

Install WebApp

Debian and Ubuntu RHEL and CentOS SUSE


Install  Nginx and php-fpm

Debian Ubuntu RHEL and CentOS SUSE

PHP-FPM

Add a new pool in fpm for webapp

This is just an example. You need to adjust the number of child processes for your environment.


/etc/php5/fpm/pool.d/webapp.conf
; Dedicated PHP-FPM pool for WebApp. The values below are example sizing only.
[webapp]
; TCP listener on loopback; the nginx upstream that serves WebApp has to
; point at this exact address and port.
listen = 127.0.0.1:9002
; Worker processes run as this unprivileged account.
user = www-data
group = www-data
; Only connections coming from the local machine are accepted.
listen.allowed_clients = 127.0.0.1
; Dynamic process manager: start 35 workers, keep 20-50 idle, cap at 150.
pm = dynamic
pm.max_children = 150
pm.start_servers = 35
pm.min_spare_servers = 20
pm.max_spare_servers = 50
; Recycle each worker after 200 requests.
pm.max_requests = 200
listen.backlog = -1
; Kill a request that runs longer than two minutes.
request_terminate_timeout = 120s
rlimit_files = 131072
; NOTE(review): an unlimited core size lets a crashing worker write a full
; memory dump, which can hold session data and mail content of logged-in
; users. Consider 0 outside of debugging sessions.
rlimit_core = unlimited
; Forward stdout/stderr of the workers into the FPM error log.
catch_workers_output = yes

Restart FPM

PHP 5

$ sudo systemctl restart php5-fpm

PHP 7

$ sudo systemctl restart php-fpm

Nginx site

Depending on your distribution, you need to create a new file in /etc/nginx/sites-available or /etc/nginx/conf.d

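Change server_name, ssl_certificate and ssl_certificate_key to match your host. The HTTP-to-HTTPS redirect is built from server_name, so the placeholder "_" must be replaced with the real host name.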

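# PHP-FPM backend used by the WebApp location below.
# The address must match the `listen` value of the [webapp] pool
# (127.0.0.1:9002 in the pool example); pointing it at another port would
# send WebApp requests to a different pool, or to nothing at all.
upstream php-handler {
    server 127.0.0.1:9002;
    # Alternatives when the pool listens on a unix socket instead:
    #server unix:/var/run/php5-fpm.sock;
    #server unix:/var/run/php7-fpm.sock;
}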

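# Plain-HTTP listener: its only job is to send every request to HTTPS.
server {
    listen 80;
    listen [::]:80;
    charset utf-8;
    # Replace `_` with the real host name. The redirect target is built from
    # $server_name, so leaving the placeholder redirects clients to https://_/.
    server_name _;

    location / {
        # `return` is the idiomatic form of a blanket redirect; it keeps the
        # original path and query string.
        return 301 https://$server_name$request_uri;
    }
}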

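# HTTPS virtual host that serves WebApp through PHP-FPM.
server {
    charset utf-8;
    # TLS is enabled per listening socket. This replaces the separate
    # `ssl on;` directive, which is deprecated since nginx 1.15.0.
    listen 443 ssl;
    listen [::]:443 ssl;
    # Replace `_` with the real host name.
    server_name _;
    # NOTE(review): nginx accepts request bodies up to 1024m here, while PHP is
    # limited to post_max_size=31M further down; consider aligning the two.
    client_max_body_size 1024m;
    ssl_certificate /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and are no longer offered.
    # Add TLSv1.3 to this list when the installed nginx and OpenSSL support it.
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
    ssl_prefer_server_ciphers on;
    #
    # ssl_dhparam require you to create a dhparam.pem, this takes a long time
    # ssl_dhparam /etc/ssl/certs/dhparam.pem;
    #

    # Response hardening: hide the nginx version, forbid framing by other
    # origins and disable MIME type sniffing.
    server_tokens off;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    # Static files of WebApp.
    location /webapp {
        alias /usr/share/kopano-webapp/;
        index index.php;

        # Presence service: strip the /webapp/presence prefix and proxy to the
        # local daemon, allowing the connection to be upgraded.
        location ~ /webapp/presence/ {
            rewrite ^/webapp/presence(/.*)$ $1 break;
            proxy_pass http://localhost:1234;
            proxy_set_header Upgrade $http_upgrade;
            # Uses the $connection_upgrade map defined in this file, so that
            # requests without an Upgrade header get `Connection: close`.
            proxy_set_header Connection $connection_upgrade;
            proxy_http_version 1.1;
        }
    }

    # PHP scripts below /webapp are handed to the php-handler upstream.
    location ~* ^/webapp/(.+\.php)$ {
        alias /usr/share/kopano-webapp/;

        # deny access to .htaccess files
        # NOTE(review): nested regex locations are only evaluated for URIs that
        # already matched the enclosing pattern, i.e. URIs ending in .php.
        location ~ /\.ht {
            deny all;
        }

        # One PHP_VALUE parameter instead of two with the same name, so the
        # effective settings do not depend on which duplicate PHP-FPM honours.
        # register_globals and the magic_quotes_* settings were removed in
        # PHP 5.4 and only matter on older interpreters.
        fastcgi_param PHP_VALUE "
            register_globals=off
            magic_quotes_gpc=off
            magic_quotes_runtime=off
            post_max_size=31M
            upload_max_filesize=30M
            max_execution_time=3660
        ";

        include fastcgi_params;
        fastcgi_index index.php;
        #fastcgi_param HTTPS on;
        # $1 is the script path captured by the location pattern.
        fastcgi_param SCRIPT_FILENAME $document_root$1;
        fastcgi_pass php-handler;
        access_log /var/log/nginx/kopano-webapp-access.log;
        error_log /var/log/nginx/kopano-webapp-error.log;

        # CSS and Javascript
        # NOTE(review): this and the image location below sit inside the .php
        # location, so they cannot match .css/.js/.jpg URIs; to get the cache
        # headers they would have to move into `location /webapp` (and repeat
        # the security headers, since add_header is not inherited once a
        # location sets its own).
        location ~* \.(?:css|js)$ {
            expires 1y;
            access_log off;
            add_header Cache-Control "public";
        }

        # All (static) resources set to 2 months expiration time.
        location ~* \.(?:jpg|gif|png)$ {
            expires 2M;
            access_log off;
            add_header Cache-Control "public";
        }

        # enable gzip compression (applies to the PHP responses of this location)
        gzip on;
        gzip_min_length  1100;
        gzip_buffers  4 32k;
        gzip_types    text/plain application/x-javascript text/xml text/css application/json;
        gzip_vary on;
    }
}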

# Derive the Connection header value for proxied requests from the client's
# Upgrade header: none sent -> "close", anything else -> "upgrade".
map $http_upgrade $connection_upgrade {
    ''      close;
    default upgrade;
}


To generate self-signed SSL keys

$ sudo mkdir -p /etc/nginx/ssl
$ sudo openssl req -new -x509 -days 365 -nodes -out /etc/nginx/ssl/nginx.pem -keyout /etc/nginx/ssl/nginx.key


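Then optionally generate a dhparam.pem file (this is going to take a long time). The file is only used by DHE cipher suites; the ssl_ciphers list above contains only ECDHE suites, so it has no effect unless you add DHE suites: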

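# cd is a shell builtin, so `sudo cd` cannot change the working directory;
# the output file is given with its full path instead.
$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096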


And then uncomment the following line in your configuration file:

/etc/nginx/sites-available/webapp.conf
ssl_dhparam /etc/ssl/certs/dhparam.pem;

Enable the WebApp site

$ sudo ln -s /etc/nginx/sites-available/webapp.conf /etc/nginx/sites-enabled/


Check if the config is sane

$ sudo nginx  -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Since WebApp 3.4.0, secure cookies are enabled by default. This means that you can't access the WebApp without SSL certificates.

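This can be turned off by enabling insecure cookies in /etc/kopano/webapp/config.php. With insecure cookies the session cookie is also sent over unencrypted HTTP, where it can be read on the network, so leave the default in place when WebApp is served over HTTPS as configured above.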

/etc/kopano/webapp/config.php
 define("INSECURE_COOKIES", True);

Reload NGINX with the new site

$ sudo systemctl reload nginx

 

Go to the url entered in the WebApp site (server_name)

