1

Topic: Nginx does not work with Cloudflare's SSL settings.

I have a DNS domain such as mail.example.com with Cloudflare. After installing iRedMail, I changed the SSL settings in the nginx file with Cloudflare keys as follows. Before, I used these certificate files with apache2 and it was working fine.

vim /etc/nginx/templates/ssl.tmpl;

ssl_certificate_key /etc/ssl/example.com/mydomain.com.key; ## cloudflare ssl key
ssl_certificate /etc/ssl/example.com/mydomain.com.pem; ## cloudflare ssl pem

SSL works fine with PHP and HTML files. I tested it.


But when I try to access mail.example.com/iredadmin ==> I get this error. (502 gateway)

2024/05/28 09:33:37 [error] 35091#35091: *1 connect() failed (111: Unknown error) while connecting to upstream, client: 172.69.251.151, server: mail.example.com, request: "GET /iredadmin HTTP/2.0", upstream: "uwsgi://127.0.0.1:7791", host: "mail.example.com"

Besides, when I try to access mail.example.com/ or mail.example.com/mail ==> I get this error. (403 Permission denied)

2024/05/28 09:23:40 [error] 31395#31395: *1 "/opt/www/roundcubemail/index.php" is forbidden (13: Permission denied), client: 172.69.251.131, server: mail.example.com, request: "GET /mail/ HTTP/2.0", host: "mail.example.com"

Here is my nginx server config:

#
# Note: This file must be loaded before other virtual host config files,
#
# HTTPS
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name mail.example.com;

    root /var/www/html;
    index index.php index.html;

    error_log /var/log/nginx/error.log warn;

    include /etc/nginx/templates/misc.tmpl;
    include /etc/nginx/templates/ssl.tmpl;
    include /etc/nginx/templates/iredadmin.tmpl;
    include /etc/nginx/templates/roundcube.tmpl;
    include /etc/nginx/templates/sogo.tmpl;
    include /etc/nginx/templates/netdata.tmpl;
    include /etc/nginx/templates/php-catchall.tmpl;
    include /etc/nginx/templates/stub_status.tmpl;
}

Help please. What do I need to do?


2

Re: Nginx does not work with Cloudflare's SSL settings.

eguvenc wrote:

But when I try to access mail.example.com/iredadmin ==> I get this error. (502 gateway)

Is "iredadmin" service running?

eguvenc wrote:

Besides, when I try to access mail.example.com/ or mail.example.com/mail ==> I get this error. (403 Permission denied)

What's the owner/group/permission of /opt/www/roundcubemail/ and /opt/www/roundcubemail-1.x.y/ directory?
Did you modify include /etc/nginx/templates/roundcube.tmpl?

3

Re: Nginx does not work with Cloudflare's SSL settings.

Is "iredadmin" service running?
- Yes

What's the owner/group/permission of /opt/www/roundcubemail/ ?

root@mail:/opt/www/roundcubemail# ll
total 408
drwxrwxr-x 13 root     root       4096 May 28 08:45 ./
drwx------  4 root     root       4096 May 28 07:58 ../
drwxrwxr-x  2 root     root       4096 Nov  5  2023 bin/
----------  1 root     root     212469 Nov  5  2023 CHANGELOG.md
-rw-rw-r--  1 root     root        994 Nov  5  2023 composer.json
-rw-rw-r--  1 root     root       1086 Nov  5  2023 composer.json-dist
-rw-rw-r--  1 root     root      56279 Nov  5  2023 composer.lock
drwxrwxr-x  2 root     root       4096 May 28 07:58 config/
-rw-rw-r--  1 root     root       2553 Nov  5  2023 .htaccess
-rw-rw-r--  1 root     root      11199 Nov  5  2023 index.php
----------  1 root     root      12661 Nov  5  2023 INSTALL
d---------  3 root     root       4096 Nov  5  2023 installer/
----------  1 root     root      35147 Nov  5  2023 LICENSE
drwxrwxr-x  2 www-data www-data   4096 Nov  5  2023 logs/
drwxrwxr-x 37 root     root       4096 Nov  5  2023 plugins/
drwxrwxr-x  8 root     root       4096 Nov  5  2023 program/
drwxrwxr-x  3 root     root       4096 Nov  5  2023 public_html/
----------  1 root     root       3853 Nov  5  2023 README.md
-rw-rw-r--  1 root     root        967 Nov  5  2023 SECURITY.md
drwxrwxr-x  3 root     root       4096 Nov  5  2023 skins/
d---------  7 root     root       4096 Nov  5  2023 SQL/
drwxrwxr-x  2 www-data www-data   4096 Nov  5  2023 temp/
----------  1 root     root       4657 Nov  5  2023 UPGRADING
drwxrwxr-x 14 root     root       4096 Nov  5  2023 vendor/

What's the owner/group/permission of /opt/www/roundcubemail-1.x.y/ directory?

root@mail:/opt/www/roundcubemail-1.6.5# ll
total 408
drwxrwxr-x 13 root     root       4096 May 28 08:45 ./
drwx------  4 root     root       4096 May 28 07:58 ../
drwxrwxr-x  2 root     root       4096 Nov  5  2023 bin/
----------  1 root     root     212469 Nov  5  2023 CHANGELOG.md
-rw-rw-r--  1 root     root        994 Nov  5  2023 composer.json
-rw-rw-r--  1 root     root       1086 Nov  5  2023 composer.json-dist
-rw-rw-r--  1 root     root      56279 Nov  5  2023 composer.lock
drwxrwxr-x  2 root     root       4096 May 28 07:58 config/
-rw-rw-r--  1 root     root       2553 Nov  5  2023 .htaccess
-rw-rw-r--  1 root     root      11199 Nov  5  2023 index.php
----------  1 root     root      12661 Nov  5  2023 INSTALL
d---------  3 root     root       4096 Nov  5  2023 installer/
----------  1 root     root      35147 Nov  5  2023 LICENSE
drwxrwxr-x  2 www-data www-data   4096 Nov  5  2023 logs/
drwxrwxr-x 37 root     root       4096 Nov  5  2023 plugins/
drwxrwxr-x  8 root     root       4096 Nov  5  2023 program/
drwxrwxr-x  3 root     root       4096 Nov  5  2023 public_html/
----------  1 root     root       3853 Nov  5  2023 README.md
-rw-rw-r--  1 root     root        967 Nov  5  2023 SECURITY.md
drwxrwxr-x  3 root     root       4096 Nov  5  2023 skins/
d---------  7 root     root       4096 Nov  5  2023 SQL/
drwxrwxr-x  2 www-data www-data   4096 Nov  5  2023 temp/
----------  1 root     root       4657 Nov  5  2023 UPGRADING
drwxrwxr-x 14 root     root       4096 Nov  5  2023 vendor/


Did you modify include /etc/nginx/templates/roundcube.tmpl ?
- No.

#
# Running Roundcube as a subfolder on an existing virtual host
#
# Block access to default directories and files under these directories
location ~ ^/mail/(bin|config|installer|logs|SQL|temp|vendor)($|/.*) { deny all; }

# Block access to default files under top-directory and files start with same name.
location ~ ^/mail/(CHANGELOG|composer.json|INSTALL|jsdeps.json|LICENSE|README|UPGRADING)($|.*) { deny all; }

# Block plugin config files and sample config files.
location ~ ^/mail/plugins/.*/config.inc.php.* { deny all; }

# Block access to plugin data
location ~ ^/mail/plugins/enigma/home($|/.*) { deny all; }

# Redirect URI `/mail` to `/mail/`.
location = /mail {
    return 301 /mail/;
}

location ~ ^/mail/(.*\.php)$ {
    include /etc/nginx/templates/hsts.tmpl;
    include /etc/nginx/templates/fastcgi_php.tmpl;
    fastcgi_param SCRIPT_FILENAME /opt/www/roundcubemail/$1;
}

location ~ ^/mail/(.*) {
    alias /opt/www/roundcubemail/$1;
    index index.php;
}
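
An added example, not part of any post in this thread: it pulls the errno and the target out of the two nginx error lines quoted above (on Linux 111 is connection refused, 13 is permission denied) and, for a path, walks its parent directories to find the first one a given uid cannot enter. The function names, uid/gid 33 for www-data and the mode of /opt are assumptions; POSIX ACLs are not considered.

```python
import os
import re
import stat
from types import SimpleNamespace

ERRNO = re.compile(r"\((\d+): [^)]*\)")
UPSTREAM = re.compile(r'upstream: "\w+://([^:"]+):(\d+)"')
FORBIDDEN = re.compile(r'"(/[^"]+)" is forbidden')

def triage(line):
    """Return (errno, target): target is an upstream (host, port) or a file path."""
    err = ERRNO.search(line)
    code = int(err.group(1)) if err else None
    fb, up = FORBIDDEN.search(line), UPSTREAM.search(line)
    if fb:
        return code, fb.group(1)
    if up:
        return code, (up.group(1), int(up.group(2)))
    return code, None

def can_search(st, uid, gids):
    """True if uid/gids hold the search (x) bit; the first matching class decides."""
    if uid == 0:
        return True  # root bypasses mode bits
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)

def first_blocking_dir(path, uid, gids, stat_fn=os.stat):
    """Walk the parent directories of path from /; return the first one uid cannot enter."""
    current = "/"
    for part in path.strip("/").split("/")[:-1]:
        current = os.path.join(current, part)
        if not can_search(stat_fn(current), uid, gids):
            return current
    return None

# Constructed sample: /opt/www and /opt/www/roundcubemail copy the "../" and "./"
# rows of the listing above; the mode of /opt is an assumption.
SAMPLE = {
    "/opt": SimpleNamespace(st_mode=stat.S_IFDIR | 0o755, st_uid=0, st_gid=0),
    "/opt/www": SimpleNamespace(st_mode=stat.S_IFDIR | 0o700, st_uid=0, st_gid=0),
    "/opt/www/roundcubemail": SimpleNamespace(st_mode=stat.S_IFDIR | 0o775, st_uid=0, st_gid=0),
}

if __name__ == "__main__":
    line = '"/opt/www/roundcubemail/index.php" is forbidden (13: Permission denied)'
    code, target = triage(line)
    print(code, first_blocking_dir(target, 33, {33}, SAMPLE.__getitem__))
```

On a live host, omit the last argument so the walk uses `os.stat`, and pass the real uid and group ids of the nginx worker user.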

4

Re: Nginx does not work with Cloudflare's SSL settings.

What're the related log lines when you access /iredadmin/ and /mail/ via https?