Page tree
Skip to end of metadata
Go to start of metadata

Install WebApp

Debian and Ubuntu RHEL and CentOS SUSE

Install  Nginx and php-fpm

Debian Ubuntu RHEL and CentOS SUSE


Add a new pool in fpm for webapp

This is just an example. You need to adjust the child processes for you environment

listen =
user = www-data
group = www-data
listen.allowed_clients =
pm = dynamic
pm.max_children = 150
pm.start_servers = 35
pm.min_spare_servers = 20
pm.max_spare_servers = 50
pm.max_requests = 200
listen.backlog = -1
request_terminate_timeout = 120s
rlimit_files = 131072
rlimit_core = unlimited
catch_workers_output = yes

Restart FPM


$ sudo systemctl restart php5-fpm


$ sudo systemctl restart php-fpm

Nginx site

Depending on your distribution you need to create a new file in /etc/nginx/site-available or  /etc/nginx/conf.d

Change the servername, ssl_certificate and ssl_certificate_key

upstream php-handler {
    #server unix:/var/run/php5-fpm.sock;
	#server unix:/var/run/php7-fpm.sock;

 	listen 80;
	charset utf-8;
  	listen [::]:80;
  	server_name _;

  	location / {
    	rewrite   ^(.*)   https://$server_name$1 permanent;


server {
	charset utf-8;
    listen 443;
	listen [::]:443 ssl;
    server_name _;
    ssl on;
	client_max_body_size 1024m;
	ssl_certificate /path/to/fullchain.pem;
	ssl_certificate_key /path/to/privkey.pem;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    # ssl_dhparam require you to create a dhparam.pem, this takes a long time
    # ssl_dhparam /etc/ssl/certs/dhparam.pem;

	# add headers
	server_tokens off;
	add_header X-Frame-Options SAMEORIGIN;
	add_header X-Content-Type-Options nosniff;
	add_header X-XSS-Protection "1; mode=block";

    location /webapp {
        alias /usr/share/kopano-webapp/;
        index index.php;
	location ~ /webapp/presence/ {
                rewrite ^/webapp/presence(/.*)$ $1 break;
                proxy_pass http://localhost:1234;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
                proxy_http_version 1.1;


    location ~* ^/webapp/(.+\.php)$ {
        alias /usr/share/kopano-webapp/;

        # deny access to .htaccess files
        location ~ /\.ht {
                    deny all;

        fastcgi_param PHP_VALUE "
        fastcgi_param PHP_VALUE "post_max_size=31M

        include fastcgi_params;
        fastcgi_index index.php;
        #fastcgi_param HTTPS on;
        fastcgi_param SCRIPT_FILENAME $document_root$1;
        fastcgi_pass php-handler;
        access_log /var/log/nginx/kopano-webapp-access.log;
        error_log /var/log/nginx/kopano-webapp-error.log;

        # CSS and Javascript
        location ~* \.(?:css|js)$ {
            expires 1y;
            access_log off;
            add_header Cache-Control "public";

        # All (static) resources set to 2 months expiration time.
        location ~* \.(?:jpg|gif|png)$ {
            expires 2M;
            access_log off;
            add_header Cache-Control "public";

        # enable gzip compression
        gzip on;
        gzip_min_length  1100;
        gzip_buffers  4 32k;
        gzip_types    text/plain application/x-javascript text/xml text/css application/json;
        gzip_vary on;


map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;

To generate self-signed SSL keys

$ sudo mkdir -p /etc/nginx/ssl
$ sudo openssl req -new -x509 -days 365 -nodes -out /etc/nginx/ssl/nginx.pem -keyout /etc/nginx/ssl/nginx.key

Then optionally generate a dhparam.pem file (this is going to take a long time):

$ sudo cd /etc/ssl/certs && sudo openssl dhparam -out dhparam.pem 4096

And then uncomment the following line in your configuration file:

ssl_dhparam /etc/ssl/certs/dhparam.pem;

Enable the WebApp site

$ sudo ln -s /etc/nginx/sites-available/webapp.conf /etc/nginx/sites-enabled/

Check if the config is sane

$ sudo nginx  -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Since WebApp 3.4.0 secure cookies are enabled by default this means that you can't access the WebApp without ssl certificates.

This can be turned off by enabling insecure cookies in /etc/kopano/webapp/config.php

 define("INSECURE_COOKIES", True);

Reload NGINX with the new site

$ sudo systemctl reload nginx


Go to the url entered in the WebApp site (server_name)

  • No labels