Nginx

 

With Nginx in the picture, HTTPS traffic is typically received by Nginx and proxied to MailArchiva listening on another port (for example, port 8090). Likewise, Nginx may also be configured to receive SMTP traffic on port 25 and forward traffic to MailArchiva listening on a different port (for example, port 26). 

 

By leveraging Nginx to handle incoming TLS connections, MailArchiva is relieved of the HTTPS load. When configured correctly, MailArchiva reads additional HTTP headers to determine a request's original IP address, server name, scheme, host and port. Refer to the table below.
 

HTTP header          Purpose
X-Real-IP            Original IP address
X-Forwarded-For      Original server name
X-Forwarded-Proto    Original scheme (e.g. https)
X-Forwarded-Host     Original host
X-Forwarded-Port     Original port

 

MailArchiva Configuration

 

The headers in the table are parsed provided the property proxy=yes is added to the Tomcat startup environment. For example, on Linux, the file /opt/mailarchiva/server/startserver should be edited as follows:

 

export CATALINA_OPTS="-Dproxy=yes -Dversion=enterpriseedition -Xmx6140m -Xms256m -XX:+UseG1GC"

 

After setting the above, restart the MailArchiva service for the proxy mode to be enabled. For security reasons, care should be taken to ensure that Nginx sets values for all of the above headers on the request.

 

Web console proxy

 

A sample Nginx proxy configuration is illustrated below. The virtual site below causes Nginx to redirect to HTTPS.

 

root@:/etc/nginx/sites-enabled# cat https
server {
  listen 80;
  rewrite ^ https://$host$request_uri? permanent;
}

 

The main virtual site is below. Setting the headers X-Forwarded-For, X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Port is needed so that MailArchiva knows the original URL information and IP address (for logging and other purposes). When an empty file is written to /etc/nginx/service, Nginx will output a maintenance message indicating that the cloud service is temporarily down for maintenance.

 

root@:/etc/nginx/sites-enabled# cat mailarchivatest.net
server {
    listen 443 ssl default_server;
    server_name mailarchivatest.net www.mailarchivatest.net *.mailarchivatest.net;
    ssl on;
    ssl_certificate /etc/ssl/private/fullchain.pem;
    ssl_certificate_key /etc/ssl/private/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # TLSv1.3 requires nginx >= 1.13.0, else omit it (a second ssl_protocols line in the same block is a duplicate-directive error)
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
    ssl_session_timeout  10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    ssl_stapling on; # Requires nginx >= 1.3.7
    ssl_stapling_verify on; # Requires nginx => 1.3.7
    resolver valid=300s;
    resolver_timeout 5s;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    if ($deny_connect) {
            return 403;
    }
    error_page 503 /under_maintenance.html;
    location = /under_maintenance.html {
    }
     location / {
            proxy_http_version 1.1;
            proxy_pass                 http://127.0.0.1:8090;
            proxy_redirect             off;
            proxy_buffering             off;
            if (-f /etc/nginx/service) {
                    return 503;
            }
            proxy_set_header           Host $http_host;
            proxy_set_header           X-Real-IP $remote_addr;
            proxy_set_header           X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header           X-Forwarded-Proto $scheme;
            proxy_set_header           X-Forwarded-Host $host;
            proxy_set_header           X-Forwarded-Port $server_port;
            client_max_body_size       10m;
            client_body_buffer_size    128k;
            client_body_temp_path      /var/nginx/client_body_temp;
            proxy_connect_timeout      60s;
            proxy_send_timeout         60s;
            proxy_read_timeout         60s;
            proxy_buffer_size          64k;
            proxy_buffers              4 32k;
            proxy_busy_buffers_size    64k;
            proxy_temp_file_write_size 64k;
            proxy_pass_header Set-Cookie;
            proxy_temp_path            /var/nginx/proxy_temp;
            charset  UTF-8;
            proxy_cache backcache;
            proxy_cache_key $proxy_host$request_uri$cookie_jsessionid; # Tomcat's JSESSIONID cookie; a misspelt variable name would silently drop the session from the cache key
    }
    location /linkage {
            proxy_pass             http://127.0.0.1:8090;
            proxy_http_version         1.1;
            proxy_set_header Upgrade     $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
    }
    location ~ /websocket/chat/* {
            proxy_pass                  http://127.0.0.1:8090;
            proxy_http_version          1.1;
            proxy_set_header Upgrade    $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
    }

}
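The note above about making sure every proxied request carries all five forwarding headers can be checked mechanically. The following is an added example (not MailArchiva's or Nginx's code) that scans a site file for location blocks containing proxy_pass and reports which of the headers each one fails to set; the SAMPLE fragment is constructed for the demonstration and mirrors the site file above, where the websocket location only sets Host.

```python
"""Report proxied Nginx locations that do not set every forwarding header
MailArchiva reads in proxy mode. Added example, not MailArchiva's or
Nginx's code; SAMPLE is a constructed config fragment."""
import re

REQUIRED = ("X-Real-IP", "X-Forwarded-For", "X-Forwarded-Proto",
            "X-Forwarded-Host", "X-Forwarded-Port")

def proxied_locations(conf):
    """Yield (location, set of proxy_set_header names) per location block
    holding proxy_pass; comments are stripped first, braces are counted."""
    conf = re.sub(r"#.*", "", conf)
    for m in re.finditer(r"location\s+([^{]+?)\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        body = conf[m.end():i - 1]
        if re.search(r"\bproxy_pass\b", body):
            yield m.group(1).strip(), set(re.findall(r"proxy_set_header\s+(\S+)", body))

def missing_headers(conf):
    """Return {location: [missing header names]}, compared case-insensitively."""
    report = {}
    for loc, hdrs in proxied_locations(conf):
        present = {h.lower() for h in hdrs}
        missing = [h for h in REQUIRED if h.lower() not in present]
        if missing:
            report[loc] = missing
    return report

# Constructed sample: "/" sets all five headers; the websocket location only sets Host.
SAMPLE = """
server {
    location / {
        proxy_pass http://127.0.0.1:8090;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
    }
    location ~ /websocket/chat/* {
        proxy_pass http://127.0.0.1:8090;
        proxy_set_header Host $host;
    }
}
"""
```

Calling `missing_headers(open("/etc/nginx/sites-enabled/mailarchivatest.net").read())` gives the same report for the real site file.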

 

In addition to the above virtual host configuration, to protect against HTTP proxy tunneling to external servers, edit /etc/nginx/nginx.conf and insert a map directive after the start of the http block as follows:

 

http {
        map $request_method $deny_connect {
                default 0;
                CONNECT 1;
        }
        ...
}

 

 

SMTP traffic proxy

 

Proxying SMTP traffic is optional, though useful if one needs to offload the handling of computationally expensive TLS negotiation to native code. The below virtual site is used as the authentication service for SMTP traffic:

 

root@:/etc/nginx/sites-enabled# cat auth
server {
        listen       127.0.0.1:9000;
        location = /authorize {
            set $reply OK;
            add_header Auth-Status $reply;
            add_header Auth-Server 127.0.0.1;
            add_header Auth-Port 26;
            add_header Auth-Wait 1;
            return 204;
        }
}

 

Note the mail block in the configuration below. It handles the proxying of mail traffic on the SMTP port.

 

root@:/etc/nginx# cat nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
    worker_connections 20000;
}
http {
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;
    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    ##
    # SSL Settings
    ##
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ##
    # Logging Settings
    ##
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    proxy_cache_path /var/nginx/cache levels=1:2 keys_zone=backcache:10m max_size=10g inactive=60m use_temp_path=off;
    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
mail {
    server_name test.mailarchivatest.net;
    auth_http localhost:9000/authorize;
    proxy_pass_error_message on;
    starttls on;
    ssl_certificate /etc/ssl/private/fullchain.pem;
    ssl_certificate_key /etc/ssl/private/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
    #ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK;
    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
    ssl_session_timeout  10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    xclient off;
    server {
        listen 25;
        protocol smtp;
        smtp_auth none;
        #smtp_auth  login plain;
    }
}
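The auth site above answers every auth_http query with Auth-Status OK, so any host that can reach port 25 is handed to MailArchiva. As an added example (not MailArchiva's code), the backend below speaks the same auth_http reply protocol that the page's `auth_http localhost:9000/authorize` directive queries, but only returns OK for the Client-IP addresses that Nginx reports from a constructed allow-list; everything else is refused with an SMTP error code that Nginx relays to the sender.

```python
"""auth_http backend for the Nginx mail proxy: same Auth-* reply as the
static `auth` site above, but relaying only for client addresses in an
allow-list. Added example, not MailArchiva's code; nets are constructed."""
from http.server import BaseHTTPRequestHandler, HTTPServer
import ipaddress

# Constructed: networks permitted to hand mail to MailArchiva via the proxy.
ALLOWED_NETS = [ipaddress.ip_network("127.0.0.0/8"),
                ipaddress.ip_network("10.0.0.0/8")]
BACKEND = ("127.0.0.1", "26")  # MailArchiva SMTP listener behind Nginx

def decide(headers):
    """Map the headers Nginx sends with an auth_http query (here only
    Client-IP is consulted) to the reply headers Nginx expects."""
    try:
        ip = ipaddress.ip_address(headers.get("Client-IP", ""))
    except ValueError:
        ip = None
    if ip is not None and any(ip in net for net in ALLOWED_NETS):
        return {"Auth-Status": "OK",
                "Auth-Server": BACKEND[0],
                "Auth-Port": BACKEND[1]}
    # Nginx relays this SMTP code and text to the sender after Auth-Wait seconds.
    return {"Auth-Status": "Relay access denied",
            "Auth-Error-Code": "554 5.7.1",
            "Auth-Wait": "3"}

class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path != "/authorize":
            self.send_error(404)
            return
        self.send_response(204)  # the page's auth site also answers 204
        for name, value in decide(self.headers).items():
            self.send_header(name, value)
        self.end_headers()

    def log_message(self, fmt, *args):  # keep the console quiet
        pass

if __name__ == "__main__":
    # Matches the page's `auth_http localhost:9000/authorize` directive.
    HTTPServer(("127.0.0.1", 9000), AuthHandler).serve_forever()
```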

 

Office 365 folder sync proxy

 

The site below is needed to set up folder synchronization with Office 365. It proxies folder synchronization traffic from https://mailarchiva.mailarchivatest.net/o365 to MailArchiva listening on port 8888 on localhost.
 

server {
    listen 443 ssl;
    server_name mailarchiva.mailarchivatest.net;
    ssl on;
    #ssl_certificate /etc/ssl/private/mailarchivatest.pem;
    #ssl_certificate_key /etc/ssl/private/mailarchivatest.key;
    ssl_certificate /etc/letsencrypt/live/mailarchivatest.net/_.mailarchivatest.net.bundle;
    ssl_certificate_key /etc/letsencrypt/live/mailarchivatest.net/_.mailarchivatest.net.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # TLSv1.3 requires nginx >= 1.13.0, else omit it (a second ssl_protocols line in the same block is a duplicate-directive error)
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
    ssl_session_timeout  10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    ssl_stapling on; # Requires nginx >= 1.3.7
    ssl_stapling_verify on; # Requires nginx => 1.3.7
    resolver valid=300s;
    resolver_timeout 5s;
    #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    #add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    location /o365 {
            proxy_http_version 1.1;
            proxy_pass                  http://127.0.0.1:8888;
            proxy_redirect              off;
            proxy_buffering             off;
            if (-f /etc/nginx/service) {
                    return 503;
            }
            proxy_set_header            Host $http_host;
            proxy_set_header            X-Real-IP $remote_addr;
            proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header            X-Forwarded-Proto $scheme;
            proxy_set_header            X-Forwarded-Host $host;
            proxy_set_header            X-Forwarded-Port $server_port;
            client_max_body_size       10m;
            client_body_buffer_size    128k;
            client_body_temp_path      /var/nginx/client_body_temp;
            proxy_connect_timeout      60s;
            proxy_send_timeout         60s;
            proxy_read_timeout         60s;
            proxy_buffer_size          64k;
            proxy_buffers              4 32k;
            proxy_busy_buffers_size    64k;
            proxy_temp_file_write_size 64k;
            proxy_pass_header Set-Cookie;
            proxy_temp_path            /var/nginx/proxy_temp;
            charset  UTF-8;
            proxy_cache backcache;
            proxy_cache_key $proxy_host$request_uri$cookie_jsessionid; # Tomcat's JSESSIONID cookie; a misspelt variable name would silently drop the session from the cache key
    }
}
© 2005 - 2024 ProProfs