[SSL] create individual domain certificates, add SNI configs for Postfix/Dovecot/Nginx

2019-10-19 12:48:56 +02:00
parent a95a3f6145
commit 2e35da6816
17 changed files with 540 additions and 344 deletions
--- a/data/conf/nginx/includes/site-defaults.conf
+++ b/data/conf/nginx/includes/site-defaults.conf
@@ -1,19 +1,8 @@
-server_tokens off;
-proxy_cache_path /tmp levels=1:2 keys_zone=sogo:10m inactive=24h  max_size=1g;
-server_names_hash_bucket_size 64;

-map $http_x_forwarded_proto $client_req_scheme {
-     default $scheme;
-     https https;
-}
-
-server {
  include /etc/nginx/mime.types;
  charset utf-8;
  override_charset on;

-  ssl_certificate /etc/ssl/mail/cert.pem;
-  ssl_certificate_key /etc/ssl/mail/key.pem;
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
  ssl_prefer_server_ciphers on;
@@ -34,11 +23,6 @@ server {

  client_max_body_size 0;

-  listen 127.0.0.1:65510;
-  include /etc/nginx/conf.d/listen_plain.active;
-  include /etc/nginx/conf.d/listen_ssl.active;
-  include /etc/nginx/conf.d/server_name.active;
-
  gzip on;
  gzip_disable "msie6";

@@ -221,4 +205,3 @@ server {
  location @awaitingupstream {
    rewrite ^(.*)$ /_status.502.html break;
  }
-}
--- a/data/conf/nginx/templates/listen_plain.template
+++ b/data/conf/nginx/templates/listen_plain.template
@@ -1,2 +0,0 @@
-listen ${HTTP_PORT};
-listen [::]:${HTTP_PORT};
--- a/data/conf/nginx/templates/listen_ssl.template
+++ b/data/conf/nginx/templates/listen_ssl.template
@@ -1,2 +0,0 @@
-listen ${HTTPS_PORT} ssl http2;
-listen [::]:${HTTPS_PORT} ssl http2;
--- a/data/conf/nginx/templates/server_name.template
+++ b/data/conf/nginx/templates/server_name.template
@@ -1 +0,0 @@
-server_name ${MAILCOW_HOSTNAME} autodiscover.* autoconfig.*;
--- a/data/conf/nginx/templates/sites.template.sh
+++ b/data/conf/nginx/templates/sites.template.sh
@@ -0,0 +1,40 @@
+echo '
+server {
+  listen 127.0.0.1:65510;
+  listen '${HTTP_PORT}' default_server;
+  listen [::]:'${HTTP_PORT}' default_server;
+  listen '${HTTPS_PORT}' ssl http2 default_server;
+  listen [::]:'${HTTPS_PORT}' ssl http2 default_server;
+
+  ssl_certificate /etc/ssl/mail/cert.pem;
+  ssl_certificate_key /etc/ssl/mail/key.pem;
+
+  server_name '${MAILCOW_HOSTNAME}' autodiscover.* autoconfig.*;
+
+  include /etc/nginx/conf.d/includes/site-defaults.conf;
+}
+';
+for cert_dir in /etc/ssl/mail/*/ ; do
+  if [[ ! -f ${cert_dir}domains ]] || [[ ! -f ${cert_dir}cert.pem ]] || [[ ! -f ${cert_dir}key.pem ]]; then
+    continue
+  fi
+  # remove hostname to not cause nginx warnings (hostname is covered in default server listen)
+  domains="$(cat ${cert_dir}domains | sed -e "s/\(^\| \)\($(echo ${MAILCOW_HOSTNAME} | sed 's/\./\\./g')\)\( \|$\)/ /g" | sed -e 's/^[[:space:]]*//')"
+  if [[ "${domains}" == "" ]]; then
+    continue
+  fi
+  echo -n '
+server {
+  listen '${HTTPS_PORT}' ssl http2;
+  listen [::]:'${HTTPS_PORT}' ssl http2;
+
+  ssl_certificate '${cert_dir}'cert.pem;
+  ssl_certificate_key '${cert_dir}'key.pem;
+';
+  echo -n '
+  server_name '${domains}';
+
+  include /etc/nginx/conf.d/includes/site-defaults.conf;
+}
+';
+done
				`@@ -1 +0,0 @@`
				`server_name ${MAILCOW_HOSTNAME} autodiscover.* autoconfig.*;`