Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Possible to run under an existant nginx ? #70

Open
m333w opened this issue Apr 29, 2020 · 12 comments
Open

Possible to run under an existant nginx ? #70

m333w opened this issue Apr 29, 2020 · 12 comments

Comments

@m333w
Copy link

m333w commented Apr 29, 2020

Hi all,

First thank's for this image :)

I would like to run the container under an existant nginx, so i run the contener like this :

docker run -p 666:80 -p 999:443 \
           -h email.domain.tld \
           -e "MYSQL_ROOT_PASSWORD=strongpassword" \
           -e "SOGO_WORKERS=2" \
           -e "TZ=Europe/Paris" \
           -e "POSTMASTER_PASSWORD=strongpassword" \
           -e "IREDAPD_PLUGINS=['reject_null_sender', 'reject_sender_login_mismatch', 'greylisting', 'throttle', 'amavisd_wblist', 'sql_alias_access_policy']" \
           -v /srv/docker.app/iredmail/mysql:/var/lib/mysql \
           -v /srv/docker.app/iredmail/vmail:/var/vmail \
           -v /srv/docker.app/iredmail/clamav:/var/lib/clamav \
           --name=iredmail lejmr/iredmail:mysql-latest

My email.conf in nginx :

server {
    listen         80;
    server_name    email.domain.tld;
    return         301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name email.domain.tld;
	
    ssl on;
    ssl_certificate /etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;
	
    access_log /var/log/nginx/iredmail-access.log combined;
    error_log /var/log/nginx/iredmail-error.log error;
  
    client_max_body_size 512M;

    location / {
        proxy_pass http://email.domain.tld:666/mail;
    }
  
    location /mail {
        proxy_pass http://email.domain.tld:666/mail;
    }
  
    location /iredadmin {
        proxy_pass http://email.domain.tld:666/iredadmin;
    }
    location /sogo {
        proxy_pass http://email.domain.tld:666/sogo;
    }
}

But when i go on email.domain.tld any browser say "bad redirection"
What i am missing ?

Hope someone can help me

Best regards.
@TitanFighter
Copy link
Contributor

TitanFighter commented Apr 29, 2020
edited
Loading

Instead of

    location / {
        proxy_pass http://email.domain.tld:666/mail;
    }
  
    location /mail {
        proxy_pass http://email.domain.tld:666/mail;
    }
  
    location /iredadmin {
        proxy_pass http://email.domain.tld:666/iredadmin;
    }
    location /sogo {
        proxy_pass http://email.domain.tld:666/sogo;
    }

try

location /sogo {
    proxy_pass http://iredmail;
}

And probably you do not need this

-p 666:80 -p 999:443

because nginx directly communicates with container.

@lejmr
Copy link
Owner

lejmr commented May 4, 2020
edited
Loading

Totally agree with @TitanFighter. I do have Nginx as a reverse proxy dealing with SSL on my server.

I am exporting the 443 port as 8443

-p 8443:443

then my nginx locaton section is as follows:

    location / {
        proxy_pass https://127.0.0.1:8443;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto https;
        proxy_set_header        X-Forwarded-Port 443;
    }

Hope this helps

BTW this is my full configuraton:

server {
    listen       80;
    listen       [::]:80;
        server_name mail.example.com;

        location / {
        return 301 https://$server_name$request_uri;
    }
    }

server {
    listen       127.0.0.1:10443 ssl;

        server_name mail.example.com;
        client_max_body_size 500M;

    # Logs
    error_log /var/log/nginx/mail.example.com.error.log warn;
    access_log  /var/log/nginx/mail.example.com.access.log combined;

    # SSLv2 and SSLv3
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # Configuration of certificates
    ssl_certificate /etc/letsencrypt/live/mail.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mail.example.com/privkey.pem;

    # The Cipher Suite
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:1m;

    ssl_session_timeout  10m;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";


    # enable ocsp stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner)
    # http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/mail.example.com/fullchain.pem;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    # ssl_dhparam /etc/ssl/certs/dhparam.pem;

    #6Months of HSTS
    add_header Strict-Transport-Security max-age=15768000;


    location / {
        proxy_pass https://127.0.0.1:8443;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto https;
        proxy_set_header        X-Forwarded-Port 443;
    }
}

@uwla
Copy link

uwla commented Jul 24, 2020
edited
Loading

Can yo u say where the configuration file is? I'd like to register iRedmail on mail.mydomainexample.com but I'm having trouble with that.

I tried the following:

docker run -d --expose 80 --expose 443 \
            -e VIRTUAL_HOST=mail.mydomainexample.com\
           -e "MYSQL_ROOT_PASSWORD=strongpassword" \
           -e "SOGO_WORKERS=1" \
           -e "TZ=Europe/Prague" \
           -e "POSTMASTER_PASSWORD=strongpassword" \
           -e "IREDAPD_PLUGINS=['reject_null_sender', 'reject_sender_login_mismatch', 'greylisting', 'throttle', 'amavisd_wblist', 'sql_alias_access_policy']" \
           -v /srv/iredmail/mysql:/var/lib/mysql \
           -v /srv/iredmail/vmail:/var/vmail \
           -v /srv/iredmail/clamav:/var/lib/clamav \
           --name=iredmail lejmr/iredmail:mysql-latest

but did not work. Any help would be appreciated :)

Totally agree with @TitanFighter. I do have Nginx as a reverse proxy dealing with SSL on my server.

I am exporting the 443 port as 8443

-p 8443:443

then my nginx locaton section is as follows:

    location / {
        proxy_pass https://127.0.0.1:8443;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto https;
        proxy_set_header        X-Forwarded-Port 443;
    }

Hope this helps

BTW this is my full configuraton:

server {
    listen       80;
    listen       [::]:80;
        server_name mail.example.com;

        location / {
        return 301 https://$server_name$request_uri;
    }
    }

server {
    listen       127.0.0.1:10443 ssl;

        server_name mail.example.com;
        client_max_body_size 500M;

    # Logs
    error_log /var/log/nginx/mail.example.com.error.log warn;
    access_log  /var/log/nginx/mail.example.com.access.log combined;

    # SSLv2 and SSLv3
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # Configuration of certificates
    ssl_certificate /etc/letsencrypt/live/mail.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mail.example.com/privkey.pem;

    # The Cipher Suite
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:1m;

    ssl_session_timeout  10m;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";


    # enable ocsp stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner)
    # http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/mail.example.com/fullchain.pem;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    # ssl_dhparam /etc/ssl/certs/dhparam.pem;

    #6Months of HSTS
    add_header Strict-Transport-Security max-age=15768000;


    location / {
        proxy_pass https://127.0.0.1:8443;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto https;
        proxy_set_header        X-Forwarded-Port 443;
    }
}

@lejmr
Copy link
Owner

lejmr commented Jul 25, 2020

With what you got you already have all you need. I mean running that command you will propagate internal nginx to your host system, so if you point DNS over there you are done.

However, you also need to propagate other ports, e.g., 25, 587 for email server itself.

To the configuration. The docker image contains nginx already with following configuration

[root@mail iredmail]# cat /etc/nginx/sites-enabled/00-default.conf
#
# Note: This file must be loaded before other virtual host config files,
#
# HTTP
server {
    # Listen on ipv4
    listen 80;
    #listen [::]:80;

    server_name _;

    # Redirect all insecure http:// requests to https://
    return 301 https://$host$request_uri;
}
[root@mail iredmail]# cat /etc/nginx/sites-enabled/00-default-ssl.conf
#
# Note: This file must be loaded before other virtual host config files,
#
# HTTPS
server {
    listen 443 ssl;
    #listen [::]:443 ssl;
    server_name _;

    root /var/www/html;
    index index.php index.html;

    include /etc/nginx/templates/misc.tmpl;
    include /etc/nginx/templates/ssl.tmpl;
    include /etc/nginx/templates/iredadmin.tmpl;
    include /etc/nginx/templates/roundcube.tmpl;
    include /etc/nginx/templates/sogo.tmpl;
    include /etc/nginx/templates/netdata.tmpl;
    include /etc/nginx/templates/php-catchall.tmpl;
    include /etc/nginx/templates/stub_status.tmpl;
}

@uwla
Copy link

uwla commented Jul 25, 2020
edited
Loading

The DNS records are already pointing to the desirable subdomain, but iRedMail is still not working.

My goal is to have subdomains like mail.example.com, cloud.example.com, gitlab.example.com, and so on. So, I followed this tutorial and set a nginx proxy container. The nginx proxy listens to traffic on ports 80 and 443 and redirects it to the correct container (but is not working for iRedMail only).

iRedmail does work if, for example, I configure docker to redirect ports 8080 and 8443 in the host to ports 80 and 443 in the container, respectively.

I guess the problem is that there are two nginx: one in the nginx proxy, and the other in your iRedMail docker image. Could you help to tackle this? I'm quite lost because I've just started using Docker and Nginx three days ago (before, I used to use the traditional LAMP setup).

@TitanFighter
Copy link
Contributor

TitanFighter commented Jul 25, 2020
edited
Loading

I also use mail.domain.com. If you wish I can share docker compose settings tomorrow. If you do not want to use docker compose then at least you can see how it works and can convert docker compose settings back to just simple docker yourself.

@uwla
Copy link

uwla commented Jul 26, 2020

Yes, please share the compose settings :) that will be helpful

@TitanFighter
Copy link
Contributor

TitanFighter commented Jul 26, 2020
edited
Loading

@AndreSouzaAbreu

docker-compose.nginx-proxy-w-le.yml

# HOW TO USE:

# 1. Download latest nginx.tmpl (save next to this docker-compose file):
#    curl https://raw.githubusercontent.com/jwilder/nginx-proxy/master/nginx.tmpl > ./nginx.tmpl
# 2. Run docker-compose: docker-compose -f ./docker-compose.nginx-proxy-w-le.yml up -d

# Based on: https://github.com/buchdag/letsencrypt-nginx-proxy-companion-compose

version: '3.5'
services:
  nginx-proxy:
    image: nginx
    container_name: nginx-proxy-container
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - conf:/etc/nginx/conf.d
      - vhost:/etc/nginx/vhost.d
      - html:/usr/share/nginx/html
      - certs:/etc/nginx/certs:ro
    labels:
      - "com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy"
    restart: always

  docker-gen:
    image: jwilder/docker-gen
    container_name: nginx-proxy-gen-container
    command: -notify-sighup nginx-proxy-container -watch /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf
    depends_on:
      - nginx-proxy
    volumes:
      - conf:/etc/nginx/conf.d
      - vhost:/etc/nginx/vhost.d
      - certs:/etc/nginx/certs:ro
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - ./nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl:ro
    labels:
      - "com.github.jrcs.letsencrypt_nginx_proxy_companion.docker_gen"
    restart: always

  letsencrypt:
    image: jrcs/letsencrypt-nginx-proxy-companion
    container_name: nginx-proxy-le-container
    depends_on:
      - nginx-proxy
      - docker-gen
    volumes:
      - vhost:/etc/nginx/vhost.d
      - html:/usr/share/nginx/html
      - certs:/etc/nginx/certs
      - /var/run/docker.sock:/var/run/docker.sock:ro
    restart: always

volumes:
  conf:
  vhost:
  html:
  certs:

networks:
  default:
    name: nginx-proxy

docker-compose.iredmail_lejmr.yml

version: '3.5'
services:
  iredmail:
    image: lejmr/iredmail:mysql-latest
    container_name: iredmail-container
    restart: unless-stopped
    hostname: mail.yourdomain.com
    privileged: yes
    ports:
      - "25:25"
      - "587:587"
    volumes:
      - /var/www/mail/mysql:/var/lib/mysql
      - /var/www/mail/vmail:/var/vmail
      - /var/www/mail/clamav:/var/lib/clamav
      - /etc/localtime:/etc/localtime:ro
    environment:
      - MYSQL_ROOT_PASSWORD=SuperSecretMySQLPassword
      - POSTMASTER_PASSWORD={PLAIN}SuperSecretPassword
      - IREDAPD_PLUGINS="['reject_null_sender', 'reject_sender_login_mismatch', 'greylisting', 'throttle', 'amavisd_wblist', 'sql_alias_access_policy']"
      - VIRTUAL_HOST=mail.yourdomain.com
      - VIRTUAL_PORT=443
      - VIRTUAL_PROTO=https
      - SSL_POLICY=Mozilla-Modern
      - LETSENCRYPT_HOST=mail.yourdomain.com
      - [email protected]

networks:
  default:
    external:
      name: nginx-proxy

Run both, the 1st one is docker-compose.nginx-proxy-w-le.yml and then docker-compose.iredmail_lejmr.yml. As a result you will get iredmail encrypted by LetsEncrypt.

Using nginx-proxy network you can use proxy from docker-compose.nginx-proxy-w-le.yml for any other dockerized container, so next to iredmail container you can add for example your web-server container.

Change mail.yourdomain.com, [email protected], SuperSecretMySQLPassword and SuperSecretPassword to the ones you need.

@TitanFighter TitanFighter mentioned this issue Jul 29, 2020
Closed
@uwla
Copy link

uwla commented Aug 1, 2020
edited
Loading

@TitanFighter thank you! that worked! But for some reason I cann't login into [email protected] .. could you send me a message (andresouzaabreu.dev at gmail.com) for us to discuss it elsewhere? To avoid flooding here

@TitanFighter
Copy link
Contributor

I have just one idea - from this example POSTMASTER_PASSWORD={PLAIN}SuperSecretPassword - you removed {PLAIN} part. You should leave this part unchanged and should change just SuperSecretPassword

@TitanFighter
Copy link
Contributor

TitanFighter commented Aug 9, 2020
edited
Loading

@AndreSouzaAbreu just had your problem for some reason.

Here is the instruction how to reset password.

Basically you need to docker exec -it iredmail-container-name bash, then mysql -u root in order to open sql terminal and continue with steps from the link above.

@uwla
Copy link

uwla commented Aug 10, 2020
edited
Loading

Thanks @TitanFighter , I will try that out.

I have a guess about why this is happening. I had a similar problem with passwords when seeding a database of a webserver. The passwords were stored in plain text in the databse. When the user tried to login, the password the user entered would be hashed and then compared to the value in the database. If the values were different, the user wouldn't login. Since the values seeded into the database were not hashed, the user accounts that were created in the seeding process would never be able to login. I think that a similar thing is happening here with iRedMail. In the case of my webserver, I was able to solve this by hashing the passwords in the seeding process.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@lejmr @TitanFighter @m333w @uwla