upstream php_workers {
    server unix:/var/run/php-fpm.socket;
}

server {
    listen       80;
    server_name  localhost;

     location / {
        root   /usr/share/nginx/html;
    }

    error_page  404              /404.html;
}

server {
    server_name  www.server.com;
    return 301 https://mail.server.com$request_uri;
}

server {
    listen 80;
    server_name mail.server.com;
    rewrite ^ https://$server_name$request_uri? permanent;

    root /var/www/mail/www;
    index index.php index.html index.htm;

    location / {
        root /var/www/mail/www;
    }

    # Normal PHP scripts
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass php_workers;
        fastcgi_param SCRIPT_FILENAME /var/www/mail/www$fastcgi_script_name;
    }

    # Redirect webmail/SOGo/iredadmin to HTTPS
    location ~ ^/mail { rewrite ^ https://$host$request_uri?; }
    location ~* ^/sogo { rewrite ^ https://$host/SOGo; }
    location ~ ^/iredadmin { rewrite ^ https://$host$request_uri?; }

    # Deny all attempts to access hidden files such as .htaccess.
    location ~ /\. { deny all; }

    # Handling noisy favicon.ico messages
    location = ^/favicon.ico { access_log off; log_not_found off; }
}

# HTTPS
server {
    listen 443;
    server_name mail.server.com;

    ssl on;
    ssl_certificate /etc/ssl/certs/iRedMail.crt;
    ssl_certificate_key /etc/ssl/private/iRedMail.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
   
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/dhparams.pem;

    index index.php index.html index.htm;
   
    # Use HTTP Strict Transport Security to force client to use secure connections only.
    add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";
    add_header  X-Content-Type-Options  nosniff;
    add_header  X-Frame-Options  "SAMEORIGIN";
    add_header  X-XSS-Protection  "1;  mode=block";
    add_header  X-Robots-Tag  none;

    # Deny all attempts to access hidden files such as .htaccess.
    location ~ /\. { deny all; }

    # Handling noisy favicon.ico messages
    location = ^/favicon.ico { access_log off; log_not_found off; }

    # Roundcube webmail
    location ~ ^/mail(.*)\.php$ {
        include fastcgi_params;
        fastcgi_pass php_workers;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /opt/www/roundcubemail$1.php;
    }

    location ~ ^/mail(.*) {
        alias /opt/www/roundcubemail$1;
        index index.php;
    }

    location ~ ^/mail/(bin|SQL|README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ { deny all; }

    # Normal PHP scripts
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass php_workers;
        fastcgi_param SCRIPT_FILENAME /var/www/mail/www$fastcgi_script_name;
    }

    # iRedAdmin: static files under /iredadmin/static
    location ~ ^/iredadmin/static/(.*)\.(png|jpg|gif|css|js) {
        alias /opt/www/iredadmin/static/$1.$2;
    }

    # iRedAdmin: Python scripts
    location ~ ^/iredadmin(.*) {
        rewrite ^/iredadmin(/.*)$ $1 break;
        include uwsgi_params;
        uwsgi_pass unix:/var/run/uwsgi_iredadmin.socket;
        uwsgi_param UWSGI_CHDIR /opt/www/iredadmin;
        uwsgi_param UWSGI_SCRIPT iredadmin;
        uwsgi_param SCRIPT_NAME /iredadmin;
    }
    # iRedAdmin: redirect /iredadmin to /iredadmin/
    location = /iredadmin {
        rewrite ^ /iredadmin/;
    }

    # SOGo
    location ~ ^/sogo { rewrite ^ https://$host/SOGo; }
    location ~ ^/SOGO { rewrite ^ https://$host/SOGo; }
   rewrite ^/.well-known/caldav    /SOGo/dav permanent;
    rewrite ^/.well-known/carddav   /SOGo/dav permanent;

    # For IOS 7
    location = /principals/ {
        rewrite ^ https://$server_name/SOGo/dav;
        allow all;
    }

    location ^~ /SOGo {
        proxy_pass http://127.0.0.1:20000;
        #proxy_redirect http://127.0.0.1:20000/SOGo/ /SOGo;
        # forward user's IP address
        #proxy_set_header X-Real-IP $remote_addr;
        #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        #proxy_set_header Host $host;
        proxy_set_header x-webobjects-server-protocol HTTP/1.0;
        #proxy_set_header x-webobjects-remote-host 127.0.0.1;
        #proxy_set_header x-webobjects-server-name $server_name;
        #proxy_set_header x-webobjects-server-url $scheme://$host;
    }

    location ^~ /Microsoft-Server-ActiveSync {
        proxy_pass http://127.0.0.1:20000/SOGo/Microsoft-S … ctiveSync;
        proxy_redirect http://127.0.0.1:20000/Microsoft-Server-ActiveSync /;
    }

    location ^~ /SOGo/Microsoft-Server-ActiveSync {
        proxy_pass http://127.0.0.1:20000/SOGo/Microsoft-S … ctiveSync;
        proxy_redirect http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync /;
    }

    location /SOGo.woa/WebServerResources/ {
        alias /usr/lib/GNUstep/SOGo/WebServerResources/;
    }
    location /SOGo/WebServerResources/ {
        alias /usr/lib/GNUstep/SOGo/WebServerResources/;
    }
    location ^/SOGo/so/ControlPanel/Products/([^/]*)/Resources/(.*)$ {
        alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2;
    }
}

# ls -l /opt/www/
total 8
dr-xr-xr-x  9 iredadmin iredadmin 4096 Feb 11 02:01 iRedAdmin-0.5
lrwxrwxrwx  1 root      root        13 Feb 10 18:01 iredadmin -> iRedAdmin-0.5
lrwxrwxrwx  1 root      root        28 May 23  2015 roundcubemail -> /opt/www/roundcubemail-1.1.1
drwxr-xr-x 12 root      root      4096 Dec 29 17:51 roundcubemail-1.1.1

# ls -l /opt/www/iredadmin/
total 96
-r-xr-xr-x  1 iredadmin iredadmin    49 Feb 10 18:01 AUTHORS
-r-xr-xr-x  1 iredadmin iredadmin  7431 Feb 10 18:01 ChangeLog
-r-xr-xr-x  1 iredadmin iredadmin 18092 Feb 10 18:01 LICENSE
-r-xr-xr-x  1 iredadmin iredadmin   439 Feb 10 18:01 README
dr-xr-xr-x  6 iredadmin iredadmin  4096 Feb 10 18:01 controllers
dr-xr-xr-x  3 iredadmin iredadmin  4096 Feb 10 18:01 docs
dr-xr-xr-x 18 iredadmin iredadmin  4096 Feb 10 18:01 i18n
-r-xr-xr-x  1 iredadmin iredadmin   402 Feb 10 18:01 iredadmin.py
dr-xr-xr-x  6 iredadmin iredadmin  4096 Feb 10 18:01 libs
-r--------  1 iredadmin iredadmin  4279 Feb 10 18:01 settings.py
-r-xr-xr-x  1 iredadmin iredadmin  4138 Feb 10 18:01 settings.py.ldap.sample
-r-xr-xr-x  1 iredadmin iredadmin  3512 Feb 10 18:01 settings.py.mysql.sample
-r-xr-xr-x  1 iredadmin iredadmin  3494 Feb 10 18:01 settings.py.pgsql.sample
-r--------  1 root      root       1729 Feb 11 02:01 settings.pyc
dr-xr-xr-x  4 iredadmin iredadmin  4096 Feb 10 18:01 static
dr-xr-xr-x  3 iredadmin iredadmin  4096 Feb 10 18:01 templates
dr-xr-xr-x  2 iredadmin iredadmin  4096 Feb 10 18:01 tools