HOWTO: Use NGINX as the Web Server

This HOWTO consists of two separate approaches.

Simple Installation

The simple configuration is supposed to provide only the webclient. This simple setup only includes the webmail part (roundcubemail) and doesn’t provide the full experience (file browser, freebusy, caldav/carddav, etc).

If you look for a more complete setup including webadmin, irony, etc. take a look on the complex setup.

  1. Install NGINX and PHP FPM:

    # yum -y install nginx php-fpm
    
  2. Configure php-fpm to listen on a local UNIX socket:

    # sed -r -i \
        -e 's|^listen = 127.0.0.1.*$|listen = /var/run/php-fpm/php-fpm.sock|g' \
        /etc/php-fpm.d/www.conf
    
  3. Replace the contents of /etc/nginx/conf.d/default.conf:

    # cat > /etc/nginx/conf.d/default.conf << EOF
    server {
        listen              8080 default_server;
        server_name         localhost:8080;
    
        # support roundcubemail secure urls
        rewrite "^/roundcubemail/[a-zA-Z0-9]{16}/(.*)" /roundcubemail/$1;
    
        # roundcube
        location /roundcubemail {
            alias /usr/share/roundcubemail/public_html;
            index index.php;
    
            location ~ \.php$ {
                include fastcgi_params;
                fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
                fastcgi_split_path_info ^(.+.php)(/.*)$;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $request_filename;
            }
        }
    }
    EOF
    

    Note

    On debian based systems you might want to take a look at the configuration /etc/nginx/sites-enabled/default and a the the default php-fpm socket: /var/run/php5-fpm.sock

  4. Start the php-fpm service and configure the service to start on boot:

    # service php-fpm start
    # chkconfig php-fpm on
    
  5. Start the nginx service and configure the service to start on boot:

    # service nginx start
    # chkconfig nginx on
    

More Complex Installation

The following configuration is tested for Kolab 3.4 on CentOS6. It should also work under Debian and Ubuntu, provided you adjust paths and filenames according to their defaults.

Warning

To not create conflicts with the default apache configuration (which is installed due to dependencies) we should move the apache default port from 80 to 8080.

# sed -i -e 's/^Listen 80$/Listen 8080/g' /etc/httpd/conf/httpd.conf
# service httpd restart

In theory we don’t need the apache daemon anymore. We can turn it off.

# service httpd stop
# chkconfig httpd off

Preperation and PHP-FPM

  1. Install NGINX and PHP FPM:

    # yum -y install nginx php-fpm
    

    Note that to get full WebDAV support, an additional module is needed for nginx. It’s available from https://github.com/arut/nginx-dav-ext-module/, but requires a rebuild of nginx from source. Some clients work without it, others don’t.

    Note

    On Debian just install the nginx-full package to get the full WebDAV support of nginx (adjust your configuration accordingly.

  2. Disable the default php-fpm configuration (optional):

    # mv /etc/php-fpm.d/www.conf /etc/php-fpm.d/www.conf.bak
    

    Note

    On Debian the pool configuration folder is located here: /etc/php5/fpm/pool.d/

  3. Create the PHP FPM Pools [1]:

    # cat > /etc/php-fpm.d/kolab.example.org_chwala.conf << EOF
    [kolab.example.org_chwala]
    user = apache
    group = apache
    listen = /var/run/php-fpm/kolab.example.org_chwala.sock
    pm = dynamic
    pm.max_children = 40
    pm.start_servers = 15
    pm.min_spare_servers = 10
    pm.max_spare_servers = 20
    chdir = /
    php_value[upload_max_filesize] = 30M
    php_value[post_max_size] = 30M
    EOF
    # cat > /etc/php-fpm.d/kolab.example.org_iRony.conf << EOF
    [kolab.example.org_iRony]
    user = apache
    group = apache
    listen = /var/run/php-fpm/kolab.example.org_iRony.sock
    pm = dynamic
    pm.max_children = 40
    pm.start_servers = 15
    pm.min_spare_servers = 10
    pm.max_spare_servers = 20
    chdir = /
    php_value[upload_max_filesize] = 30M
    php_value[post_max_size] = 30M
    EOF
    # cat > /etc/php-fpm.d/kolab.example.org_kolab-freebusy.conf << EOF
    [kolab.example.org_kolab-freebusy]
    user = apache
    group = apache
    listen = /var/run/php-fpm/kolab.example.org_kolab-freebusy.sock
    pm = dynamic
    pm.max_children = 40
    pm.start_servers = 15
    pm.min_spare_servers = 10
    pm.max_spare_servers = 20
    chdir = /
    EOF
    # cat > /etc/php-fpm.d/kolab.example.org_kolab-syncroton.conf << EOF
    [kolab.example.org_kolab-syncroton]
    user = apache
    group = apache
    listen = /var/run/php-fpm/kolab.example.org_kolab-syncroton.sock
    pm = dynamic
    pm.max_children = 40
    pm.start_servers = 15
    pm.min_spare_servers = 10
    pm.max_spare_servers = 20
    chdir = /
    php_flag[suhosin.session.encrypt] = Off
    EOF
    # cat > /etc/php-fpm.d/kolab.example.org_kolab-webadmin.conf << EOF
    [kolab.example.org_kolab-webadmin]
    user = apache
    group = apache
    listen = /var/run/php-fpm/kolab.example.org_kolab-webadmin.sock
    pm = dynamic
    pm.max_children = 40
    pm.start_servers = 15
    pm.min_spare_servers = 10
    pm.max_spare_servers = 20
    chdir = /
    EOF
    # cat > /etc/php-fpm.d/kolab.example.org_roundcubemail.conf << EOF
    [roundcubemail]
    user = apache
    group = apache
    listen = /var/run/php-fpm/kolab.example.org_roundcubemail.sock
    pm = dynamic
    pm.max_children = 40
    pm.start_servers = 15
    pm.min_spare_servers = 10
    pm.max_spare_servers = 20
    chdir = /
    # Derived from .htaccess of roundcube
    php_flag[display_errors] = Off
    php_flag[log_errors] = On
    
    php_value[upload_max_filesize] = 30M
    php_value[post_max_size] = 30M
    
    php_flag[zlib.output_compression] = Off
    php_flag[magic_quotes_gpc] = Off
    php_flag[magic_quotes_runtime] = Off
    php_flag[zend.ze1_compatibility_mode] = Off
    php_flag[suhosin.session.encrypt] = Off
    
    php_flag[session.auto_start] = Off
    php_value[session.gc_maxlifetime] = 21600
    php_value[session.gc_divisor] = 500
    php_value[session.gc_probability] = 1
    
    # http://bugs.php.net/bug.php?id=30766
    php_value[mbstring.func_overload] = 0
    EOF
    

    Note

    On Debian the pool configuration folder is located here: /etc/php5/fpm/pool.d/

    Also there’s no explizit folder for php5-fpm socket folders. This is how you can take of it and make it reboot safe.

    Adjust the file: /etc/default/php5-fpm

    # create /var/run/php5-fpm for all sockets
    # could be deleted during boot
    test -e /var/run/php5-fpm || install -m 755 -o root -g root -d /var/run/php5-fpm
    

    Now you can adjust all your socket files to:

    listen = /var/run/php5-fpm/kolab.example.org_<app>.sock
    

    Or fix the files above with this quick command:

    # sed -i -e 's|/var/run/php-fpm/|/var/run/php5-fpm/|g' /etc/php5/fpm/pool.d/kolab*
    
  4. Backup your nginx configuration

    # cp /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf.bak
    

Single Domain Configuration

If you’ve only one domain, one ssl certificate or for whatever reason get all the kolab services under one host/domainname this is your configuration. The iRony service will provide all 3 dav services on a single endpoint. ActiveSync devices can be pointed to the main url. They’ll find them Microsoft Url automatically.

Application / Service URL
Roundcubemail https://kolab.example.org
CardDAV, CalDAV, WebDAV https://kolab.example.org/iRony
FreeBusy https://kolab.example.org/freebusy
Chwala API / WebUI https://kolab.example.org/chwala
Kolab Web Admin Panel https://kolab.example.org/kolab-webadmin
ActiveSync Host https://kolab.example.org
  1. Replace the contents of /etc/nginx/conf.d/default.conf:

    #
    # Force HTTP Redirect
    #
    server {
        listen 80 default_server;
        server_name _;
        server_name_in_redirect off;
        rewrite ^ https://$http_host$request_uri permanent; # enforce https redirect
    }
    
    #
    # Full Kolab Stack
    #
    server {
        listen 443 ssl default_server;
        server_name kolab.example.org;
        access_log /var/log/nginx/kolab.example.org-access_log;
        error_log /var/log/nginx/kolab.example.org-error_log;
    
        # enable ssl
    
        ssl on;
        ssl_certificate /etc/pki/tls/private/localhost.pem;
        ssl_certificate_key /etc/pki/tls/private/localhost.pem;
    
        # Start common Kolab config
    
        ##
        ## Chwala
        ##
        location /chwala {
            index index.php;
            alias /usr/share/chwala/public_html;
    
            client_max_body_size 30M; # set maximum upload size
    
            # enable php
            location ~ .php$ {
                include fastcgi_params;
                fastcgi_param HTTPS on;
                fastcgi_pass unix:/var/run/php-fpm/kolab.example.org_chwala.sock;
                fastcgi_param SCRIPT_FILENAME $request_filename;
                # Without this, PHPSESSION is replaced by webadmin-api X-Session-Token
                fastcgi_param PHP_VALUE "session.auto_start=0
                    session.use_cookies=0";
                fastcgi_pass_header X-Session-Token;
            }
        }
    
        ##
        ## iRony
        ##
        location /iRony {
            alias  /usr/share/iRony/public_html/index.php;
    
            client_max_body_size 30M; # set maximum upload size
    
            # If Nginx was built with http_dav_module:
            dav_methods  PUT DELETE MKCOL COPY MOVE;
            # Required Nginx to be built with nginx-dav-ext-module:
            # dav_ext_methods PROPFIND OPTIONS;
    
            include fastcgi_params;
            # fastcgi_param DAVBROWSER 1;
            fastcgi_param HTTPS on;
            fastcgi_index index.php;
            fastcgi_pass unix:/var/run/php-fpm/kolab.example.org_iRony.sock;
            fastcgi_param SCRIPT_FILENAME $request_filename;
        }
        location ~* /.well-known/(cal|card)dav {
            rewrite ^ /iRony/ permanent;
        }
    
        ##
        ## Kolab Webclient
        ##
        location / {
            index index.php;
            root /usr/share/roundcubemail/public_html;
    
            # support for csrf token
            rewrite "^/[a-zA-Z0-9]{16}/(.*)" /$1 break;
    
            # maximum upload size for mail attachments
            client_max_body_size 30M;
    
            # enable php
            location ~ .php$ {
                include fastcgi_params;
                fastcgi_param HTTPS on;
                fastcgi_split_path_info ^(.+.php)(/.*)$;
                fastcgi_pass unix:/var/run/php-fpm/kolab.example.org_roundcubemail.sock;
                fastcgi_param SCRIPT_FILENAME $request_filename;
            }
        }
    
        ##
        ## Kolab Web Administration Panel (WAP) and API
        ##
        location /kolab-webadmin {
            index index.php;
            alias /usr/share/kolab-webadmin/public_html;
            try_files $uri $uri/ @kolab-wapapi;
    
            # enable php
            location ~ .php$ {
                include fastcgi_params;
                fastcgi_param HTTPS on;
                fastcgi_pass unix:/var/run/php-fpm/kolab.example.org_kolab-webadmin.sock;
                fastcgi_param SCRIPT_FILENAME $request_filename;
                # Without this, PHPSESSION is replaced by webadmin-api X-Session-Token
                fastcgi_param PHP_VALUE "session.auto_start=0
                    session.use_cookies=0";
                fastcgi_pass_header X-Session-Token;
            }
        }
        # kolab-webadmin api
        location @kolab-wapapi {
            rewrite ^/kolab-webadmin/api/([^.]*).([^.]*)$ /kolab-webadmin/api/index.php?service=$1&method=$2;
        }
    
        ##
        ## Kolab syncroton ActiveSync
        ##
        location /Microsoft-Server-ActiveSync {
            alias  /usr/share/kolab-syncroton/index.php;
    
            client_max_body_size 30M; # maximum upload size for mail attachments
    
            include fastcgi_params;
            fastcgi_param HTTPS on;
            fastcgi_read_timeout 1200;
            fastcgi_index index.php;
            fastcgi_pass unix:/var/run/php-fpm/kolab.example.org_kolab-syncroton.sock;
            fastcgi_param SCRIPT_FILENAME /usr/share/kolab-syncroton/index.php;
        }
    
        ##
        ## Kolab Free/Busy
        ##
        location /freebusy {
            alias  /usr/share/kolab-freebusy/public_html/index.php;
    
            include fastcgi_params;
            fastcgi_param HTTPS on;
            fastcgi_index index.php;
            fastcgi_pass unix:/var/run/php-fpm/kolab.example.org_kolab-freebusy.sock;
            fastcgi_param SCRIPT_FILENAME /usr/share/kolab-freebusy/public_html/index.php;
        }
        # End common Kolab config
    }
    

    Note

    On Debian you can use the site configuration found at

    • /etc/nginx/sites-available/
    • /etc/nginx/sites-enabled/
  2. Adjust your kolab webadmin api url in the /etc/kolab/kolab.conf configuration, otherwise webadmin or commandline tools will not work.

    [kolab_wap]
    api_url = https://kolab.example.org/kolab-webadmin/api
    

Multi Subdomain Configuration

Sometimes it’s nice to create seperate host/domainnames for every service that kolab offers. You can limit iRony to only provide a single dav-service on each url endpoint. The Chwala API should be located on the webmail domain to not create any cross-domain api call problems.

mtch the default configuration. If you like change your config files you also move those to their url. But usually people don’t often need direct access to this url.

Note

It helps to have a wildcard ssl certificate or a certificate that includes all needed hostnames as SubjectAltNames.

URL Scheme

Application / Service URL
Roundcubemail https://webmail.example.org
CardDAV https://carddav.example.org
CalDAV https://caldav.example.org
WebDAV https://webdav.example.org
FreeBusy https://freebusy.example.org
Chwala API / WebUI https://webmail.example.org/chwala
Kolab Web Admin Panel https://kolab.example.org
ActiveSync Host https://activesync.example.org

You can also let the users use the serparte host/domain names for the non-web services.

  • imap.example.org
  • smtp.example.org
  • etc.

But this all depends on you and your communication with your end users.

  1. Replace the contents of /etc/nginx/conf.d/default.conf:

    #
    # Force HTTP Redirect
    #
    server {
        listen 80 default_server;
        server_name _;
        server_name_in_redirect off;
        rewrite ^ https://$http_host$request_uri permanent; # enforce https redirect
    }
    
    #
    # Webmail + Chwala + Freebusy
    #
    server {
        listen 443 ssl default_server;
        server_name webmail.example.org;
        access_log /var/log/nginx/webmail.example.org-access_log;
        error_log /var/log/nginx/webmail.example.org-error_log;
    
        # enable ssl
    
        ssl on;
        ssl_certificate /etc/pki/tls/private/localhost.pem;
        ssl_certificate_key /etc/pki/tls/private/localhost.pem;
    
        # Start common Kolab config
    
        ##
        ## Chwala
        ##
        location /chwala {
            index index.php;
            alias /usr/share/chwala/public_html;
    
            client_max_body_size 30M; # set maximum upload size
    
            # enable php
            location ~ .php$ {
                include fastcgi_params;
                fastcgi_param HTTPS on;
                fastcgi_pass unix:/var/run/php-fpm/kolab.example.org_chwala.sock;
                fastcgi_param SCRIPT_FILENAME $request_filename;
                # Without this, PHPSESSION is replaced by webadmin-api X-Session-Token
                fastcgi_param PHP_VALUE "session.auto_start=0
                    session.use_cookies=0";
                fastcgi_pass_header X-Session-Token;
            }
        }
    
        ##
        ## Kolab Webclient
        ##
        index index.php;
        root /usr/share/roundcubemail/public_html;
    
        # support for csrf token
        rewrite "^/[a-zA-Z0-9]{16}/(.*)" /$1 break;
    
        # maximum upload size for mail attachments
        client_max_body_size 30M;
    
        # enable php
        location ~ .php$ {
            include fastcgi_params;
            fastcgi_param HTTPS on;
            fastcgi_split_path_info ^(.+.php)(/.*)$;
            fastcgi_pass unix:/var/run/php-fpm/kolab.example.org_roundcubemail.sock;
            fastcgi_param SCRIPT_FILENAME $request_filename;
        }
    }
    
    #
    # CardDAV
    #
    server {
        listen 443 ssl;
        server_name carddav.example.org;
        access_log /var/log/nginx/carddav.example.org-access_log;
        error_log /var/log/nginx/carddav.example.org-error_log;
    
        # enable ssl
    
        ssl on;
        ssl_certificate /etc/pki/tls/private/localhost.pem;
        ssl_certificate_key /etc/pki/tls/private/localhost.pem;
    
        # Start common Kolab config
    
        ##
        ## DAV Discovery redirect
        ##
        location ~* /.well-known/carddav {
            rewrite ^ / permanent;
        }
    
        ##
        ## iRony
        ##
        root  /usr/share/iRony/public_html;
        index index.php;
        try_files $uri $uri/ /index.php?$args;
    
        client_max_body_size 30M; # set maximum upload size
    
        # If Nginx was built with http_dav_module:
        dav_methods  PUT DELETE MKCOL COPY MOVE;
        # Required Nginx to be built with nginx-dav-ext-module:
        # dav_ext_methods PROPFIND OPTIONS;
    
        location ~ .php$ {
            include fastcgi_params;
            fastcgi_param CARDDAV 1;
            # fastcgi_param DAVBROWSER 1;
    
            fastcgi_param HTTPS on;
            fastcgi_index index.php;
            fastcgi_pass unix:/var/run/php-fpm/kolab.example.org_iRony.sock;
            fastcgi_param SCRIPT_FILENAME $request_filename;
        }
    }
    
    #
    # CalDAV
    #
    server {
        listen 443 ssl;
        server_name caldav.example.org;
        access_log /var/log/nginx/caldav.example.org-access_log;
        error_log /var/log/nginx/caldav.example.org-error_log;
    
        # enable ssl
    
        ssl on;
        ssl_certificate /etc/pki/tls/private/localhost.pem;
        ssl_certificate_key /etc/pki/tls/private/localhost.pem;
    
        # Start common Kolab config
    
        ##
        ## DAV Discovery redirect
        ##
        location ~* /.well-known/caldav {
            rewrite ^ / permanent;
        }
    
        ##
        ## iRony
        ##
        root  /usr/share/iRony/public_html;
        index index.php;
        try_files $uri $uri/ /index.php?$args;
    
        client_max_body_size 30M; # set maximum upload size
    
        # If Nginx was built with http_dav_module:
        dav_methods  PUT DELETE MKCOL COPY MOVE;
        # Required Nginx to be built with nginx-dav-ext-module:
        # dav_ext_methods PROPFIND OPTIONS;
    
        location ~ .php$ {
            include fastcgi_params;
            fastcgi_param CALDAV 1;
            # fastcgi_param DAVBROWSER 1;
    
            fastcgi_param HTTPS on;
            fastcgi_index index.php;
            fastcgi_pass unix:/var/run/php-fpm/kolab.example.org_iRony.sock;
            fastcgi_param SCRIPT_FILENAME $request_filename;
        }
    }
    
    #
    # WebDAV
    #
    server {
        listen 443 ssl;
        server_name webadv.example.org;
        access_log /var/log/nginx/webadv.example.org-access_log;
        error_log /var/log/nginx/webadv.example.org-error_log;
    
        # enable ssl
    
        ssl on;
        ssl_certificate /etc/pki/tls/private/localhost.pem;
        ssl_certificate_key /etc/pki/tls/private/localhost.pem;
    
        # Start common Kolab config
    
        ##
        ## iRony
        ##
        root  /usr/share/iRony/public_html;
        index index.php;
        try_files $uri $uri/ /index.php?$args;
    
        client_max_body_size 30M; # set maximum upload size
    
        # If Nginx was built with http_dav_module:
        dav_methods  PUT DELETE MKCOL COPY MOVE;
        # Required Nginx to be built with nginx-dav-ext-module:
        # dav_ext_methods PROPFIND OPTIONS;
    
        location ~ .php$ {
            include fastcgi_params;
            fastcgi_param WEBDAV 1;
            # fastcgi_param DAVBROWSER 1;
    
            fastcgi_param HTTPS on;
            fastcgi_index index.php;
            fastcgi_pass unix:/var/run/php-fpm/kolab.example.org_iRony.sock;
            fastcgi_param SCRIPT_FILENAME $request_filename;
        }
    }
    
    #
    # Kolab Web Admin Panel + API
    #
    server {
        listen 443 ssl;
        server_name kolab.example.org;
    
        access_log /var/log/nginx/kolab.example.org-access_log;
        error_log /var/log/nginx/kolab.example.org-error_log;
    
        # enable ssl
    
        ssl on;
        ssl_certificate /etc/pki/tls/private/localhost.pem;
        ssl_certificate_key /etc/pki/tls/private/localhost.pem;
    
        # Start common Kolab config
    
        ##
        ## Kolab Web Administration Panel (WAP) and API
        ##
        root /usr/share/kolab-webadmin/public_html;
        index index.php;
        try_files $uri $uri/ @kolab-wapapi;
    
        # enable php
        location ~ .php$ {
            include fastcgi_params;
            fastcgi_param HTTPS on;
            fastcgi_pass unix:/var/run/php-fpm/kolab.example.org_kolab-webadmin.sock;
            fastcgi_param SCRIPT_FILENAME $request_filename;
            # Without this, PHPSESSION is replaced by webadmin-api X-Session-Token
            fastcgi_param PHP_VALUE "session.auto_start=0
                session.use_cookies=0";
            fastcgi_pass_header X-Session-Token;
        }
    
        # kolab-webadmin api
        location @kolab-wapapi {
            rewrite ^/api/([^.]*).([^.]*)$ /api/index.php?service=$1&method=$2;
        }
    }
    
    #
    # Syncroton / ActiveSync
    #
    server {
        listen 443 ssl;
        server_name activesync.example.org;
    
        access_log /var/log/nginx/kolab.example.org-access_log;
        error_log /var/log/nginx/kolab.example.org-error_log;
    
        # enable ssl
    
        ssl on;
        ssl_certificate /etc/pki/tls/private/localhost.pem;
        ssl_certificate_key /etc/pki/tls/private/localhost.pem;
    
        ##
        ## Kolab syncroton ActiveSync
        ##
        location /Microsoft-Server-ActiveSync {
            alias  /usr/share/kolab-syncroton/index.php;
    
            client_max_body_size 30M; # maximum upload size for mail attachments
    
            include fastcgi_params;
            fastcgi_param HTTPS on;
            fastcgi_read_timeout 1200;
            fastcgi_index index.php;
            fastcgi_pass unix:/var/run/php-fpm/kolab.example.org_kolab-syncroton.sock;
            fastcgi_param SCRIPT_FILENAME /usr/share/kolab-syncroton/index.php;
        }
    
        ##
        ## Return to Webmail any other invalid request
        ##
        location / {
            rewrite ^ https://webmail.example.org permanent;
        }
    }
    
    #
    # FreeBusy
    #
    server {
        listen 443 ssl;
        server_name freebusy.example.org;
    
        access_log /var/log/nginx/freebusy.example.org-access_log;
        error_log /var/log/nginx/freebusy.example.org-error_log;
    
        # enable ssl
    
        ssl on;
        ssl_certificate /etc/pki/tls/private/localhost.pem;
        ssl_certificate_key /etc/pki/tls/private/localhost.pem;
    
        # Start common Kolab config
    
        ##
        ## Kolab Free/Busy
        ##
        root  /usr/share/kolab-freebusy/public_html/index.php;
        index index.php;
        try_files $uri $uri/ /index.php?$args;
    
        location ~ .php$ {
            include fastcgi_params;
            fastcgi_param HTTPS on;
            fastcgi_index index.php;
            fastcgi_pass unix:/var/run/php-fpm/kolab.example.org_kolab-freebusy.sock;
            fastcgi_param SCRIPT_FILENAME /usr/share/kolab-freebusy/public_html/index.php;
        }
    }
    

    Note

    On Debian you can use the site configuration found at

    • /etc/nginx/sites-available/
    • /etc/nginx/sites-enabled/
  2. Adjust your kolab webadmin api url in the /etc/kolab/kolab.conf configuration, otherwise webadmin or commandline tools will not work.

    [kolab_wap]
    api_url = https://kolab.example.org/api
    
  3. Since Freebusy has moved to a different location we’ve to adjust the api endpoint in /etc/roundcubemail/libkolab.inc.php

    $config['kolab_freebusy_server'] = 'https://freebusy.example.org';
    
  4. iRony basedir has to be adjusted in /etc/iRony/dav.inc.php

    $config['base_uri'] = '/';
    
  5. We can now set the absolute urls for the CalDAV/CardDAV integration

    /etc/roundcubemail/calendar.inc.php

    $config['calendar_caldav_url'] = "https://caldav.example.org/calendars/%u/%i";
    

    /etc/roundcubemail/kolab_addressbook.inc.php

    $config['kolab_addressbook_carddav_url'] = "https://carddav.example.org/addressbooks/%u/%i";
    

Finalize / Common

  1. Since we run Roundcube in the base directory / of the server, we’ve to set the correct asset path

    $config['assets_path'] = '/assets/';
    
  2. For configurations that use SSL, make sure to work around a known issue in PHP pear module HTTP_Request2, and include in /etc/roundcubemail/config.inc.php:

    $config['ssl_verify_host'] = false;
    $config['ssl_verify_peer'] = false;
    
  3. Start the php-fpm service and configure the service to start on boot:

    # service php-fpm start
    # chkconfig php-fpm on
    
  4. Start the nginx service and configure the service to start on boot:

    # service nginx start
    # chkconfig nginx on
    

Tips, tweaks and optimizations

Tweaking ssl cipher settings

To ensure Perfect Forward Secrecy is enabled when possible

  1. Add the following into http section of /etc/nginx/nginx.conf:

    # These cipher settings should ensure Perfect Forward Secrecy is
    # enabled when possible.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM
    EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384
    EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL
    !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
    
    ssl_session_cache shared:SSL:10m;
    
  2. Restart the nginx service:

    # service nginx restart
    

Adding open file cache to nginx

Open file cache will make nginx cache static files, that were accessed open_file_cache_min_uses times.

  1. Add the following into http section of /etc/nginx/nginx.conf:

    open_file_cache max=16384 inactive=5m;
    open_file_cache_valid 90s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;
    
  2. Restart the nginx service:

    # service nginx restart
    

Adding fastcgi_cache to nginx

  1. Create and set ownership on the following directories:

    • /var/lib/nginx/fastcgi/
    # mkdir -p /var/lib/nginx/fastcgi/
    # chown -R nginx:nginx /var/lib/nginx/fastcgi/
    # chmod -R 700 /var/lib/nginx/fastcgi/
    
  2. Add the following into http section of /etc/nginx/nginx.conf:

    fastcgi_cache_key "$scheme$request_method$host$request_uri";
    fastcgi_cache_use_stale error timeout invalid_header http_500;
    fastcgi_cache_valid 200 302 304 10m;
    fastcgi_cache_valid 301 1h;
    fastcgi_cache_min_uses 2;
    
  3. Add the following outside server sections of /etc/nginx/conf.d/default.conf:

    fastcgi_cache_path /var/lib/nginx/fastcgi/ levels=1:2 keys_zone=key-zone-name:16m max_size=256m inactive=1d;
    
  4. Add the following into ssl server section of /etc/nginx/conf.d/default.conf:

fastcgi_cache key-zone-name;
  1. Restart the nginx service:

    # service nginx restart
    

Browse CalDAV/CardDAV/WebDAV with your browser

In the default configuration iRony only supports the default DAV commands. If you want to use GET to browse through your DAV instance to make sure everything is working, just uncomment the fastcgi_param DAVBROWSER 1 option in the php section and point your browser to it.

Splitting Kolab nginx config for use with multi-domain

You can put common Kolab config into separate file and include it into server configurations, if you need different settings for different domains in a multi-domain setup (eg. different ssl certificates).

This way you wount have to keep up to date lines common to all Kolab servers in multitude of server configurations.

  1. Common Kolab config is between lines:

    # Start common Kolab config
    ...
    # End common Kolab config
    

    move it into separate file (eg. /etc/nginx/kolab_common.conf)

  2. Use include directive to include the new file into configuration:

    # Start common Kolab config
    include /etc/nginx/kolab_common.conf
    # End common Kolab config
    

So your server configuration file can look like similar to this:

fastcgi_cache_path /var/lib/nginx/fastcgi/ levels=1:2 keys_zone=kolab1-key-zone-name:16m max_size=256m inactive=1d;

server {
    listen 80 default_server;
    server_name kolab1.example.org;
    rewrite ^ https://$http_hosts$request_uri permanent; # enforce https redirect
}

server {
    listen 443 ssl;
    server_name kolab1.example.org;

    access_log /var/log/nginx/kolab1.example.org-access_log;
    error_log /var/log/nginx/kolab1.example.org-error_log;

    ssl on;
    ssl_certificate /etc/pki/tls/certs/kolab1.example.org.pem;
    ssl_certificate_key /etc/pki/tls/certs/kolab1.example.org.pem;

    fastcgi_cache kolab1-key-zone-name;

    # Start common Kolab config
    include /etc/nginx/kolab_common.conf
    # End common Kolab config
}

Footnotes

[1]Values for fpm servers are taken from a moderately loaded virtual server with 4x3.5GHz CPU and 4GB RAM, feel free to adjust them according to your setup.