Added availability to redirect HTTP to HTTPS and a variable "REDIREC…

[Scuruba]

…T_HTTP" to configure this option

Contribution Guidelines

• I've read the contribution guidelines and wholeheartedly agree them

What does this PR include?

Short Description

A updated NGINX config to redirect HTTP requests to HTTPS. This redirect should be activated/deactivated over the mailcow.conf, via the variable "REDIRECT_HTTP=y/n"

Affected Containers

• NGINX

Did you run tests?

What did you tested?

I tested and also actually run the NGINX config itself, like in the PR.
But I couldn't get the part with the variable configuration to work! I don't have enough knowledge for this, so I tried to use the variable “DISABLE_IPv6” as a guide.

What were the final results? (Awaited, got)

NGINX config itself was successfully tested, the variable part doesn't work.

[DerLinkman]

This would basically obsolete the Docs page here right?

https://docs.mailcow.email/manual-guides/u_e-80_to_443

@FreddleSpl0it what do you think?

[FreddleSpl0it]

https://docs.mailcow.email/manual-guides/u_e-80_to_443 should still work, so I don’t understand why we should change it. I don’t see any advantage.

[Clete2]

https://docs.mailcow.email/manual-guides/u_e-80_to_443 should still work, so I don’t understand why we should change it. I don’t see any advantage.

It doesn’t work for me. I didn’t look into it yet but can confirm that curl -v to the http endpoint returns a 200, not a 301. The docs at minimum need to be updated for the new NGINX config

[Scuruba]

https://docs.mailcow.email/manual-guides/u_e-80_to_443 should still work, so I don’t understand why we should change it. I don’t see any advantage.

I think redirect HTTP should be the standard, and not be an option.
But the config doesn't work because you call the port 80 two times, at first with the standard config, and then the second time in the redirect.conf. NGINX warn me every time, because I declared the sides two times. (with nginx -t). NGINX uses the first entry of the port 80 call, so the redirect will not work, you land on the http site.

[FreddleSpl0it]

I'm not sure if we should make it a standard, but I reviewed the issue with redirect.conf not working and can now confirm it.
After that, I agree that we should move it to the Jinja2 template and trigger it via an ENV variable.

Please add the new ENV variable to generate.sh and update.sh.

generate.sh

mailcow-dockerized/generate_config.sh

Lines 255 to 268 in f92ddd8

	# You should use HTTPS, but in case of SSL offloaded reverse proxies:
	# Might be important: This will also change the binding within the container.
	# If you use a proxy within Docker, point it to the ports you set below.
	# Do _not_ use IP:PORT in HTTP(S)_BIND or HTTP(S)_PORT
	# IMPORTANT: Do not use port 8081, 9081 or 65510!
	# Example: HTTP_BIND=1.2.3.4
	# For IPv4 leave it as it is: HTTP_BIND= & HTTPS_PORT=
	# For IPv6 see https://docs.mailcow.email/post_installation/firststeps-ip_bindings/
	HTTP_PORT=80
	HTTP_BIND=
	HTTPS_PORT=443
	HTTPS_BIND=

update.sh

mailcow-dockerized/update.sh

Lines 896 to 942 in f92ddd8

	CONFIG_ARRAY=(
	"SKIP_LETS_ENCRYPT"
	"SKIP_SOGO"
	"USE_WATCHDOG"
	"WATCHDOG_NOTIFY_EMAIL"
	"WATCHDOG_NOTIFY_WEBHOOK"
	"WATCHDOG_NOTIFY_WEBHOOK_BODY"
	"WATCHDOG_NOTIFY_BAN"
	"WATCHDOG_NOTIFY_START"
	"WATCHDOG_EXTERNAL_CHECKS"
	"WATCHDOG_SUBJECT"
	"SKIP_CLAMD"
	"SKIP_IP_CHECK"
	"ADDITIONAL_SAN"
	"AUTODISCOVER_SAN"
	"DOVEADM_PORT"
	"IPV4_NETWORK"
	"IPV6_NETWORK"
	"LOG_LINES"
	"SNAT_TO_SOURCE"
	"SNAT6_TO_SOURCE"
	"COMPOSE_PROJECT_NAME"
	"DOCKER_COMPOSE_VERSION"
	"SQL_PORT"
	"API_KEY"
	"API_KEY_READ_ONLY"
	"API_ALLOW_FROM"
	"MAILDIR_GC_TIME"
	"MAILDIR_SUB"
	"ACL_ANYONE"
	"ENABLE_SSL_SNI"
	"ALLOW_ADMIN_EMAIL_LOGIN"
	"SKIP_HTTP_VERIFICATION"
	"SOGO_EXPIRE_SESSION"
	"REDIS_PORT"
	"DOVECOT_MASTER_USER"
	"DOVECOT_MASTER_PASS"
	"MAILCOW_PASS_SCHEME"
	"ADDITIONAL_SERVER_NAMES"
	"ACME_CONTACT"
	"WATCHDOG_VERBOSE"
	"WEBAUTHN_ONLY_TRUSTED_VENDORS"
	"SPAMHAUS_DQS_KEY"
	"SKIP_UNBOUND_HEALTHCHECK"
	"DISABLE_NETFILTER_ISOLATION_RULE"
	"REDISPASS"
	)

[Scuruba]

Okay thanks @FreddleSpl0it, I added the variable to both scripts.
I made the default as no, for the ones who don't want it as a default.

But the problem that it does not work for me via the variable remains, does anyone have an idea what the problem could be?

[FreddleSpl0it]

Looks good at first sight. Did you rebuild the Nginx Docker image?

[Scuruba]

I removed the old data/Dockerfiles/nginx/bootstrap.py , docker-compose.yml and data/conf/nginx/templates/nginx.conf.j2 files, copied the new ones and added the variable REDIRECT_HTTP=y to mailcow.conf

Then recreated the containers with docker compose up --build --force-recreate --no-deps -d
Nothing changed.

[Scuruba]

I played a bit around, and the expression {% if REDIRECT_HTTP is defined %} is false!
But the expression {% if DISABLE_IPv6 is defined %} is true.

In portainer, in the nginx-container I see the ENVs are both listed and also follows the mailcow.conf entry (y/n). Looks like that not docker is the problem, but maybe Jinja2.
The bootstrap.py file looks correct for me.

And also

docker compose exec nginx-mailcow python3
>>> import os
>>> print(os.environ['REDIRECT_HTTP'])

print y or n as an answer