

Install WebApp

Debian and Ubuntu RHEL and CentOS SUSE


Install  Nginx and php-fpm

Debian and Ubuntu RHEL and CentOS SUSE

PHP-FPM

Create a new pool in FPM for WebApp. Please check the paths in the examples so that they match your environment.

This is just an example. You need to adjust the number of child processes for your environment.


/etc/php/7.2/fpm/pool.d/webapp.conf
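[webapp]
; Dedicated PHP-FPM pool for Kopano WebApp. nginx reaches it through the
; "php-handler" upstream, which points at the same address and port.

; --- listener ---------------------------------------------------------------
; Bound to loopback only. NOTE(review): listen.allowed_clients filters by source
; address, so every local process can still reach this port. A unix socket with
; listen.owner / listen.group / listen.mode limits access to the web server user;
; switching requires the matching "server unix:..." line in the nginx upstream.
listen = 127.0.0.1:9002
listen.allowed_clients = 127.0.0.1
listen.backlog = -1

; --- identity ---------------------------------------------------------------
; Workers run as the unprivileged web server account.
user = www-data
group = www-data

; --- process manager (example sizing, tune for your host) -------------------
pm = dynamic
pm.max_children = 150
pm.start_servers = 35
pm.min_spare_servers = 20
pm.max_spare_servers = 50
; Recycle each worker after 200 requests.
pm.max_requests = 200

; --- limits and logging -----------------------------------------------------
; Kill a request that runs longer than two minutes.
request_terminate_timeout = 120s
rlimit_files = 131072
; Core dumps are disabled: a worker's memory can hold mailbox content and
; session data, and unlimited dumps can fill the disk. Raise this only
; temporarily while debugging a crash.
rlimit_core = 0
; Forward worker stdout/stderr to the FPM error log.
catch_workers_output = yes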

After creating the pool configuration file, restart FPM. For example in Ubuntu 18.04:

$ sudo systemctl restart php7.2-fpm

Nginx site

Depending on your distribution you need to create a new file (we will assume webapp.conf in our examples below) in /etc/nginx/sites-available or /etc/nginx/conf.d.

The following configuration file is an example - you need to update it to reflect your environment. Make sure you change server_name, ssl_certificate and ssl_certificate_key to your values.

# Backend used by "fastcgi_pass php-handler;" in the HTTPS server block.
# The active entry must match the "listen" value of the PHP-FPM pool.
upstream php-handler {
    # Alternative: a unix socket instead of the loopback TCP port
    # (use the socket path your PHP-FPM pool actually listens on).
    #server unix:/var/run/php5-fpm.sock;
    #server unix:/var/run/php7.2-fpm.sock;
    server 127.0.0.1:9002;
}

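# Plain-HTTP listener: its only job is to send every request to the HTTPS site.
server {
    listen 80;
    listen [::]:80;
    charset utf-8;

    # Replace "_" with the real host name. The redirect target below is built
    # from server_name, so the placeholder would redirect clients to "https://_".
    server_name _;

    # "return" needs no regex evaluation and keeps the path and query string
    # exactly as the client sent them.
    return 301 https://$server_name$request_uri;
}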

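# HTTPS site serving Kopano WebApp under /webapp/.
server {
    charset utf-8;

    # TLS is enabled per listener. The standalone "ssl on;" directive is
    # deprecated and rejected by current nginx releases, and the IPv4 listener
    # previously lacked the "ssl" flag.
    listen 443 ssl;
    listen [::]:443 ssl;

    # Replace "_" with the public host name of this site.
    server_name _;

    # Upper bound nginx accepts for a request body. PHP applies its own, lower
    # limits (post_max_size / upload_max_filesize in the PHP location below).
    client_max_body_size 1024m;

    ssl_certificate /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;

    # TLS 1.0 and 1.1 are deprecated and no longer offered. Append TLSv1.3 when
    # your nginx (1.13.0+) is built against OpenSSL 1.1.1 or newer.
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
    ssl_prefer_server_ciphers on;
    #
    # ssl_dhparam requires you to create a dhparam.pem, this takes a long time.
    # It is only used by DHE cipher suites; the list above is ECDHE-only, so it
    # matters only if you add DHE suites to ssl_ciphers.
    # ssl_dhparam /etc/ssl/certs/dhparam.pem;
    #

    # Response headers. add_header is inherited by a location only when that
    # location defines no add_header of its own, which is why the static asset
    # locations below repeat these three lines.
    server_tokens off;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    # Optional, once a publicly trusted certificate is installed:
    # add_header Strict-Transport-Security "max-age=31536000" always;

    # Send the bare /webapp to the directory URL handled below.
    location = /webapp {
        return 301 /webapp/;
    }

    # The location prefix and the alias path both end in "/". With a prefix
    # that lacks the trailing slash, the prefix also matches sibling names and
    # the alias can resolve to files outside /usr/share/kopano-webapp/.
    location /webapp/ {
        alias /usr/share/kopano-webapp/;
        index index.php;

        # Deny access to .htaccess files. This rule and the two static asset
        # rules were nested inside the ".php" location, where they could never
        # match a request; here they apply to everything under /webapp/.
        location ~ /\.ht {
            deny all;
        }

        # Presence service: strip the /webapp/presence prefix and proxy to the
        # local backend, passing WebSocket upgrade requests through.
        location ~ /webapp/presence/ {
            rewrite ^/webapp/presence(/.*)$ $1 break;
            proxy_pass http://localhost:1234;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            # $connection_upgrade comes from the "map" block in this file:
            # "upgrade" for upgrade requests, "close" for everything else.
            proxy_set_header Connection $connection_upgrade;
        }

        # CSS and Javascript
        location ~* \.(?:css|js)$ {
            expires 1y;
            access_log off;
            add_header Cache-Control "public";
            add_header X-Frame-Options SAMEORIGIN;
            add_header X-Content-Type-Options nosniff;
            add_header X-XSS-Protection "1; mode=block";
        }

        # All (static) resources set to 2 months expiration time.
        location ~* \.(?:jpg|gif|png)$ {
            expires 2M;
            access_log off;
            add_header Cache-Control "public";
            add_header X-Frame-Options SAMEORIGIN;
            add_header X-Content-Type-Options nosniff;
            add_header X-XSS-Protection "1; mode=block";
        }
    }

    # PHP scripts below /webapp/ are handed to the PHP-FPM pool.
    location ~* ^/webapp/(.+\.php)$ {
        alias /usr/share/kopano-webapp/;

        # One PHP_VALUE parameter only: when the parameter is defined twice the
        # later definition is the one PHP ends up with. register_globals and
        # the magic_quotes_* settings no longer exist in PHP 7 and were dropped.
        fastcgi_param PHP_VALUE "post_max_size=31M
                 upload_max_filesize=30M
                 max_execution_time=3660
        ";

        include fastcgi_params;
        fastcgi_index index.php;
        #fastcgi_param HTTPS on;
        # $document_root is the alias path above, $1 the script path captured
        # by the location regex.
        fastcgi_param SCRIPT_FILENAME $document_root$1;
        fastcgi_pass php-handler;
        access_log /var/log/nginx/kopano-webapp-access.log;
        error_log /var/log/nginx/kopano-webapp-error.log;

        # enable gzip compression
        # NOTE(review): compressing dynamic HTTPS responses that carry secrets
        # next to request-controlled data is the precondition for BREACH-style
        # side channels - confirm this is acceptable for your deployment.
        gzip on;
        gzip_min_length  1100;
        gzip_buffers  4 32k;
        gzip_types    text/plain application/x-javascript text/xml text/css application/json;
        gzip_vary on;
    }
}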

# Derives the Connection header value for proxied requests from the client's
# Upgrade header: no Upgrade header -> "close", anything else -> "upgrade".
map $http_upgrade $connection_upgrade {
    ''      close;
    default upgrade;
}


To generate self-signed SSL keys

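# Creates a self-signed certificate (valid 365 days) and its private key.
# -nodes stores the key without a passphrase so nginx can start unattended,
# which makes the file permissions the only protection for the key.
$ sudo mkdir -p /etc/nginx/ssl
$ sudo openssl req -new -x509 -days 365 -nodes -out /etc/nginx/ssl/nginx.pem -keyout /etc/nginx/ssl/nginx.key
# Make sure only root can read the private key.
$ sudo chmod 600 /etc/nginx/ssl/nginx.key
# Point ssl_certificate at nginx.pem and ssl_certificate_key at nginx.key.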


Then optionally generate a dhparam.pem file (this is going to take a long time):

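# "cd" is a shell builtin, so "sudo cd" fails and the command after "&&" never
# runs. Write the file through its absolute path instead.
$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096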


And then uncomment the following line in your configuration file:

/etc/nginx/sites-available/webapp.conf
ssl_dhparam /etc/ssl/certs/dhparam.pem;

Enable the WebApp site:

$ sudo ln -s /etc/nginx/sites-available/webapp.conf /etc/nginx/sites-enabled/


Check if the config is sane:

$ sudo nginx  -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Since WebApp 3.4.0, secure cookies are enabled by default. This means that you can't access WebApp without SSL certificates.

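This can be turned off by enabling insecure cookies in /etc/kopano/webapp/config.php. With insecure cookies enabled, the session cookie is also sent over unencrypted HTTP, so keep this setting for test setups only.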

/etc/kopano/webapp/config.php
 define("INSECURE_COOKIES", True);

Reload NGINX with the new site

$ sudo systemctl reload nginx


Go to the url entered in the WebApp site (server_name):

