# more or less zeroconf for squirrelmail/roundcube, within lxc container
# assuming the rest is ok
# (php fastcgi or php-fpm spawned)
#
# make sure socket match your current PHP version in /etc/nginx/php-handler.conf
include php-handler.conf;

server {
       listen 443 ssl http2;
       listen [::]:443 ssl http2;
       
       # catch all based on the domain name
       server_name ~^mx ~^e\d+\.;
       # send away to http request on irrelevant domain
       #if ( $http_host !~* ^(mx|e\d+\.)) { return 301 http://$host$request_uri; }

       # proxy_pass within lxc container
       set_real_ip_from  10.0.0.0/24;
       real_ip_header    X-Forwarded-For;
       real_ip_recursive on;

       # localhost symlink must be added to the relevant directory
       ssl_certificate  certs/https.pem;
       ssl_certificate_key  certs/https.key;

       # set for generic path
       # could point to   /usr/share/squirrelmail;
       #                  /usr/share/roundcube;
       #                  /usr/local/share/rainloop;
       #		 /usr/share/snappymail
       # or the following symlink pointing to the real directory
       root /var/lib/roundcube/public_html;
       index index.php;
       autoindex off;
       allow all;

       # set max upload size
       # (requires PHP wrapper to be set accordingly:
       # for instance
       #     post_max_size = 52M
       #     upload_max_filesize = 50M
       # in /etc/php/7.x/fpm/conf.d/00-file_upload_limit.ini
       # or /etc/php/7.x/cgi/conf.d/00-file_upload_limit.ini
       client_max_body_size 52M;


       # Security headers
       add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
       add_header X-Content-Type-Options "nosniff" always;
       add_header X-XSS-Protection "1; mode=block" always;
       add_header X-Robots-Tag "none" always;
       add_header X-Download-Options "noopen" always;
       add_header X-Permitted-Cross-Domain-Policies "none" always;
       add_header Referrer-Policy "no-referrer" always;
       add_header X-Frame-Options "SAMEORIGIN" always;
       fastcgi_hide_header X-Powered-By;
												  
       location /data { deny all; }
       location /config { deny all; }
       location /functions { deny all; }
       location /help { deny all; }
       location /temp { deny all; }
       location /logs { deny all; }
       location /bin { deny all; }
       location /SQL { deny all; }
       location ~ ^/(?:README|INSTALL|LICENSE|CHANGELOG|UPGRADING) { deny all; }
       location ~ /\. { deny all; }

       # GZIP / compression settings
       gzip on;
       gzip_vary on;
       gzip_comp_level 4;
       gzip_min_length 256;
       gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
       gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;


       # The actual root location
       location / {
                try_files $uri $uri/ /index.php?$args;
       }

       location ~ \.php(?:$|/) {
         # http://forum.nginx.org/read.php?2,88845,page=3
	 try_files $uri =404;
         fastcgi_split_path_info ^(.+\.php)(/.+)$;
	 include fastcgi.conf;
	 fastcgi_pass php-handler;
	 fastcgi_index  index.php;
       }
}

# EOF

