Nginx Proxy for CommuniGate with SPDY and OCSP Stapling
For quite a long time now I have been running the CommuniGate web interfaces behind an nginx proxy. This speeds up the web interface and lets nginx reject hostile requests before they ever reach CommuniGate.
I use nginx 1.3.x with some additional modules such as naxsi (a web application firewall) and ngx_log_if (to suppress access-log entries in certain cases).
This sample configuration lets you host the webmail interface and the WebAdmin interface as a single nginx vhost.
That way you can use modern techniques such as SPDY and OCSP stapling before they are integrated into CommuniGate itself (if ever). SPDY needs nginx built with --with-http_spdy_module (1.3.15 or later); OCSP stapling (1.3.7 or later) needs the issuer chain in ssl_trusted_certificate so the stapled response can be verified, and a resolver that can look up the OCSP responder.
# HTTP server: everything on port 80 is redirected to the HTTPS vhost
server {
    listen 80;
    listen [::]:80;
    # must match the HTTPS vhost; with any other name the redirect below
    # sends clients to the wrong host
    server_name mail.example.com;
    rewrite ^(.*) https://$server_name$1 permanent;
}

# HTTPS server
#
server {
    # spdy requires nginx built with --with-http_spdy_module (1.3.15+)
    listen 443 ssl spdy;
    listen [::]:443 ssl spdy;
    server_name mail.example.com;

    # SSL
    # redundant with the ssl parameter of listen above (and deprecated in nginx 1.15.0)
    ssl on;
    ssl_certificate /etc/ssl/private/mail.example.com.pem;
    ssl_certificate_key /etc/ssl/private/mail.example.com.key;
    # issuer chain, used by ssl_stapling_verify to check the stapled OCSP response
    ssl_trusted_certificate /etc/ssl/private/mail.example.com.trust;

    ## OCSP Stapling (nginx 1.3.7+)
    # a local resolver is needed to look up the OCSP responder host
    resolver 127.0.0.1;
    ssl_stapling on;
    ssl_stapling_verify on;

    # Host, X-Real-IP and X-Forwarded-* headers for the backend
    include /etc/nginx/proxy_params;

    # Forbids crawling: serve a robots.txt that disallows everything
    location /robots.txt {
        alias /var/www/stuff/norobots.txt;
    }

    # Forbids dot files (.htaccess, .git, ...); this regex location takes
    # precedence over "location /", so they are never proxied
    location ~ /\. {
        deny all;
    }

    # Webmail
    location / {
        proxy_pass http://localhost:8100;
        # WAF
        include /etc/nginx/naxsi.rules;
    }

    # Webmail skins: static, so cache them and keep successful hits out of the log
    location /SkinFiles {
        access_log_bypass_if ($status = 200);
        expires 24h;
        # proxy_cache_valid only takes effect once a cache zone is declared
        # (proxy_cache_path in http {} and "proxy_cache <zone>;" in this location)
        proxy_cache_valid 24h;
        proxy_pass http://localhost:8100;
        # WAF
        include /etc/nginx/naxsi.rules;
    }

    # Webadmin: /admin/... maps to /Master/... on the admin port.
    # This exposes the admin interface to everyone; restrict it with allow/deny
    # or auth_basic unless that is intended.
    location /admin {
        proxy_pass http://localhost:8010/Master;
        # note: a proxy_set_header at location level cancels inheritance of all
        # proxy_set_header directives from the server level, so the headers from
        # proxy_params are not sent here unless the file is included again
        proxy_set_header Host localhost;
        # rewrite the Location header of backend redirects back to the public URL
        proxy_redirect http://localhost/Master https://mail.example.com/admin;
        # WAF
        include /etc/nginx/naxsi.rules;
    }

    # WAF: naxsi DeniedUrl target (set in naxsi.rules), handed to a local service on 8082
    location /RequestDenied {
        proxy_pass http://127.0.0.1:8082;
    }
}
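After `nginx -t` and a reload, the things worth verifying from outside are that the stapled OCSP response is actually delivered, that plain HTTP is redirected to the right host, and that dot files are denied rather than proxied. The script below is an added example and not part of the original post or of CommuniGate; it assumes the host name mail.example.com from the configuration above and that openssl and curl are on PATH. The parsing is kept in separate functions so it can be exercised on captured output without a live server.

```shell
#!/bin/sh
# Added example (not from the original post): post-deploy checks for the vhost above.
# Assumes the vhost name mail.example.com from the configuration and that
# openssl and curl are installed. Network access only with RUN_LIVE=1.
set -e

HOST="${HOST:-mail.example.com}"

# stapling_status: classify `openssl s_client -status` output read from stdin.
# Prints stapled-good, stapled-revoked, bad-staple or no-staple.
stapling_status() {
    out=$(cat)
    case "$out" in
        *"OCSP Response Status: successful"*)
            case "$out" in
                *"Cert Status: good"*)    echo stapled-good ;;
                *"Cert Status: revoked"*) echo stapled-revoked ;;
                *)                        echo bad-staple ;;
            esac ;;
        *)  # "OCSP response: no response sent", or no OCSP block at all
            echo no-staple ;;
    esac
}

# redirect_ok HOST: read response headers (curl -sI output) from stdin and
# succeed only for a 301 whose Location points at https://HOST/...
redirect_ok() {
    want="https://$1/"
    hdrs=$(tr -d '\r')
    status=$(printf '%s\n' "$hdrs" | head -n 1)
    loc=$(printf '%s\n' "$hdrs" | grep -i '^location:' | head -n 1 | sed 's/^[Ll]ocation:[[:space:]]*//')
    case "$status" in *" 301 "*) ;; *) return 1 ;; esac
    case "$loc" in "$want"*) return 0 ;; *) return 1 ;; esac
}

# dotfile_blocked CODE: the "location ~ /\." block must answer 403, never proxy
dotfile_blocked() {
    [ "$1" = "403" ]
}

# check_live: run the three checks against the real host
check_live() {
    printf 'OCSP stapling: %s\n' "$(openssl s_client -connect "$HOST:443" -servername "$HOST" -status </dev/null 2>/dev/null | stapling_status)"
    if curl -sI "http://$HOST/" | redirect_ok "$HOST"; then
        echo 'HTTP->HTTPS redirect: ok'
    else
        echo 'HTTP->HTTPS redirect: FAIL'
    fi
    code=$(curl -s -o /dev/null -w '%{http_code}' "https://$HOST/.htaccess")
    if dotfile_blocked "$code"; then
        echo 'dotfile deny: ok'
    else
        echo "dotfile deny: FAIL ($code)"
    fi
}

# Only talk to the network when explicitly asked: RUN_LIVE=1 sh check.sh
if [ "${RUN_LIVE:-0}" = "1" ]; then
    check_live
fi
```

`stapling_status` distinguishes "no response sent" (nginx could not fetch or verify the response, typically a missing issuer chain or a resolver problem) from a stapled response whose status is not good, which is the case you actually want to be alerted on. Run with `RUN_LIVE=1` against the deployed host; without it the script only defines the functions.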