nginx

Optional: Offizielles nginx-Repo hinzufügen

Datei /etc/apt/sources.list.d/nginx.list erstellen mit folgendem Inhalt (“bullseye” durch entsprechendes Release ersetzen) erstellen:

deb https://nginx.org/packages/debian/ bullseye nginx
deb-src https://nginx.org/packages/debian/ bullseye nginx

Ggf. muss der NGNINX-GPG-Key noch installiert werden:

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys <Key ID aus Fehlermeldung>

Installation von nginx

sudo apt update
sudo apt install nginx

sudo systemctl enable --now nginx

Dateien für die Grundkonfiguration

/etc/nginx/conf.d/default.conf
/etc/nginx/nginx.conf

server_tokens off;

/etc/nginx/nginx.conf

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    server_tokens off;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}

stream {
  server {
    listen 636 ssl;

    ssl_certificate /etc/nginx/certs/chain.crt;
    ssl_certificate_key /etc/nginx/certs/private/certificate.key;

    proxy_pass 192.168.1.123:636;
    proxy_ssl on;
    proxy_ssl_verify off;
  }
}

default.conf (docker)

# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
# scheme used to connect to this server
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
  default $http_x_forwarded_proto;
  ''      $scheme;
}
# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
# server port the client connected to
map $http_x_forwarded_port $proxy_x_forwarded_port {
  default $http_x_forwarded_port;
  ''      $server_port;
}
# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
# Connection header that may have been passed to this server
map $http_upgrade $proxy_connection {
  default upgrade;
  '' close;
}
# Apply fix for very long server names
server_names_hash_bucket_size 128;
# Default dhparam
ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
# Set appropriate X-Forwarded-Ssl header
map $scheme $proxy_x_forwarded_ssl {
  default off;
  https on;
}
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
log_format vhost '$host $remote_addr - $remote_user [$time_local] '
                 '"$request" $status $body_bytes_sent '
                 '"$http_referer" "$http_user_agent"';
access_log off;
                ssl_protocols TLSv1.2 TLSv1.3;
                ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
                ssl_prefer_server_ciphers off;
resolver 127.0.0.11;
# HTTP 1.1 support
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
# Mitigate httpoxy attack (see README for details)
proxy_set_header Proxy "";


server {
    listen       80;
    listen  [::]:80;
    server_name  localhost;

    #charset koi8-r;
    #access_log  /var/log/nginx/host.access.log  main;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}

# mail.example.org
upstream mail.example.org {
                                ## Can be connected with "nginx-net-prod" network
                        # mail.example.org
                        server mail.example.org:443;
}
server {
        server_name mail.example.org autodiscover.example.org;
        listen 80 ;
        access_log /var/log/nginx/access.log;
        # Do not HTTPS redirect Let'sEncrypt ACME challenge
        #location ^~ /.well-known/acme-challenge/ {
        #       auth_basic off;
        #       auth_request off;
        #       allow all;
        #       root /usr/share/nginx/html;
        #       try_files $uri =404;
        #       break;
        #}
        location / {
                return 301 https://$host$request_uri;
        }
}

server {
        server_name mail.example.org autodiscover.example.org;
        listen 443 ssl http2 ;
        access_log /var/log/nginx/access.log;
        ssl_session_timeout 5m;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;
        ssl_certificate /etc/nginx/certs/mail.example.org.crt;
        ssl_certificate_key /etc/nginx/certs/mail.example.org.key;
        ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/nginx/certs/mail.example.org.ocsp-chain.crt;
        add_header Strict-Transport-Security "max-age=31536000" always;
        
        location /             { return 301 https://$host/owa; }
        location /owa          { proxy_pass https://mail.example.org; }
        location /OWA          { proxy_pass https://mail.example.org; }        
        location /EWS          { proxy_pass https://mail.example.org; }
        location /ews          { proxy_pass https://mail.example.org; }        
        location /Microsoft-Server-ActiveSync { proxy_pass https://mail.example.org; }
        location /mapi         { proxy_pass https://mail.example.org; }
        location /MAPI         { proxy_pass https://mail.example.org; }        
        location /rpc          { proxy_pass https://mail.example.org; }
        location /RPC          { proxy_pass https://mail.example.org; }        
        location /oab          { proxy_pass https://mail.example.org; }
        location /OAB          { proxy_pass https://mail.example.org; }        
        location /autodiscover { proxy_pass https://mail.example.org; }
        location /Autodiscover { proxy_pass https://mail.example.org; }
}

upstream cloud.example.com-upstream {
                        server 192.168.1.234:80;
}
server {
        server_name cloud.example.com;
        listen 80 ;
        listen [::]:80 ;
        access_log /var/log/nginx/access.cloud.example.com.log vhost;
        location / {
                return 301 https://$host$request_uri;
        }
}
server {
        server_name cloud.example.com;
        listen 443 ssl http2 ;
        listen [::]:443 ssl http2 ;
        access_log /var/log/nginx/access.cloud.example.com.log vhost;
        ssl_session_timeout 5m;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;
        ssl_certificate /etc/nginx/certs/cloud.example.com.crt;
        ssl_certificate_key /etc/nginx/certs/private/cloud.example.com.key;
        ssl_dhparam /etc/nginx/certs/dhparam/dhparam.pem;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/nginx/certs/cloud.example.com-fullchain.crt;
        add_header Strict-Transport-Security "max-age=31536000" always;
        proxy_buffering off;
        client_max_body_size 64m;
        location / {
                proxy_pass http://cloud.example.com-upstream;
        }
        location = /.well-known/carddav {
                return 301 $scheme://$host:$server_port/remote.php/dav;
        }
        location = /.well-known/caldav {
                return 301 $scheme://$host:$server_port/remote.php/dav;
        }
}

https://github.com/nginx/nginx/blob/master/docs/html/index.html