feat(web): increase max upload filesize for mail attachments

jeboehm · May 3, 2022 · 15ea2e3 · 15ea2e3
1 parent 2bc068d
commit 15ea2e3
Show file tree

Hide file tree

Showing 4 changed files with 107 additions and 69 deletions.
diff --git a/web/rootfs/etc/nginx/http.d/default.conf.templ b/web/rootfs/etc/nginx/http.d/default.conf.templ
diff --git a/web/rootfs/etc/nginx/nginx.conf.templ b/web/rootfs/etc/nginx/nginx.conf.templ
@@ -0,0 +1,103 @@
+user nginx;
+worker_processes auto;
+pcre_jit on;
+error_log /var/log/nginx/error.log warn;
+
+events {
+	worker_connections 1024;
+}
+
+http {
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+	server_tokens off;
+	client_max_body_size 64m;
+	sendfile on;
+	tcp_nopush on;
+	ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
+	ssl_prefer_server_ciphers on;
+	ssl_session_cache shared:SSL:2m;
+	ssl_session_timeout 1h;
+	ssl_session_tickets off;
+	gzip_vary on;
+
+	map $http_upgrade $connection_upgrade {
+		default upgrade;
+		'' close;
+	}
+
+	log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+			'$status $body_bytes_sent "$http_referer" '
+			'"$http_user_agent" "$http_x_forwarded_for"';
+
+	access_log /var/log/nginx/access.log main;
+
+    server {
+        listen 80;
+        absolute_redirect off;
+
+        root /var/www/html/manager;
+
+        location = /favicon.ico {
+            log_not_found off;
+            access_log off;
+        }
+
+        location /manager {
+            return 301 /;
+        }
+
+        location ~ /\. {
+            deny all;
+            access_log off;
+            log_not_found off;
+        }
+
+        location ~ \.(tpl|yml|ini|log)$ {
+            deny all;
+        }
+
+        location / {
+            try_files $uri /index.php$is_args$args;
+        }
+
+        location /webmail {
+            alias /var/www/html/webmail;
+            index index.php;
+            try_files $uri $uri/ @webmail;
+
+            location ~ \.php$ {
+                include fastcgi_params;
+                # Mitigate httpoxy vulnerability, see: https://httpoxy.org/
+                fastcgi_param HTTP_PROXY "";
+
+                fastcgi_buffers 8 16k;
+                fastcgi_buffer_size 32k;
+
+                client_max_body_size 64M;
+                client_body_buffer_size 128k;
+                fastcgi_param SCRIPT_FILENAME $request_filename;
+                fastcgi_pass 127.0.0.1:9000;
+            }
+        }
+
+        location @webmail {
+            rewrite /webmail/(.*)$ /webmail/index.php?/$1 last;
+        }
+
+        location ~ ^/index\.php(/|$) {
+            fastcgi_pass 127.0.0.1:9000;
+            fastcgi_split_path_info ^(.+\.php)(/.*)$;
+            include fastcgi_params;
+            fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+            fastcgi_param DOCUMENT_ROOT $realpath_root;
+            internal;
+        }
+
+        location /rspamd/ {
+            proxy_pass http://{{ .Env.FILTER_HOST }}:11334/;
+            proxy_set_header Host $host;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        }
+    }
+}
diff --git a/web/rootfs/usr/local/bin/entrypoint.sh b/web/rootfs/usr/local/bin/entrypoint.sh
@@ -33,7 +33,7 @@ dockerize \
   -wait tcp://${FILTER_HOST}:11334 \
   -wait file:///media/dkim/ \
   -timeout ${WAITSTART_TIMEOUT} \
-  -template /etc/nginx/http.d/default.conf.templ:/etc/nginx/http.d/default.conf
+  -template /etc/nginx/nginx.conf.templ:/etc/nginx/nginx.conf
 
 manager_init
 roundcube_init

diff --git a/web/rootfs/usr/local/etc/php/conf.d/zzz_app.ini b/web/rootfs/usr/local/etc/php/conf.d/zzz_app.ini
@@ -7,3 +7,6 @@ realpath_cache_ttl = 600
 
 expose_php = Off
 display_errors = Off
+
+upload_max_filesize = 50M
+post_max_size = 50M