NGINX

Hello,

I  decided to switch to nginx instead of apache2 because of a bit more performance.

Following the instructions on http://kolab.org/blog/grote/2013/07/08/using-kolab-3-nginx and https://docs.kolab.org/howtos/nginx-webserver.html I have a working setup on my Raspberry Pi.

The main purpose of this config is, that all services are redirected to SSL (port 443) and roundcubemail is bound to the domain itself (https://example.org)
Also the BOSH http-bind is proxied with nginx to eJabberd.


Of course you need nginx :-) and for PHP you need php-fpm and php-apc.
apt-get install nginx php5-fpm php-apc
Activate APC in /etc/php5/mods-available/apcu.ini
extension=apc.so
; enable APC
apc.enabled=1
; The number of shared memory segments
apc.shm_segments=1
; The size of each shared memory segment
apc.shm_size=64
; The number of seconds a cache entry is allowed to idle in a slot in case this
; cache entry slot is needed by another entry.
apc.ttl=7200 
Now delete the default WWW pool
rm -f /etc/php5/fpm/pool.d/www.conf
Create the directories for the sockets:
mkdir -p /var/lib/nginx/fastcgi/tmp/
chmod 700 /var/lib/nginx/fastcgi/tmp/
mkdir /var/run/php-fpm
chown -R www-data:www-data /var/lib/nginx/fastcgi/
chmod 700 /var/lib/nginx/fastcgi/  
chown -R www-data:www-data /var/run/php-fpm 
chmod +s /var/run/php-fpm
Now create the following files in /etc/php5/fpm/pool.d
chwala.conf
iRony.con
kolab-freebusy.conf
kolab-syncroton.conf
kolab-webadmin.conf
roundcubemail.conf
chwala.conf
[example.org_chwala]
user = www-data
group = www-data
listen = /var/run/php-fpm/example.org_chwala.sock
pm = dynamic
pm.max_children = 20
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 2
chdir = /
iRony.conf
[example.org_iRony]
user = www-data
group = www-data
listen = /var/run/php-fpm/example.org_iRony.sock
pm = dynamic
pm.max_children = 20
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 2
chdir = /
kolab-freebusy.conf
[example.org_kolab-freebusy]
user = www-data
group = www-data
listen = /var/run/php-fpm/example.org_kolab-freebusy.sock
pm = dynamic
pm.max_children = 20
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 2
chdir = /
kolab-syncroton.conf
[example.org_kolab-syncroton]
user = www-data
group = www-data
listen = /var/run/php-fpm/example.org_kolab-syncroton.sock
pm = dynamic
pm.max_children = 20
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 2
chdir = /
php_flag[suhosin.session.encrypt] = Off
kolab-webadmin.conf
[example.org_kolab-webadmin]
user = www-data
group = www-data
listen = /var/run/php-fpm/example.org_kolab-webadmin.sock
pm = dynamic
pm.max_children = 20
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 2
chdir = /
roundcubemail.conf
[example.org_roundcubemail]
user = www-data
group = www-data
listen = /var/run/php-fpm/example.org_roundcubemail.sock
pm = dynamic
pm.max_children = 20
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 2
chdir = /
# Derived from .htaccess of roundcube
php_flag[display_errors] = Off
php_flag[log_errors] = On
php_value[upload_max_filesize] = 30M
php_value[post_max_size] = 30M
php_flag[zlib.output_compression] = Off
php_flag[magic_quotes_gpc] = Off
php_flag[magic_quotes_runtime] = Off
php_flag[zend.ze1_compatibility_mode] = Off
php_flag[suhosin.session.encrypt] = Off
php_flag[session.auto_start] = Off
php_value[session.gc_maxlifetime] = 21600
php_value[session.gc_divisor] = 500
php_value[session.gc_probability] = 1
# http://bugs.php.net/bug.php?id=30766
php_value[mbstring.func_overload] = 0
And now the nginx config:
fastcgi_cache_path /var/lib/nginx/fastcgi/ levels=1:2 keys_zone=example.org:16m max_size=256m inactive=1d;
fastcgi_temp_path /var/lib/nginx/fastcgi/tmp 1 2;
fastcgi_cache_key "$scheme$request_method$host$request_uri";
fastcgi_cache_use_stale error timeout invalid_header http_500;
server {
    listen                      80 default_server;
    server_name                 example.org;
    rewrite                     ^ https://$server_name$request_uri permanent;  # enforce https
}
server {
    listen                      443 ssl;
    server_name                 .example.org;
    access_log                  /var/log/nginx/example.org-access_log;
    error_log                   /var/log/nginx/example.org-error_log;
    ssl on;
    ssl_certificate /etc/nginx/ssl/ssl-unified.crt;
    ssl_certificate_key /etc/nginx/ssl/ssl.key;

    open_file_cache             max=1024 inactive=1m;
    open_file_cache_valid       90s;
    open_file_cache_min_uses    2;
    fastcgi_param HTTPS on;
    fastcgi_keep_conn on;
    fastcgi_cache example.org;
    fastcgi_cache_valid 200 302 304 10m;
    fastcgi_cache_valid 301 1h;
    fastcgi_cache_min_uses 2;
    fastcgi_buffers 256 4k;
    fastcgi_busy_buffers_size 8k;
    fastcgi_temp_file_write_size 8k;
    location /http-bind {
            proxy_pass  http://localhost:5280/http-bind;
            proxy_set_header Host $host;
            proxy_buffering off;
            tcp_nodelay on;
        }

    ##
    ## Chwala
    ##
    location /chwala {
        index index.php;
        alias /usr/share/chwala/public_html;
        client_max_body_size 30M; # set maximum upload size
        # enable php
        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_pass unix:/var/run/php-fpm/example.org_chwala.sock;
            fastcgi_param SCRIPT_FILENAME $request_filename;
            # Without this, PHPSESSION is replaced by webadmin-api X-Session-Token
            fastcgi_param PHP_VALUE "session.auto_start=0
                session.use_cookies=0";
            fastcgi_pass_header X-Session-Token;
        }
    }
    ##
    ## iRony
    ##
    location /iRony {
        alias  /usr/share/iRony/public_html/index.php;
        client_max_body_size 30M; # set maximum upload size
        # Make Apple Calendar.app and Contacts.app happy:
        rewrite ^/.well-known/caldav / last;
        rewrite ^/.well-known/carddav / last;
        # If Nginx was built with http_dav_module:
        dav_methods  PUT DELETE MKCOL COPY MOVE; # PROPFIND;
        # Required Nginx to be built with nginx-dav-ext-module:
        dav_ext_methods PROPFIND OPTIONS;
        include fastcgi_params;
        fastcgi_index index.php;
        fastcgi_pass unix:/var/run/php-fpm/example.org_iRony.sock;
        fastcgi_param SCRIPT_FILENAME $request_filename;
    }
    #-------------------------------------------------
    # roundcube mail
    #-------------------------------------------------
    location / {
        index index.php;
        root  /usr/share/roundcubemail;
        client_max_body_size 30M; # set maximum upload size for mail attachments
        proxy_set_header  X-Real-IP  $remote_addr;
        proxy_set_header  X-Real-Host  $host;
        proxy_read_timeout 120;
        # Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
        location ~ ^/(README(.md)?|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
            deny all;
        }
        location ~ ^/(bin|SQL|config|logs)/ {
            deny all;
        }
        location ~^/program/(include|lib|localization|steps)/ {
            deny all;
        }
        location ~ /\. {
            deny all;
            access_log off;
            log_not_found off;
        }
        # enable php
        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_split_path_info ^(.+\.php)(/.*)$;
            fastcgi_pass unix:/var/run/php-fpm/example.org_roundcubemail.sock;
            fastcgi_param SCRIPT_FILENAME $request_filename;
        }
    }
    ##
    ## Kolab Web Administration Panel (WAP) and API
    ##
    location /kolab-webadmin {
        index index.php;
        alias /usr/share/kolab-webadmin/public_html;
        rewrite ^/kolab-webadmin/api/(.*)\.(.*)$ /kolab-webadmin/api/index.php?service=$1&method=$2 last;
        # enable php
        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_pass unix:/var/run/php-fpm/example.org_kolab-webadmin.sock;
            fastcgi_param SCRIPT_FILENAME $request_filename;
            # Without this, PHPSESSION is replaced by webadmin-api X-Session-Token
            fastcgi_param PHP_VALUE "session.auto_start=0
                session.use_cookies=0";
            fastcgi_pass_header X-Session-Token;
        }
    }
    ##
    ## Kolab syncroton ActiveSync
    ##
    location /Microsoft-Server-ActiveSync {
        alias  /usr/share/kolab-syncroton/index.php;
        client_max_body_size 30M; # set maximum upload size for mail attachments
        include fastcgi_params;
        fastcgi_index index.php;
fastcgi_read_timeout 150;
        fastcgi_pass unix:/var/run/php-fpm/example.org_kolab-syncroton.sock;
        fastcgi_param SCRIPT_FILENAME /usr/share/kolab-syncroton/index.php;
    }
    ##
    ## Kolab Free/Busy
    ##
    location /freebusy {
        alias  /usr/share/kolab-freebusy/public_html/index.php;
        include fastcgi_params;
        fastcgi_index index.php;
        fastcgi_pass unix:/var/run/php-fpm/example.org_kolab-freebusy.sock;
        fastcgi_param SCRIPT_FILENAME /usr/share/kolab-freebusy/public_html/index.php;
    }
}