Virtual Mail Server reverse proxy

How to set up a reverse proxy for Virtual Mail Server




Prepare a server block for certbot

/etc/nginx/sites-available/mail.wildw1ng.com
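server {
    listen 80;

    server_name mail.wildw1ng.com;

    # Bootstrap block, used only until certbot has issued the certificate.
    # Plain HTTP is proxied straight through so certbot's validation request
    # and the mail UI both reach the backend.
    #
    # The original `rewrite https://$host$request_uri? permanent;` had no
    # regex argument, so nginx treated the URL as the pattern and the
    # directive never matched; it is dropped here rather than "fixed",
    # because certbot writes the real HTTP->HTTPS redirect later (the
    # "managed by Certbot" port-80 block).

    error_log   /var/log/nginx/mail.wildw1ng.com.error.log;
    access_log  /var/log/nginx/mail.wildw1ng.com.access.log;

    location / {
        # IP address of mail server. This hop is plaintext HTTP on the
        # internal network.
        proxy_pass         http://10.0.1.18/;
        # Pass the original Host so the backend builds links for
        # mail.wildw1ng.com instead of 10.0.1.18.
        proxy_set_header   Host              $host;
        # X-Real-IP is set (not appended) by this proxy, so the backend can
        # rely on it as long as only this proxy can reach the backend.
        proxy_set_header   X-Real-IP         $remote_addr;
        # X-Forwarded-For keeps any client-supplied value and appends ours;
        # a backend that reads it must use the last entry, not the first.
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}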

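ln -s /etc/nginx/sites-available/mail.wildw1ng.com /etc/nginx/sites-enabled/mail.wildw1ng.com
# Validate the configuration now so a typo in the block above surfaces here
# rather than when certbot reloads nginx during certificate issuance.
nginx -t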

Get a TLS certificate from Let’s Encrypt with Certbot

# --nginx: certbot edits the server block above in place and adds the
#          ssl_* directives marked "managed by Certbot" in the next section.
# --staple-ocsp: also emits the ssl_stapling directives shown below.
# Run interactively: without -d certbot asks which server_name to use.
certbot --nginx --staple-ocsp

Server block configuration

/etc/nginx/sites-available/mail.wildw1ng.com
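server {
    listen 443 ssl http2;

    server_name mail.wildw1ng.com;

    # The original `rewrite https://$host$request_uri? permanent;` is
    # removed. It lacked the regex argument so it never matched, and a
    # working version inside the HTTPS block would redirect to itself in a
    # loop. The HTTP->HTTPS redirect belongs in the certbot-managed port-80
    # block below.

    error_log   /var/log/nginx/mail.wildw1ng.com.error.log;
    access_log  /var/log/nginx/mail.wildw1ng.com.access.log;

    # These are the paths to your generated Let's Encrypt SSL certificates.
    ssl_certificate /etc/letsencrypt/live/mail.wildw1ng.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mail.wildw1ng.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    # NOTE(review): options-ssl-nginx.conf may also define ssl_session_cache;
    # check `nginx -T` to confirm which setting is in effect rather than
    # assuming this one wins.
    ssl_session_cache   shared:SSL:60m;

    location / {
        # IP address of mail server. TLS is terminated here; this hop is
        # plaintext HTTP on the internal network.
        proxy_pass         http://10.0.1.18/;
        # Original Host so the backend builds links for mail.wildw1ng.com.
        proxy_set_header   Host              $host;
        # X-Real-IP is set (not appended) by this proxy; trustworthy as long
        # as only this proxy can reach the backend.
        proxy_set_header   X-Real-IP         $remote_addr;
        # X-Forwarded-For keeps any client-supplied value and appends ours;
        # a backend that reads it must use the last entry.
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        # Tells the backend the client side was HTTPS (secure cookies,
        # absolute URLs).
        proxy_set_header   X-Forwarded-Proto $scheme;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # The add_header directives below are inherited by the locations above
    # because neither location declares its own add_header. "always" makes
    # them apply to error responses as well as 2xx/3xx. If the mail
    # application already emits one of these headers, the response will
    # carry it twice; use proxy_hide_header to keep a single copy.

    # Anti-MIME-Sniffing header
    add_header X-Content-Type-Options nosniff always;

    # Anti-ClickJacking Header
    add_header  X-Frame-Options "SAMEORIGIN" always;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;

    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/letsencrypt/live/mail.wildw1ng.com/chain.pem; # managed by Certbot

    # OCSP stapling
    ssl_stapling on; # managed by Certbot
    ssl_stapling_verify on; # managed by Certbot
}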

# Port-80 block written by certbot: requests for the expected host are sent
# to HTTPS, anything else (IP-literal or unknown Host header) gets a 404.
server {
    listen       80;
    server_name  mail.wildw1ng.com;

    if ($host = mail.wildw1ng.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    return 404; # managed by Certbot
}

Restart the service

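# Test the configuration first: a restart with a broken config leaves nginx
# stopped, whereas `nginx -t` fails here and the running instance is kept.
nginx -t && systemctl restart nginx.service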

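# unlink takes exactly one path; the stray `ln -s` in the original line made
# it fail with an "extra operand" error.
# NOTE(review): this path names plex.wildw1ng.com, not the mail site set up
# above — confirm this is the site that should be disabled.
unlink /etc/nginx/sites-enabled/plex.wildw1ng.com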