etc/nginx/sites-available/z-push.conf

server {
    server_name localhost; # Put your server name

    # Uncomment the following lines to enable SSL support if not configured yet
    #listen 443 ssl;
    #listen [::]:443 ssl;
    #ssl on;
    #ssl_certificate     /path/to/ssl.crt; # Put in the correct path
    #ssl_certificate_key /path/to/ssl.key; # Put in the correct path

    # If you're using PHP-FPM uncomment the following lines.
    #include         fastcgi_params;
    #fastcgi_index   index.php;
    #fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
    #fastcgi_param   REQUEST_URI $1;
    #fastcgi_param   PHP_FLAG "magic_quotes_gpc=off \n register_globals=off \n magic_quotes_runtime=off \n short_open_tag=on";
    #fastcgi_param   PHP_VALUE "post_max_size=20M \n upload_max_filesize=20M \n max_execution_time=3660";
    #fastcgi_param   HTTP_PROXY ""; # Mitigate https://httpoxy.org/ vulnerabilities
    #fastcgi_read_timeout 3660; # Z-Push Ping might run 3600s, but to be safe

    location ~* /Microsoft-Server-ActiveSync {
        alias       /usr/share/z-push/index.php;

        access_log  /var/log/nginx/z-push-access.log;
        error_log   /var/log/nginx/z-push-error.log;

        # Attachments ca 15MB max (since binary data needs to be base64 encoded in mine, which results in in about 33% overhead)
        client_max_body_size 20m;
        client_body_buffer_size 128k;

        # Select one of the fastcgi_pass values or adapt to your configuration
        #fastcgi_pass    unix:/var/run/php5-fpm.sock; # for PHP 5.X Debian/Ubuntu
        #fastcgi_pass    unix:/var/run/php/php7.0-fpm.sock; # for PHP 7.X Debian/Ubuntu
        #fastcgi_pass    unix:/var/run/php-fpm/php-fpm.sock; # usually RedHat and its derivatives
        #fastcgi_pass    127.0.0.1:9000; # default php-fpm config
    }

    location ~* /AutoDiscover/AutoDiscover.xml {
        alias       /usr/share/z-push/autodiscover/autodiscover.php;

        access_log  /var/log/nginx/z-push-autodiscover-access.log;
        error_log   /var/log/nginx/z-push-autodiscover-error.log;

        # Select one of the fastcgi_pass values or adapt to your configuration
        #fastcgi_pass    unix:/var/run/php5-fpm.sock; # for PHP 5.X Debian/Ubuntu
        #fastcgi_pass    unix:/var/run/php/php7.0-fpm.sock; # for PHP 7.X Debian/Ubuntu
        #fastcgi_pass    unix:/var/run/php-fpm/php-fpm.sock; # usually RedHat and its derivatives
        #fastcgi_pass    127.0.0.1:9000; # default php-fpm config

        #fastcgi_index   autodiscover.php;
    }
}

Any comments, suggestions, improvements on this?

My idea was that even if someone enables this config file as is, it won’t break nginx config, so that nginx wouldn’t even start. The admin would only need to configure ssl_certificate, ssl_certificate_key and fastcgi_pass parameters according to his settings.

Manfred