Weirdness with nginx.ssl.conf templates in mail

I have a very weird one! My Let’s Encrypt wasn’t renewing for the mail domain. I noticed that the domain’s nginx.ssl.conf file had:

listen      172.104.227.123:443 ssl http2;

Yet my config file (/usr/local/hestia/data/templates/mail/nginx/default.stpl) is:

	# bar
    listen      %ip%:%proxy_ssl_port% ssl; # something
    listen      [::]:%proxy_ssl_port% ssl;
	server_name %domain_idn% %alias_idn%;
	root        /var/lib/roundcube;
	index       index.php index.html index.htm;
	access_log  /var/log/nginx/domains/%domain%.log combined;
	error_log   /var/log/nginx/domains/%domain%.error.log error;

	#test

Yet this compiles to:

server {
	# bar
    listen      172.104.227.123:443 ssl http2; # something
    listen      [::]:443 ssl;
	server_name webmail.montferlandmarketing.nl mail.montferlandmarketing.nl;
	root        /var/lib/roundcube;
	index       index.php index.html index.htm;
	access_log  /var/log/nginx/domains/webmail.montferlandmarketing.nl.log combined;
	error_log   /var/log/nginx/domains/webmail.montferlandmarketing.nl.error.log error;

	#test

I don’t understand where it’s getting the http2 part from? Is it being added in? I’ve compared it to one of my other servers, and that correctly doesn’t have the http2 bit in - so why does this? The only difference with this one is that it’s apache + nginx, whereas the other one was nginx.

BTW the # comments are just so I could be sure it was building the template I thought it was :)

What nginx version do you run?

On one that has the issue - it’s:

nginx/1.25.0

And one that’s ok, is:

nginx/1.25.2

Could that make a difference? The main .conf files all have the http2 removed (where it was ssl http2, it’s now just ssl)

Cheers

Andy

We already changed it

v-update-mail-templates replaces them, maybe we forgot them?

That’s the weird part though… http2 doesn’t exist in the default.stpl file! Yet when I run

v-rebuild-mail-domain montferlandmart montferlandmarketing.nl

…it correctly rebuilds the template … with the exception of adding in http2 to the directive! I can see when doing a grep of hestia files, we have:

/usr/local/hestia/func/domain.sh

So maybe the nginx version is the issue, as I can see 1.25.1:

process_http2_directive() {
	if [ -e /etc/nginx/conf.d/http2-directive.conf ]; then
		while IFS= read -r old_param; do
			new_param="$(echo "$old_param" | sed 's/\shttp2//')"
			sed -i "s/$old_param/$new_param/" "$1"
		done < <(grep -E "listen.*(\bssl\b(\s|.+){1,}\bhttp2\b|\bhttp2\b(\s|.+){1,}\bssl\b).*;" "$1")
	else
		if version_ge "$(nginx -v 2>&1 | cut -d'/' -f2)" "1.25.1"; then
			echo "http2 on;" > /etc/nginx/conf.d/http2-directive.conf

			while IFS= read -r old_param; do
				new_param="$(echo "$old_param" | sed 's/\shttp2//')"
				sed -i "s/$old_param/$new_param/" "$1"
			done < <(grep -E "listen.*(\bssl\b(\s|.+){1,}\bhttp2\b|\bhttp2\b(\s|.+){1,}\bssl\b).*;" "$1")
		else
			listen_ssl="$(grep -E "listen.*\s\bssl\b(?:\s)*.*;" "$1")"
			listen_http2="$(grep -E "listen.*(\bssl\b(\s|.+){1,}\bhttp2\b|\bhttp2\b(\s|.+){1,}\bssl\b).*;" "$1")"

			if [ -n "$listen_ssl" ] && [ -z "$listen_http2" ]; then
				while IFS= read -r old_param; do
					new_param="$(echo "$old_param" | sed 's/\sssl/ ssl http2/')"
					sed -i "s/$old_param/$new_param/" "$1"
				done < <(grep -E "listen.*\s\bssl\b(?:\s)*.*;" "$1")
			fi
		fi
	fi
}

So maybe it just needs nginx updated? The weird thing is that both servers are running Hestia v1.8.11, so I’m not sure why the one with the issue is still on nginx 1.25.0?

The new feature got introduced in 1.25.1 or 2, so in that case upgrading to that version is fine …

Ah ok. Doesn’t Hestia normally update nginx during the upgrade process? Or is that something I should do manually?

We don’t update system packages except hestia-* (Hestia-php, hestia-nginx, and hestia)

So you need to do that yourself

Ah ok. I’ll do that later on in the week then. The client is meeting some people today, so won’t appreciate if the server is down for any reason =)

It’s not in server block.

Yup. The problem is that it’s on nginx 1.25.0, and that change was brought in on 1.25.1 (or 2). So what it seems to be doing, is when it creates the domain part, it adds in the http2 part via a sed. Upgrading nginx to the latest fixed it :)
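
A read-only way to see which HTTP/2 style a built vhost has versus what the version gate in the quoted process_http2_directive() produces, as an added example that is not part of the thread and not Hestia's code. The function names, the version_ge stand-in and the sample file are constructed for illustration; nothing here edits a config.

```shell
#!/bin/sh
# Added example (not Hestia's code): read-only audit of a vhost's HTTP/2 style.

# True when version $1 >= $2. Stand-in for the version_ge helper the quoted
# function calls; its real definition is not shown in the thread.
version_ge() {
	[ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# Style process_http2_directive() aims for on a given nginx version.
expected_style() {
	if version_ge "$1" "1.25.1"; then echo "http2-directive"; else echo "listen-param"; fi
}

# Style found on the uncommented "listen ... ssl" lines of conf file $1.
actual_style() {
	as_lines="$(grep -E '^[[:space:]]*listen[[:space:]].*[[:space:]]ssl([[:space:];]|$)' "$1" || true)"
	if [ -z "$as_lines" ]; then
		echo "no-ssl-listen"
	elif printf '%s\n' "$as_lines" | grep -Eq '[[:space:]]http2([[:space:];]|$)'; then
		echo "listen-param"      # HTTP/2 enabled per listen line
	else
		echo "http2-directive"   # relies on a separate "http2 on;"
	fi
}

# $1 = conf file, $2 = nginx version. Returns non-zero on mismatch.
check_vhost() {
	cv_want="$(expected_style "$2")"
	cv_got="$(actual_style "$1")"
	if [ "$cv_want" = "$cv_got" ]; then
		echo "OK: $1 uses $cv_got, as nginx $2 expects"
	else
		echo "MISMATCH: $1 uses $cv_got, nginx $2 expects $cv_want"
		return 1
	fi
}

# Constructed sample mirroring the compiled output posted in the thread.
sample="$(mktemp)"
cat > "$sample" <<'EOF'
server {
    listen      172.104.227.123:443 ssl http2; # something
    listen      [::]:443 ssl;
}
EOF
check_vhost "$sample" "1.25.0"           # listen-param matches pre-1.25.1
check_vhost "$sample" "1.25.2" || true   # rebuild on 1.25.2 would strip http2
```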
