Initial

install/rpm/templates/mail/apache2/default.stpl

@@ -0,0 +1,51 @@
+<VirtualHost %ip%:%web_ssl_port%>
+    ServerName %domain_idn%
+    ServerAlias %alias%
+    Alias / /var/lib/roundcube/
+    Alias /error/ %home%/%user%/web/%root_domain%/document_errors/
+    #SuexecUserGroup %user% %group%
+
+    SSLEngine on
+    SSLVerifyClient none
+    SSLCertificateFile         %home%/%user%/conf/mail/%root_domain%/ssl/%root_domain%.crt
+    SSLCertificateKeyFile      %home%/%user%/conf/mail/%root_domain%/ssl/%root_domain%.key
+
+    <Directory "/usr/share/tinymce/www/">
+      Options Indexes MultiViews FollowSymLinks
+      AllowOverride None
+      Order allow,deny
+      allow from all
+    </Directory>
+
+    <Directory /var/lib/roundcube/>
+        Options +FollowSymLinks
+        # This is needed to parse /var/lib/roundcube/.htaccess. See its
+        # content before setting AllowOverride to None.
+        AllowOverride All
+        order allow,deny
+        allow from all
+    </Directory>
+
+    # Protecting basic directories:
+    <Directory /var/lib/roundcube/config>
+            Options -FollowSymLinks
+            AllowOverride None
+    </Directory>
+
+    <Directory /var/lib/roundcube/temp>
+            Options -FollowSymLinks
+            AllowOverride None
+        Order allow,deny
+        Deny from all
+    </Directory>
+
+    <Directory /var/lib/roundcube/logs>
+            Options -FollowSymLinks
+            AllowOverride None
+        Order allow,deny
+        Deny from all
+    </Directory>
+
+    IncludeOptional %home%/%user%/conf/mail/%root_domain%/%web_system%.ssl.conf_*
+
+</VirtualHost>

install/rpm/templates/mail/apache2/default.tpl

@@ -0,0 +1,48 @@
+<VirtualHost %ip%:%web_port%>
+    ServerName %domain_idn%
+    ServerAlias %alias_idn%
+    Alias / /var/lib/roundcube/
+    Alias /error/ %home%/%user%/web/%root_domain%/document_errors/
+    #SuexecUserGroup %user% %group%
+
+    IncludeOptional %home%/%user%/conf/mail/%root_domain%/apache2.forcessl.conf*
+
+    <Directory "/usr/share/tinymce/www/">
+      Options Indexes MultiViews FollowSymLinks
+      AllowOverride None
+      Order allow,deny
+      allow from all
+    </Directory>
+
+    <Directory /var/lib/roundcube/>
+        Options +FollowSymLinks
+        # This is needed to parse /var/lib/roundcube/.htaccess. See its
+        # content before setting AllowOverride to None.
+        AllowOverride All
+        order allow,deny
+        allow from all
+    </Directory>
+
+    # Protecting basic directories:
+    <Directory /var/lib/roundcube/config>
+            Options -FollowSymLinks
+            AllowOverride None
+    </Directory>
+
+    <Directory /var/lib/roundcube/temp>
+            Options -FollowSymLinks
+            AllowOverride None
+        Order allow,deny
+        Deny from all
+    </Directory>
+
+    <Directory /var/lib/roundcube/logs>
+            Options -FollowSymLinks
+            AllowOverride None
+        Order allow,deny
+        Deny from all
+    </Directory>
+
+    IncludeOptional %home%/%user%/conf/mail/%root_domain%/%web_system%.conf_*
+
+</VirtualHost>

install/rpm/templates/mail/apache2/disabled.stpl

@@ -0,0 +1,12 @@
+<VirtualHost %ip%:%web_ssl_port%>
+ServerName %domain_idn%
+ServerAlias %alias_idn%
+DocumentRoot /var/www/html/
+Alias /error/ /var/www/document_errors/
+
+SSLEngine on
+SSLVerifyClient none
+SSLCertificateFile         %home%/%user%/conf/mail/%root_domain%/ssl/%root_domain%.crt
+SSLCertificateKeyFile      %home%/%user%/conf/mail/%root_domain%/ssl/%root_domain%.key
+
+</VirtualHost>

install/rpm/templates/mail/apache2/disabled.tpl

@@ -0,0 +1,7 @@
+<VirtualHost %ip%:%web_port%>
+    ServerName %domain_idn%
+    ServerAlias %alias_idn%
+    DocumentRoot /var/www/html/
+    Alias /error/ /var/www/document_errors/
+    #SuexecUserGroup %user% %group%
+</VirtualHost>

install/rpm/templates/mail/apache2/rainloop.stpl

@@ -0,0 +1,31 @@
+<VirtualHost %ip%:%web_ssl_port%>
+ServerName %domain_idn%
+ServerAlias %alias_idn%
+Alias / /var/lib/rainloop/
+Alias /error/ %home%/%user%/web/%root_domain%/document_errors/
+#SuexecUserGroup %user% %group%
+
+SSLEngine on
+SSLVerifyClient none
+SSLCertificateFile         %home%/%user%/conf/mail/%root_domain%/ssl/%root_domain%.crt
+SSLCertificateKeyFile      %home%/%user%/conf/mail/%root_domain%/ssl/%root_domain%.key
+
+<Directory /var/lib/rainloop/>
+    Options +FollowSymLinks
+    # This is needed to parse /var/lib/rainloop/.htaccess. See its
+    # content before setting AllowOverride to None.
+    AllowOverride All
+    order allow,deny
+    allow from all
+</Directory>
+
+# Protecting basic directories:
+<Directory /var/lib/rainloop/data>
+        Options -FollowSymLinks
+        AllowOverride None
+</Directory>
+
+
+IncludeOptional %home%/%user%/conf/mail/%root_domain%/%web_system%.ssl.conf_*
+
+</VirtualHost>

install/rpm/templates/mail/apache2/rainloop.tpl

@@ -0,0 +1,25 @@
+<VirtualHost %ip%:%web_port%>
+    ServerName %domain_idn%
+    ServerAlias %alias_idn%
+    Alias / /var/lib/rainloop/
+    Alias /error/ %home%/%user%/web/%root_domain%/document_errors/
+    #SuexecUserGroup %user% %group%
+
+    IncludeOptional %home%/%user%/conf/mail/%root_domain%/apache2.forcessl.conf*
+
+    <Directory /var/lib/rainloop/>
+        Options +FollowSymLinks
+        # This is needed to parse /var/lib/rainloop/.htaccess. See its
+        # content before setting AllowOverride to None.
+        AllowOverride All
+        order allow,deny
+        allow from all
+    </Directory>
+
+    # Protecting basic directories:
+    <Directory /var/lib/rainloop/data>
+            Options -FollowSymLinks
+            AllowOverride None
+    </Directory>
+    IncludeOptional %home%/%user%/conf/mail/%root_domain%/%web_system%.conf_*
+</VirtualHost>

install/rpm/templates/mail/apache2/snappymail.stpl

@@ -0,0 +1,31 @@
+<VirtualHost %ip%:%web_ssl_port%>
+ServerName %domain_idn%
+ServerAlias %alias_idn%
+Alias / /var/lib/snappymail/
+Alias /error/ %home%/%user%/web/%root_domain%/document_errors/
+#SuexecUserGroup %user% %group%
+
+SSLEngine on
+SSLVerifyClient none
+SSLCertificateFile         %home%/%user%/conf/mail/%root_domain%/ssl/%root_domain%.crt
+SSLCertificateKeyFile      %home%/%user%/conf/mail/%root_domain%/ssl/%root_domain%.key
+
+<Directory /var/lib/snappymail/>
+    Options +FollowSymLinks
+    # This is needed to parse /var/lib/snappymail/.htaccess. See its
+    # content before setting AllowOverride to None.
+    AllowOverride All
+    order allow,deny
+    allow from all
+</Directory>
+
+# Protecting basic directories:
+<Directory /var/lib/snappymail/data>
+        Options -FollowSymLinks
+        AllowOverride None
+</Directory>
+
+
+IncludeOptional %home%/%user%/conf/mail/%root_domain%/%web_system%.ssl.conf_*
+
+</VirtualHost>

install/rpm/templates/mail/apache2/snappymail.tpl

@@ -0,0 +1,25 @@
+<VirtualHost %ip%:%web_port%>
+    ServerName %domain_idn%
+    ServerAlias %alias_idn%
+    Alias / /var/lib/snappymail/
+    Alias /error/ %home%/%user%/web/%root_domain%/document_errors/
+    #SuexecUserGroup %user% %group%
+
+    IncludeOptional %home%/%user%/conf/mail/%root_domain%/apache2.forcessl.conf*
+
+    <Directory /var/lib/snappymail/>
+        Options +FollowSymLinks
+        # This is needed to parse /var/lib/snappymail/.htaccess. See its
+        # content before setting AllowOverride to None.
+        AllowOverride All
+        order allow,deny
+        allow from all
+    </Directory>
+
+    # Protecting basic directories:
+    <Directory /var/lib/snappymail/data>
+            Options -FollowSymLinks
+            AllowOverride None
+    </Directory>
+    IncludeOptional %home%/%user%/conf/mail/%root_domain%/%web_system%.conf_*
+</VirtualHost>

install/rpm/templates/mail/nginx/default.stpl

@@ -0,0 +1,52 @@
+server {
+	listen      %ip%:%proxy_ssl_port% ssl;
+	server_name %domain_idn% %alias_idn%;
+	root        /var/lib/roundcube;
+	index       index.php index.html index.htm;
+	access_log  /var/log/nginx/domains/%domain%.log combined;
+	error_log   /var/log/nginx/domains/%domain%.error.log error;
+
+	ssl_certificate     %ssl_pem%;
+	ssl_certificate_key %ssl_key%;
+	ssl_stapling        on;
+	ssl_stapling_verify on;
+
+	# TLS 1.3 0-RTT anti-replay
+	if ($anti_replay = 307) { return 307 https://$host$request_uri; }
+	if ($anti_replay = 425) { return 425; }
+
+	location ~ /\.(?!well-known\/) {
+		deny all;
+		return 404;
+	}
+
+	location ~ ^/(README.md|config|temp|logs|bin|SQL|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
+		deny all;
+		return 404;
+	}
+
+	location / {
+		alias /var/lib/roundcube/;
+
+		try_files $uri $uri/ =404;
+
+		proxy_pass https://%ip%:%web_ssl_port%;
+
+		location ~* ^.+\.(ogg|ogv|svg|svgz|swf|eot|otf|woff|woff2|mov|mp3|mp4|webm|flv|ttf|rss|atom|jpg|jpeg|gif|png|webp|ico|bmp|mid|midi|wav|rtf|css|js|jar)$ {
+			expires 7d;
+			fastcgi_hide_header "Set-Cookie";
+		}
+	}
+
+	location @fallback {
+		proxy_pass https://%ip%:%web_ssl_port%;
+	}
+
+	location /error/ {
+		alias /var/www/document_errors/;
+	}
+
+	proxy_hide_header Upgrade;
+
+	include %home%/%user%/conf/mail/%root_domain%/%proxy_system%.ssl.conf_*;
+}

install/rpm/templates/mail/nginx/default.tpl

@@ -0,0 +1,43 @@
+server {
+	listen      %ip%:%proxy_port%;
+	server_name %domain_idn% %alias_idn%;
+	root        /var/lib/roundcube;
+	index       index.php index.html index.htm;
+	access_log  /var/log/nginx/domains/%domain%.log combined;
+	error_log   /var/log/nginx/domains/%domain%.error.log error;
+
+	include %home%/%user%/conf/mail/%root_domain%/nginx.forcessl.conf*;
+
+	location ~ /\.(?!well-known\/) {
+		deny all;
+		return 404;
+	}
+
+	location ~ ^/(README.md|config|temp|logs|bin|SQL|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
+		deny all;
+		return 404;
+	}
+
+	location / {
+		alias /var/lib/roundcube/;
+
+		try_files $uri $uri/ =404;
+
+		proxy_pass http://%ip%:%web_port%;
+
+		location ~* ^.+\.(ogg|ogv|svg|svgz|swf|eot|otf|woff|woff2|mov|mp3|mp4|webm|flv|ttf|rss|atom|jpg|jpeg|gif|png|webp|ico|bmp|mid|midi|wav|rtf|css|js|jar)$ {
+			expires 7d;
+			fastcgi_hide_header "Set-Cookie";
+		}
+	}
+
+	location @fallback {
+		proxy_pass http://%ip%:%web_port%;
+	}
+
+	location /error/ {
+		alias /var/www/document_errors/;
+	}
+
+	include %home%/%user%/conf/mail/%root_domain%/%proxy_system%.conf_*;
+}

install/rpm/templates/mail/nginx/default_disabled.stpl

@@ -0,0 +1,29 @@
+server {
+	listen      %ip%:%proxy_ssl_port% ssl;
+	server_name %domain_idn% %alias_idn%;
+	index       index.php index.html index.htm;
+	access_log  /var/log/nginx/domains/%domain%.log combined;
+	error_log   /var/log/nginx/domains/%domain%.error.log error;
+
+	ssl_certificate     %ssl_pem%;
+	ssl_certificate_key %ssl_key%;
+	ssl_stapling        on;
+	ssl_stapling_verify on;
+
+	# TLS 1.3 0-RTT anti-replay
+	if ($anti_replay = 307) { return 307 https://$host$request_uri; }
+	if ($anti_replay = 425) { return 425; }
+
+	location ~ /\.(?!well-known\/) {
+		deny all;
+		return 404;
+	}
+
+	location / {
+		proxy_pass http://%ip%:%web_port%;
+	}
+
+	proxy_hide_header Upgrade;
+
+	include %home%/%user%/conf/mail/%root_domain%/%proxy_system%.ssl.conf_*;
+}

install/rpm/templates/mail/nginx/default_disabled.tpl

@@ -0,0 +1,20 @@
+server {
+	listen      %ip%:%proxy_port%;
+	server_name %domain_idn% %alias_idn%;
+	index       index.php index.html index.htm;
+	access_log  /var/log/nginx/domains/%domain%.log combined;
+	error_log   /var/log/nginx/domains/%domain%.error.log error;
+
+	include %home%/%user%/conf/mail/%root_domain%/nginx.forcessl.conf*;
+
+	location ~ /\.(?!well-known\/) {
+		deny all;
+		return 404;
+	}
+
+	location / {
+		proxy_pass http://%ip%:%web_port%;
+	}
+
+	include %home%/%user%/conf/mail/%root_domain%/%proxy_system%.conf_*;
+}

install/rpm/templates/mail/nginx/default_snappymail.stpl

@@ -0,0 +1,52 @@
+server {
+	listen      %ip%:%proxy_ssl_port% ssl;
+	server_name %domain_idn% %alias_idn%;
+	root        /var/lib/snappymail;
+	index       index.php index.html index.htm;
+	access_log  /var/log/nginx/domains/%domain%.log combined;
+	error_log   /var/log/nginx/domains/%domain%.error.log error;
+
+	ssl_certificate     %ssl_pem%;
+	ssl_certificate_key %ssl_key%;
+	ssl_stapling        on;
+	ssl_stapling_verify on;
+
+	# TLS 1.3 0-RTT anti-replay
+	if ($anti_replay = 307) { return 307 https://$host$request_uri; }
+	if ($anti_replay = 425) { return 425; }
+
+	location ^~ /data {
+		deny all;
+		return 404;
+	}
+
+	location ~ ^/(README.md|config|temp|logs|bin|SQL|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
+		deny all;
+		return 404;
+	}
+
+	location / {
+		alias /var/lib/snappymail/;
+
+		try_files $uri $uri/ =404;
+
+		proxy_pass https://%ip%:%web_ssl_port%;
+
+		location ~* ^.+\.(ogg|ogv|svg|svgz|swf|eot|otf|woff|woff2|mov|mp3|mp4|webm|flv|ttf|rss|atom|jpg|jpeg|gif|png|webp|ico|bmp|mid|midi|wav|rtf|css|js|jar)$ {
+			expires 7d;
+			fastcgi_hide_header "Set-Cookie";
+		}
+	}
+
+	location @fallback {
+		proxy_pass https://%ip%:%web_ssl_port%;
+	}
+
+	location /error/ {
+		alias /var/www/document_errors/;
+	}
+
+	proxy_hide_header Upgrade;
+
+	include %home%/%user%/conf/mail/%root_domain%/%proxy_system%.ssl.conf_*;
+}

install/rpm/templates/mail/nginx/default_snappymail.tpl

@@ -0,0 +1,48 @@
+server {
+	listen      %ip%:%proxy_port%;
+	server_name %domain_idn% %alias_idn%;
+	root        /var/lib/snappymail;
+	index       index.php index.html index.htm;
+	access_log  /var/log/nginx/domains/%domain%.log combined;
+	error_log   /var/log/nginx/domains/%domain%.error.log error;
+
+	include %home%/%user%/conf/mail/%root_domain%/nginx.forcessl.conf*;
+
+	location ~ /\.(?!well-known\/) {
+		deny all;
+		return 404;
+	}
+
+	location ^~ /data {
+		deny all;
+		return 404;
+	}
+
+	location ~ ^/(README.md|config|temp|logs|bin|SQL|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
+		deny all;
+		return 404;
+	}
+
+	location / {
+		alias /var/lib/snappymail/;
+
+		try_files $uri $uri/ =404;
+
+		proxy_pass http://%ip%:%web_port%;
+
+		location ~* ^.+\.(ogg|ogv|svg|svgz|swf|eot|otf|woff|woff2|mov|mp3|mp4|webm|flv|ttf|rss|atom|jpg|jpeg|gif|png|webp|ico|bmp|mid|midi|wav|rtf|css|js|jar)$ {
+			expires 7d;
+			fastcgi_hide_header "Set-Cookie";
+		}
+	}
+
+	location @fallback {
+		proxy_pass http://%ip%:%web_port%;
+	}
+
+	location /error/ {
+		alias /var/www/document_errors/;
+	}
+
+	include %home%/%user%/conf/mail/%root_domain%/%proxy_system%.conf_*;
+}

install/rpm/templates/mail/nginx/disabled.stpl

@@ -0,0 +1,34 @@
+server {
+	listen      %ip%:%web_ssl_port% ssl;
+	server_name %domain_idn% %alias_idn%;
+	root        /var/www/html;
+	index       index.php index.html index.htm;
+	access_log  /var/log/nginx/domains/%domain%.log combined;
+	error_log   /var/log/nginx/domains/%domain%.error.log error;
+
+	ssl_certificate     %ssl_pem%;
+	ssl_certificate_key %ssl_key%;
+	ssl_stapling        on;
+	ssl_stapling_verify on;
+
+	# TLS 1.3 0-RTT anti-replay
+	if ($anti_replay = 307) { return 307 https://$host$request_uri; }
+	if ($anti_replay = 425) { return 425; }
+
+	location ~ /\.(?!well-known\/) {
+		deny all;
+		return 404;
+	}
+
+	location / {
+		try_files $uri $uri/ =404;
+	}
+
+	location /error/ {
+		alias /var/www/document_errors/;
+	}
+
+	proxy_hide_header Upgrade;
+
+	include %home%/%user%/conf/mail/%root_domain%/%web_system%.ssl.conf_*;
+}

install/rpm/templates/mail/nginx/disabled.tpl

@@ -0,0 +1,25 @@
+server {
+	listen      %ip%:%web_port%;
+	server_name %domain_idn% %alias_idn%;
+	root        /var/www/html;
+	index       index.php index.html index.htm;
+	access_log  /var/log/nginx/domains/%domain%.log combined;
+	error_log   /var/log/nginx/domains/%domain%.error.log error;
+
+	include %home%/%user%/conf/mail/%root_domain%/nginx.forcessl.conf*;
+
+	location ~ /\.(?!well-known\/) {
+		deny all;
+		return 404;
+	}
+
+	location / {
+		try_files $uri $uri/ =404;
+	}
+
+	location /error/ {
+		alias /var/www/document_errors/;
+	}
+
+	include %home%/%user%/conf/mail/%root_domain%/%web_system%.conf_*;
+}

install/rpm/templates/mail/nginx/snappymail.stpl

@@ -0,0 +1,59 @@
+server {
+	listen      %ip%:%web_ssl_port% ssl;
+	server_name %domain_idn% %alias_idn%;
+	root        /var/lib/snappymail;
+	index       index.php index.html index.htm;
+	access_log  /var/log/nginx/domains/%domain%.log combined;
+	error_log   /var/log/nginx/domains/%domain%.error.log error;
+
+	ssl_certificate     %ssl_pem%;
+	ssl_certificate_key %ssl_key%;
+	ssl_stapling        on;
+	ssl_stapling_verify on;
+
+	# TLS 1.3 0-RTT anti-replay
+	if ($anti_replay = 307) { return 307 https://$host$request_uri; }
+	if ($anti_replay = 425) { return 425; }
+
+	location ~ /\.(?!well-known\/) {
+		deny all;
+		return 404;
+	}
+
+	location ^~ /data {
+		deny all;
+		return 404;
+	}
+
+	location ~ ^/(README.md|config|temp|logs|bin|SQL|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
+		deny all;
+		return 404;
+	}
+
+	location / {
+		try_files $uri $uri/ =404;
+
+		location ~* ^.+\.(ogg|ogv|svg|svgz|swf|eot|otf|woff|woff2|mov|mp3|mp4|webm|flv|ttf|rss|atom|jpg|jpeg|gif|png|webp|ico|bmp|mid|midi|wav|rtf|css|js|jar)$ {
+			expires 7d;
+			fastcgi_hide_header "Set-Cookie";
+		}
+
+		location ~ ^/(.*\.php)$ {
+			include /etc/nginx/fastcgi_params;
+
+			fastcgi_index index.php;
+			fastcgi_param HTTP_EARLY_DATA $rfc_early_data if_not_empty;
+			fastcgi_param SCRIPT_FILENAME $request_filename;
+
+			fastcgi_pass  127.0.0.1:9000;
+		}
+	}
+
+	location /error/ {
+		alias /var/www/document_errors/;
+	}
+
+	proxy_hide_header Upgrade;
+
+	include %home%/%user%/conf/mail/%root_domain%/%web_system%.ssl.conf_*;
+}

install/rpm/templates/mail/nginx/snappymail.tpl

@@ -0,0 +1,49 @@
+server {
+	listen      %ip%:%web_port%;
+	server_name %domain_idn% %alias_idn%;
+	root        /var/lib/snappymail;
+	index       index.php index.html index.htm;
+	access_log  /var/log/nginx/domains/%domain%.log combined;
+	error_log   /var/log/nginx/domains/%domain%.error.log error;
+
+	include %home%/%user%/conf/mail/%root_domain%/nginx.forcessl.conf*;
+
+	location ~ /\.(?!well-known\/) {
+		deny all;
+		return 404;
+	}
+
+	location ^~ /data {
+		deny all;
+		return 404;
+	}
+
+	location ~ ^/(README.md|config|temp|logs|bin|SQL|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
+		deny all;
+		return 404;
+	}
+
+	location / {
+		try_files $uri $uri/ =404;
+
+		location ~* ^.+\.(ogg|ogv|svg|svgz|swf|eot|otf|woff|woff2|mov|mp3|mp4|webm|flv|ttf|rss|atom|jpg|jpeg|gif|png|webp|ico|bmp|mid|midi|wav|rtf|css|js|jar)$ {
+			expires 7d;
+			fastcgi_hide_header "Set-Cookie";
+		}
+
+		location ~ ^/(.*\.php)$ {
+			include /etc/nginx/fastcgi_params;
+
+			fastcgi_index index.php;
+			fastcgi_param SCRIPT_FILENAME $request_filename;
+
+			fastcgi_pass  127.0.0.1:9000;
+		}
+	}
+
+	location /error/ {
+		alias /var/www/document_errors/;
+	}
+
+	include %home%/%user%/conf/mail/%root_domain%/%web_system%.conf_*;
+}

install/rpm/templates/mail/nginx/web_system.stpl

@@ -0,0 +1,53 @@
+server {
+	listen      %ip%:%web_ssl_port% ssl;
+	server_name %domain_idn% %alias_idn%;
+	root        /var/lib/roundcube;
+	index       index.php index.html index.htm;
+	access_log  /var/log/nginx/domains/%domain%.log combined;
+	error_log   /var/log/nginx/domains/%domain%.error.log error;
+
+	ssl_certificate     %ssl_pem%;
+	ssl_certificate_key %ssl_key%;
+	ssl_stapling        on;
+	ssl_stapling_verify on;
+
+	# TLS 1.3 0-RTT anti-replay
+	if ($anti_replay = 307) { return 307 https://$host$request_uri; }
+	if ($anti_replay = 425) { return 425; }
+
+	location ~ /\.(?!well-known\/) {
+		deny all;
+		return 404;
+	}
+
+	location ~ ^/(README.md|config|temp|logs|bin|SQL|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
+		deny all;
+		return 404;
+	}
+	location / {
+		try_files $uri $uri/ =404;
+
+		location ~* ^.+\.(ogg|ogv|svg|svgz|swf|eot|otf|woff|woff2|mov|mp3|mp4|webm|flv|ttf|rss|atom|jpg|jpeg|gif|png|webp|ico|bmp|mid|midi|wav|rtf|css|js|jar)$ {
+			expires 7d;
+			fastcgi_hide_header "Set-Cookie";
+		}
+
+		location ~ ^/(.*\.php)$ {
+			include /etc/nginx/fastcgi_params;
+
+			fastcgi_index index.php;
+			fastcgi_param HTTP_EARLY_DATA $rfc_early_data if_not_empty;
+			fastcgi_param SCRIPT_FILENAME $request_filename;
+
+			fastcgi_pass  127.0.0.1:9000;
+		}
+	}
+
+	location /error/ {
+		alias /var/www/document_errors/;
+	}
+
+	proxy_hide_header Upgrade;
+
+	include %home%/%user%/conf/mail/%root_domain%/%web_system%.ssl.conf_*;
+}

install/rpm/templates/mail/nginx/web_system.tpl

@@ -0,0 +1,44 @@
+server {
+	listen      %ip%:%web_port%;
+	server_name %domain_idn% %alias_idn%;
+	root        /var/lib/roundcube;
+	index       index.php index.html index.htm;
+	access_log  /var/log/nginx/domains/%domain%.log combined;
+	error_log   /var/log/nginx/domains/%domain%.error.log error;
+
+	include %home%/%user%/conf/mail/%root_domain%/nginx.forcessl.conf*;
+
+	location ~ /\.(?!well-known\/) {
+		deny all;
+		return 404;
+	}
+
+	location ~ ^/(README.md|config|temp|logs|bin|SQL|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
+		deny all;
+		return 404;
+	}
+
+	location / {
+		try_files $uri $uri/ =404;
+
+		location ~* ^.+\.(ogg|ogv|svg|svgz|swf|eot|otf|woff|woff2|mov|mp3|mp4|webm|flv|ttf|rss|atom|jpg|jpeg|gif|png|webp|ico|bmp|mid|midi|wav|rtf|css|js|jar)$ {
+			expires 7d;
+			fastcgi_hide_header "Set-Cookie";
+		}
+
+		location ~ ^/(.*\.php)$ {
+			include /etc/nginx/fastcgi_params;
+
+			fastcgi_index index.php;
+			fastcgi_param SCRIPT_FILENAME $request_filename;
+
+			fastcgi_pass  127.0.0.1:9000;
+		}
+	}
+
+	location /error/ {
+		alias /var/www/document_errors/;
+	}
+
+	include %home%/%user%/conf/mail/%root_domain%/%web_system%.conf_*;
+}