Merge pull request #3068 from mhofer117/tls-sni

Fix custom nginx sites with tls-sni
2019-10-20 17:58:15 +02:00 · 2019-10-20 17:58:15 +02:00 · caf57e86b5
commit caf57e86b5
parent 24e1293e72 05e7c95829
5 changed files with 20 additions and 13 deletions
--- a/data/conf/nginx/templates/listen_plain.template
+++ b/data/conf/nginx/templates/listen_plain.template
@ -0,0 +1,2 @@
 listen ${HTTP_PORT};
 listen [::]:${HTTP_PORT};
--- a/data/conf/nginx/templates/listen_ssl.template
+++ b/data/conf/nginx/templates/listen_ssl.template
@ -0,0 +1,2 @@
 listen ${HTTPS_PORT} ssl http2;
 listen [::]:${HTTPS_PORT} ssl http2;
--- a/data/conf/nginx/templates/server_name.template
+++ b/data/conf/nginx/templates/server_name.template
@ -0,0 +1 @@
 server_name ${MAILCOW_HOSTNAME} autodiscover.* autoconfig.*;
--- a/data/conf/nginx/templates/sites.template.sh
+++ b/data/conf/nginx/templates/sites.template.sh
@ -1,15 +1,13 @@
 echo '
 server {
  listen 127.0.0.1:65510;
-  listen '${HTTP_PORT}' default_server;
+  include /etc/nginx/conf.d/listen_plain.active;
-  listen [::]:'${HTTP_PORT}' default_server;
+  include /etc/nginx/conf.d/listen_ssl.active;
  listen '${HTTPS_PORT}' ssl http2 default_server;
  listen [::]:'${HTTPS_PORT}' ssl http2 default_server;
  ssl_certificate /etc/ssl/mail/cert.pem;
  ssl_certificate_key /etc/ssl/mail/key.pem;
-  server_name '${MAILCOW_HOSTNAME}' autodiscover.* autoconfig.*;
+  include /etc/nginx/conf.d/server_name.active;
  include /etc/nginx/conf.d/includes/site-defaults.conf;
 }
@ -18,15 +16,16 @@ for cert_dir in /etc/ssl/mail/*/ ; do
  if [[ ! -f ${cert_dir}domains ]] || [[ ! -f ${cert_dir}cert.pem ]] || [[ ! -f ${cert_dir}key.pem ]]; then
    continue
  fi
-  # remove hostname to not cause nginx warnings (hostname is covered in default server listen)
+  # do not create vhost for default-certificate. the cert is already in the default server listen
-  domains="$(cat ${cert_dir}domains | sed -e "s/\(^\| \)\($(echo ${MAILCOW_HOSTNAME} | sed 's/\./\\./g')\)\( \|$\)/ /g" | sed -e 's/^[[:space:]]*//')"
+  domains="$(cat ${cert_dir}domains | sed -e 's/^[[:space:]]*//')"
-  if [[ "${domains}" == "" ]]; then
+  case "${domains}" in
-    continue
+    "") continue;;
-  fi
+    "${MAILCOW_HOSTNAME}"*) continue;;
  esac
  echo -n '
 server {
-  listen '${HTTPS_PORT}' ssl http2;
+  include /etc/nginx/conf.d/listen_plain.active;
-  listen [::]:'${HTTPS_PORT}' ssl http2;
+  include /etc/nginx/conf.d/listen_ssl.active;
  ssl_certificate '${cert_dir}'cert.pem;
  ssl_certificate_key '${cert_dir}'key.pem;
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -275,7 +275,10 @@ services:
      image: nginx:mainline-alpine
      dns:
        - ${IPV4_NETWORK:-172.22.1}.254
-      command: /bin/sh -c "envsubst < /etc/nginx/conf.d/templates/sogo.template > /etc/nginx/conf.d/sogo.active &&
+      command: /bin/sh -c "envsubst < /etc/nginx/conf.d/templates/listen_plain.template > /etc/nginx/conf.d/listen_plain.active &&
        envsubst < /etc/nginx/conf.d/templates/listen_ssl.template > /etc/nginx/conf.d/listen_ssl.active &&
        envsubst < /etc/nginx/conf.d/templates/server_name.template > /etc/nginx/conf.d/server_name.active &&
        envsubst < /etc/nginx/conf.d/templates/sogo.template > /etc/nginx/conf.d/sogo.active &&
        envsubst < /etc/nginx/conf.d/templates/sogo_eas.template > /etc/nginx/conf.d/sogo_eas.active &&
        . /etc/nginx/conf.d/templates/sogo.auth_request.template.sh > /etc/nginx/conf.d/sogo_proxy_auth.active &&
        . /etc/nginx/conf.d/templates/sites.template.sh > /etc/nginx/conf.d/sites.active &&
		`@ -0,0 +1,2 @@`
							`listen ${HTTP_PORT};`
							`listen [::]:${HTTP_PORT};`
		`@ -0,0 +1,2 @@`
							`listen ${HTTPS_PORT} ssl http2;`
							`listen [::]:${HTTPS_PORT} ssl http2;`
		`@ -0,0 +1 @@`
							`server_name ${MAILCOW_HOSTNAME} autodiscover.* autoconfig.*;`