From 95f2f40c5d49b1d75f87b2114affb19c6d691d14 Mon Sep 17 00:00:00 2001 
From: Gianluca Boiano <491117+M0Rf30@users.noreply.github.com> Date: Mon, 19 Jan 2026 14:54:23 +0100 Subject: [PATCH 1/2] chore: replace nviennot module, add cookie security flags, upstream keepalive, HTTP/2Feature/replace nviennot with native keepalive (#203) * refactor(CO-3074): replace nviennot tcp-keepalive module with native nginx so_keepalive Replace the external nviennot/nginx-tcp-keepalive module with nginx's native so_keepalive parameter on listen directives. This removes an external dependency on a dormant module (last updated 2021) in favor of built-in functionality available since nginx 1.11.0. Changes: - Remove tcp_keepalive directive from nginx.conf.web.template - Add so_keepalive=on to all listen directives across: - HTTP/HTTPS web templates - Admin console templates - SSO templates - Mail proxy templates (IMAP/IMAPS/POP3/POP3S) - Stream templates (XMPP/AddressBook) Note: The nginx-tcp-keepalive module can now be removed from carbonio-thirds PKGBUILD. * fix(CO-3074): add cookie security flags, upstream keepalive, and HTTP/2 for admin - Add HttpOnly, Secure, SameSite=Strict to logout cookies on HTTPS templates - Add HttpOnly, SameSite=Strict to logout cookies on HTTP templates - Add keepalive 32 to all service upstreams for connection reuse - Enable HTTP/2 on admin panel templates * fix(CO-3074): add carbonio-catalog as runtime dependency The proxy configures an Envoy sidecar upstream for carbonio-catalog but the package was not declared as a dependency, causing connection resets when the catalog service is missing. * fix(CO-3074): add Connection header for upstream keepalive support Add `proxy_set_header Connection "";` to all non-WebSocket locations that use keepalive-enabled upstreams. Without this header, nginx sends `Connection: close` by default, preventing connection reuse and making the `keepalive 32;` directives ineffective. 
Locations updated: - /services/files/, /services/chats/, /services/docs/, /services/tasks/ - /services/storages/, /services/catalog/, /services/mobile/tokens - /services/certificate-manager/, /zx/login/, /zx/auth/ WebSocket locations (/services/chats/events, /services/messaging/ws-xmpp, /services/docs/editor/) already have `Connection "upgrade"` and are unchanged. Refs: CO-3074 --- .../nginx.conf.mail.imap.default.template | 6 +- .../templates/nginx.conf.mail.imap.template | 6 +- .../nginx.conf.mail.imaps.default.template | 6 +- .../templates/nginx.conf.mail.imaps.template | 6 +- .../nginx.conf.mail.pop3.default.template | 6 +- .../templates/nginx.conf.mail.pop3.template | 6 +- .../nginx.conf.mail.pop3s.default.template | 6 +- .../templates/nginx.conf.mail.pop3s.template | 6 +- .../nginx.conf.stream.addressBook.template | 6 +- ...nf.stream.message.dispatcher.xmpp.template | 6 +- .../nginx.conf.web.admin.default.template | 8 +-- .../templates/nginx.conf.web.admin.template | 6 +- ...x.conf.web.carbonio.admin.default.template | 27 +++++---- .../nginx.conf.web.carbonio.admin.template | 25 +++++---- .../nginx.conf.web.http.default.template | 56 +++++++++++-------- .../templates/nginx.conf.web.http.template | 48 +++++++++------- .../nginx.conf.web.https.default.template | 56 +++++++++++-------- .../templates/nginx.conf.web.https.template | 48 +++++++++------- .../nginx.conf.web.sso.default.template | 6 +- .../templates/nginx.conf.web.sso.template | 6 +- .../nginx/templates/nginx.conf.web.template | 3 - .../nginx.conf.web.upstreams.template | 11 ++++ 22 files changed, 207 insertions(+), 153 deletions(-) diff --git a/proxy/conf/nginx/templates/nginx.conf.mail.imap.default.template b/proxy/conf/nginx/templates/nginx.conf.mail.imap.default.template index cd8d8e96..a80c45e1 100644 --- a/proxy/conf/nginx/templates/nginx.conf.mail.imap.default.template +++ b/proxy/conf/nginx/templates/nginx.conf.mail.imap.default.template 
@@ -2,9 +2,9 @@ # server { - ${core.ipboth.enabled}listen [::]:${mail.imap.port}; - ${core.ipv4only.enabled}listen ${mail.imap.port}; - ${core.ipv6only.enabled}listen [::]:${mail.imap.port}; + ${core.ipboth.enabled}listen [::]:${mail.imap.port} so_keepalive=on; + ${core.ipv4only.enabled}listen ${mail.imap.port} so_keepalive=on; + ${core.ipv6only.enabled}listen [::]:${mail.imap.port} so_keepalive=on; ${web.ssl.dhparam.enabled}ssl_dhparam ${web.ssl.dhparam.file}; protocol imap; proxy on; diff --git a/proxy/conf/nginx/templates/nginx.conf.mail.imap.template b/proxy/conf/nginx/templates/nginx.conf.mail.imap.template index a9488b21..0109e9bb 100644 --- a/proxy/conf/nginx/templates/nginx.conf.mail.imap.template +++ b/proxy/conf/nginx/templates/nginx.conf.mail.imap.template @@ -4,9 +4,9 @@ server { server_name ${vhn}; - ${core.ipboth.enabled}listen ${vip}${mail.imap.port}; - ${core.ipv4only.enabled}listen ${vip}${mail.imap.port}; - ${core.ipv6only.enabled}listen ${vip}${mail.imap.port}; + ${core.ipboth.enabled}listen ${vip}${mail.imap.port} so_keepalive=on; + ${core.ipv4only.enabled}listen ${vip}${mail.imap.port} so_keepalive=on; + ${core.ipv6only.enabled}listen ${vip}${mail.imap.port} so_keepalive=on; protocol imap; proxy on; timeout ${mail.imap.timeout}; diff --git a/proxy/conf/nginx/templates/nginx.conf.mail.imaps.default.template b/proxy/conf/nginx/templates/nginx.conf.mail.imaps.default.template index f27fbe48..943e93f5 100644 --- a/proxy/conf/nginx/templates/nginx.conf.mail.imaps.default.template +++ b/proxy/conf/nginx/templates/nginx.conf.mail.imaps.default.template 
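Review bot: `so_keepalive=on` on these `listen` lines only switches SO_KEEPALIVE on and leaves probe timing to the kernel defaults (on Linux, two hours idle before the first probe). If the removed `tcp_keepalive` directive set shorter timers, half-open IMAP/POP3 sessions will now hold proxy connections much longer; its values are not visible in these hunks, so this needs confirming. If shorter timers were in use, the explicit form preserves them, e.g. `listen [::]:${mail.imap.port} so_keepalive=<keepidle>:<keepintvl>:<keepcnt>;` with the previous values filled in. The same applies to every `so_keepalive=on` added in the other mail, stream and web templates of this patch.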
@@ -2,9 +2,9 @@ # server { - ${core.ipboth.enabled}listen [::]:${mail.imaps.port} ssl; - ${core.ipv4only.enabled}listen ${mail.imaps.port} ssl; - ${core.ipv6only.enabled}listen [::]:${mail.imaps.port} ssl; + ${core.ipboth.enabled}listen [::]:${mail.imaps.port} ssl so_keepalive=on; + ${core.ipv4only.enabled}listen ${mail.imaps.port} ssl so_keepalive=on; + ${core.ipv6only.enabled}listen [::]:${mail.imaps.port} ssl so_keepalive=on; ${web.ssl.dhparam.enabled}ssl_dhparam ${web.ssl.dhparam.file}; protocol imap; proxy on; diff --git a/proxy/conf/nginx/templates/nginx.conf.mail.imaps.template b/proxy/conf/nginx/templates/nginx.conf.mail.imaps.template index ecdd7906..693c322d 100644 --- a/proxy/conf/nginx/templates/nginx.conf.mail.imaps.template +++ b/proxy/conf/nginx/templates/nginx.conf.mail.imaps.template @@ -4,9 +4,9 @@ server { server_name ${vhn}; - ${core.ipboth.enabled}listen ${vip}${mail.imaps.port} ssl; - ${core.ipv4only.enabled}listen ${vip}${mail.imaps.port} ssl; - ${core.ipv6only.enabled}listen ${vip}${mail.imaps.port} ssl; + ${core.ipboth.enabled}listen ${vip}${mail.imaps.port} ssl so_keepalive=on; + ${core.ipv4only.enabled}listen ${vip}${mail.imaps.port} ssl so_keepalive=on; + ${core.ipv6only.enabled}listen ${vip}${mail.imaps.port} ssl so_keepalive=on; protocol imap; proxy on; timeout ${mail.imap.timeout}; diff --git a/proxy/conf/nginx/templates/nginx.conf.mail.pop3.default.template b/proxy/conf/nginx/templates/nginx.conf.mail.pop3.default.template index d6994289..058656b7 100644 --- a/proxy/conf/nginx/templates/nginx.conf.mail.pop3.default.template +++ b/proxy/conf/nginx/templates/nginx.conf.mail.pop3.default.template 
@@ -2,9 +2,9 @@ # server { - ${core.ipboth.enabled}listen [::]:${mail.pop3.port}; - ${core.ipv4only.enabled}listen ${mail.pop3.port}; - ${core.ipv6only.enabled}listen [::]:${mail.pop3.port}; + ${core.ipboth.enabled}listen [::]:${mail.pop3.port} so_keepalive=on; + ${core.ipv4only.enabled}listen ${mail.pop3.port} so_keepalive=on; + ${core.ipv6only.enabled}listen [::]:${mail.pop3.port} so_keepalive=on; ${web.ssl.dhparam.enabled}ssl_dhparam ${web.ssl.dhparam.file}; protocol pop3; proxy on; diff --git a/proxy/conf/nginx/templates/nginx.conf.mail.pop3.template b/proxy/conf/nginx/templates/nginx.conf.mail.pop3.template index e0fb7bc1..805a4ede 100644 --- a/proxy/conf/nginx/templates/nginx.conf.mail.pop3.template +++ b/proxy/conf/nginx/templates/nginx.conf.mail.pop3.template @@ -4,9 +4,9 @@ server { server_name ${vhn}; - ${core.ipboth.enabled}listen ${vip}${mail.pop3.port}; - ${core.ipv4only.enabled}listen ${vip}${mail.pop3.port}; - ${core.ipv6only.enabled}listen ${vip}${mail.pop3.port}; + ${core.ipboth.enabled}listen ${vip}${mail.pop3.port} so_keepalive=on; + ${core.ipv4only.enabled}listen ${vip}${mail.pop3.port} so_keepalive=on; + ${core.ipv6only.enabled}listen ${vip}${mail.pop3.port} so_keepalive=on; protocol pop3; proxy on; timeout ${mail.pop3.timeout}; diff --git a/proxy/conf/nginx/templates/nginx.conf.mail.pop3s.default.template b/proxy/conf/nginx/templates/nginx.conf.mail.pop3s.default.template index 89832179..90c9ba86 100644 --- a/proxy/conf/nginx/templates/nginx.conf.mail.pop3s.default.template +++ b/proxy/conf/nginx/templates/nginx.conf.mail.pop3s.default.template 
@@ -2,9 +2,9 @@ # server { - ${core.ipboth.enabled}listen [::]:${mail.pop3s.port} ssl; - ${core.ipv4only.enabled}listen ${mail.pop3s.port} ssl; - ${core.ipv6only.enabled}listen [::]:${mail.pop3s.port} ssl; + ${core.ipboth.enabled}listen [::]:${mail.pop3s.port} ssl so_keepalive=on; + ${core.ipv4only.enabled}listen ${mail.pop3s.port} ssl so_keepalive=on; + ${core.ipv6only.enabled}listen [::]:${mail.pop3s.port} ssl so_keepalive=on; ${web.ssl.dhparam.enabled}ssl_dhparam ${web.ssl.dhparam.file}; protocol pop3; proxy on; diff --git a/proxy/conf/nginx/templates/nginx.conf.mail.pop3s.template b/proxy/conf/nginx/templates/nginx.conf.mail.pop3s.template index 4856ab45..2751aecf 100644 --- a/proxy/conf/nginx/templates/nginx.conf.mail.pop3s.template +++ b/proxy/conf/nginx/templates/nginx.conf.mail.pop3s.template @@ -4,9 +4,9 @@ server { server_name ${vhn}; - ${core.ipboth.enabled}listen ${vip}${mail.pop3s.port} ssl; - ${core.ipv4only.enabled}listen ${vip}${mail.pop3s.port} ssl; - ${core.ipv6only.enabled}listen ${vip}${mail.pop3s.port} ssl; + ${core.ipboth.enabled}listen ${vip}${mail.pop3s.port} ssl so_keepalive=on; + ${core.ipv4only.enabled}listen ${vip}${mail.pop3s.port} ssl so_keepalive=on; + ${core.ipv6only.enabled}listen ${vip}${mail.pop3s.port} ssl so_keepalive=on; protocol pop3; proxy on; timeout ${mail.pop3.timeout}; diff --git a/proxy/conf/nginx/templates/nginx.conf.stream.addressBook.template b/proxy/conf/nginx/templates/nginx.conf.stream.addressBook.template index 1f57c970..b3a53b9f 100644 --- a/proxy/conf/nginx/templates/nginx.conf.stream.addressBook.template +++ b/proxy/conf/nginx/templates/nginx.conf.stream.addressBook.template 
@@ -4,9 +4,9 @@ include ${core.includes}/${core.cprefix}.map.ssl; server { - ${core.ipboth.enabled}listen 8636 ssl; - ${core.ipv4only.enabled}listen 8636 ssl; - ${core.ipv6only.enabled}listen [::]:8636 ssl; + ${core.ipboth.enabled}listen 8636 ssl so_keepalive=on; + ${core.ipv4only.enabled}listen 8636 ssl so_keepalive=on; + ${core.ipv6only.enabled}listen [::]:8636 ssl so_keepalive=on; ssl_protocols ${web.ssl.protocols}; ssl_prefer_server_ciphers ${web.ssl.preferserverciphers}; ssl_ciphers ${web.ssl.ciphers}; diff --git a/proxy/conf/nginx/templates/nginx.conf.stream.message.dispatcher.xmpp.template b/proxy/conf/nginx/templates/nginx.conf.stream.message.dispatcher.xmpp.template index bb5b9fb8..d2b01b8f 100644 --- a/proxy/conf/nginx/templates/nginx.conf.stream.message.dispatcher.xmpp.template +++ b/proxy/conf/nginx/templates/nginx.conf.stream.message.dispatcher.xmpp.template @@ -4,9 +4,9 @@ include ${core.includes}/${core.cprefix}.map.ssl; server { - ${core.ipboth.enabled}listen 5222 ssl; - ${core.ipv4only.enabled}listen 5222 ssl; - ${core.ipv6only.enabled}listen [::]:5222 ssl; + ${core.ipboth.enabled}listen 5222 ssl so_keepalive=on; + ${core.ipv4only.enabled}listen 5222 ssl so_keepalive=on; + ${core.ipv6only.enabled}listen [::]:5222 ssl so_keepalive=on; ssl_protocols ${web.ssl.protocols}; ssl_prefer_server_ciphers ${web.ssl.preferserverciphers}; ssl_ciphers ${web.ssl.ciphers}; diff --git a/proxy/conf/nginx/templates/nginx.conf.web.admin.default.template b/proxy/conf/nginx/templates/nginx.conf.web.admin.default.template index 0f56a2ba..89658e26 100644 --- a/proxy/conf/nginx/templates/nginx.conf.web.admin.default.template +++ b/proxy/conf/nginx/templates/nginx.conf.web.admin.default.template 
@@ -2,10 +2,10 @@ # server { - ${core.ipboth.enabled}listen ${web.admin.port} default_server ssl; - ${core.ipboth.enabled}listen [::]:${web.admin.port} default_server ssl; - ${core.ipv4only.enabled}listen ${web.admin.port} default_server ssl; - ${core.ipv6only.enabled}listen [::]:${web.admin.port} default_server ssl; + ${core.ipboth.enabled}listen ${web.admin.port} default_server ssl so_keepalive=on; + ${core.ipboth.enabled}listen [::]:${web.admin.port} default_server ssl so_keepalive=on; + ${core.ipv4only.enabled}listen ${web.admin.port} default_server ssl so_keepalive=on; + ${core.ipv6only.enabled}listen [::]:${web.admin.port} default_server ssl so_keepalive=on; ssl_protocols ${web.ssl.protocols}; ssl_prefer_server_ciphers ${web.ssl.preferserverciphers}; diff --git a/proxy/conf/nginx/templates/nginx.conf.web.admin.template b/proxy/conf/nginx/templates/nginx.conf.web.admin.template index c7e30532..234424da 100644 --- a/proxy/conf/nginx/templates/nginx.conf.web.admin.template +++ b/proxy/conf/nginx/templates/nginx.conf.web.admin.template @@ -5,9 +5,9 @@ server { server_name ${vhn}; - ${core.ipboth.enabled}listen ${vip}${web.admin.port} ssl; - ${core.ipv4only.enabled}listen ${vip}${web.admin.port} ssl; - ${core.ipv6only.enabled}listen ${vip}${web.admin.port} ssl; + ${core.ipboth.enabled}listen ${vip}${web.admin.port} ssl so_keepalive=on; + ${core.ipv4only.enabled}listen ${vip}${web.admin.port} ssl so_keepalive=on; + ${core.ipv6only.enabled}listen ${vip}${web.admin.port} ssl so_keepalive=on; ssl_protocols ${web.ssl.protocols}; ssl_prefer_server_ciphers ${web.ssl.preferserverciphers}; diff --git a/proxy/conf/nginx/templates/nginx.conf.web.carbonio.admin.default.template b/proxy/conf/nginx/templates/nginx.conf.web.carbonio.admin.default.template index 46554928..75bf39d4 100644 --- a/proxy/conf/nginx/templates/nginx.conf.web.carbonio.admin.default.template +++ b/proxy/conf/nginx/templates/nginx.conf.web.carbonio.admin.default.template 
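Review bot: nginx's http module accepts socket-level `listen` parameters such as `so_keepalive` only once per address:port pair, and the per-vhost line `listen ${vip}${web.admin.port} ssl so_keepalive=on;` is rendered for every virtual host. If two rendered server blocks resolve to the same address and port (presumably when `${vip}` is empty or shared), the configuration test fails with "duplicate listen options" and the proxy cannot reload. The same risk applies to the other per-vhost web templates in the diffstat, and to the strict-servername and default server blocks in nginx.conf.web.http.default.template, which both add the parameter for `[::]:${web.http.port}`. Since the option applies to the listening socket, setting it only in the `*.default.template` listeners would be enough; otherwise run `nginx -t` against a multi-domain setup before merging.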
@@ -2,10 +2,11 @@ # server { - ${core.ipboth.enabled}listen ${web.carbonio.admin.port} default_server ssl; - ${core.ipboth.enabled}listen [::]:${web.carbonio.admin.port} default_server ssl; - ${core.ipv4only.enabled}listen ${web.carbonio.admin.port} default_server ssl; - ${core.ipv6only.enabled}listen [::]:${web.carbonio.admin.port} default_server ssl; + ${core.ipboth.enabled}listen ${web.carbonio.admin.port} default_server ssl so_keepalive=on; + ${core.ipboth.enabled}listen [::]:${web.carbonio.admin.port} default_server ssl so_keepalive=on; + ${core.ipv4only.enabled}listen ${web.carbonio.admin.port} default_server ssl so_keepalive=on; + ${core.ipv6only.enabled}listen [::]:${web.carbonio.admin.port} default_server ssl so_keepalive=on; + http2 on; ssl_protocols ${web.ssl.protocols}; ssl_prefer_server_ciphers ${web.ssl.preferserverciphers}; @@ -46,6 +47,7 @@ server proxy_request_buffering off; proxy_pass http://carbonio-storages/; proxy_http_version 1.1; + proxy_set_header Connection ""; } location /services/catalog/ @@ -53,6 +55,7 @@ server proxy_request_buffering off; proxy_pass http://carbonio-catalog/; proxy_http_version 1.1; + proxy_set_header Connection ""; } location ^~ /service 
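Review bot: `http2 on;` is a standalone directive that exists only in nginx 1.25.1 and later; on an older build it is an unknown directive and the rendered configuration fails its test. Nothing in this hunk pins the minimum nginx version, so add a comment such as `# requires nginx >= 1.25.1 (http2 directive)` above the line, or a packaging dependency on that version. HTTP/2 also brings stream multiplexing to the admin port, so `http2_max_concurrent_streams` and `keepalive_requests` are worth setting deliberately rather than leaving at defaults. nginx.conf.web.admin.default.template and nginx.conf.web.admin.template receive `so_keepalive=on` but not `http2 on;`; if that is intentional, the commit message could say so.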
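Review bot: Adding `proxy_set_header Connection "";` inside `location /services/storages/` and `location /services/catalog/` stops those locations inheriting any `proxy_set_header` lines defined at server or http level, because nginx inherits that directive only when the current level defines none. The hunks start mid-location, so it is not visible whether these blocks already set their own headers. If they relied on inherited `Host`, `X-Forwarded-For` or `X-Real-IP`, the backends will now receive nginx's defaults, which affects source-IP based logging and access rules. Either repeat the required headers next to the new line, or define `proxy_set_header Connection "";` at the level where the other headers live. The same applies to the locations touched in nginx.conf.web.carbonio.admin.template, nginx.conf.web.http.default.template and nginx.conf.web.http.template.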
@@ -111,14 +114,14 @@ server location ~/logout { - add_header Set-Cookie "ZM_ADMIN_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "ZX_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "ZM_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "JSESSIONID=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "AUTH_TOKEN_TYPE=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "T=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "Y=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "ADMIN_AUTH_KEY=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; + add_header Set-Cookie "ZM_ADMIN_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure; SameSite=Strict"; + add_header Set-Cookie "ZX_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure; SameSite=Strict"; + add_header Set-Cookie "ZM_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure; SameSite=Strict"; + add_header Set-Cookie "JSESSIONID=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure; SameSite=Strict"; + add_header Set-Cookie "AUTH_TOKEN_TYPE=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure; SameSite=Strict"; + add_header Set-Cookie "T=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure; SameSite=Strict"; + add_header Set-Cookie "Y=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure; SameSite=Strict"; + add_header Set-Cookie "ADMIN_AUTH_KEY=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure; SameSite=Strict"; ${web.carbonio.admin.logout.redirect.default}; } 
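Review bot: The `HttpOnly; Secure; SameSite=Strict` attributes added in this `location ~/logout` block sit on cookies that are being expired with an empty value, so they do not protect the live `ZM_ADMIN_AUTH_TOKEN`, `ZM_AUTH_TOKEN` or `JSESSIONID` values. That protection has to come from the service that issues the tokens, which is outside this patch. A comment above the block would stop the change being read as session-cookie hardening, e.g. `# Expiry only: the flags on the issuing Set-Cookie are what protect live tokens`. Also, `add_header` without `always` is emitted only for a fixed set of 2xx/3xx statuses, so the cookies are not cleared if the logout redirect placeholder ever renders to an error response. The same applies to the logout block in nginx.conf.web.carbonio.admin.template.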
diff --git a/proxy/conf/nginx/templates/nginx.conf.web.carbonio.admin.template b/proxy/conf/nginx/templates/nginx.conf.web.carbonio.admin.template index ba6ed125..8d41a46a 100644 --- a/proxy/conf/nginx/templates/nginx.conf.web.carbonio.admin.template +++ b/proxy/conf/nginx/templates/nginx.conf.web.carbonio.admin.template @@ -5,9 +5,10 @@ server { server_name ${vhn}; - ${core.ipboth.enabled}listen ${vip}${web.carbonio.admin.port} ssl; - ${core.ipv4only.enabled}listen ${vip}${web.carbonio.admin.port} ssl; - ${core.ipv6only.enabled}listen ${vip}${web.carbonio.admin.port} ssl; + ${core.ipboth.enabled}listen ${vip}${web.carbonio.admin.port} ssl so_keepalive=on; + ${core.ipv4only.enabled}listen ${vip}${web.carbonio.admin.port} ssl so_keepalive=on; + ${core.ipv6only.enabled}listen ${vip}${web.carbonio.admin.port} ssl so_keepalive=on; + http2 on; ssl_protocols ${web.ssl.protocols}; ssl_prefer_server_ciphers ${web.ssl.preferserverciphers}; ssl_session_cache ${ssl.session.cachesize}; @@ -47,6 +48,7 @@ server proxy_request_buffering off; proxy_pass http://carbonio-storages/; proxy_http_version 1.1; + proxy_set_header Connection ""; } location /services/catalog/ @@ -54,6 +56,7 @@ server proxy_request_buffering off; proxy_pass http://carbonio-catalog/; proxy_http_version 1.1; + proxy_set_header Connection ""; } location ^~ /service 
@@ -112,14 +115,14 @@ server location ~/logout { - add_header Set-Cookie "ZM_ADMIN_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "ZX_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "ZM_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "JSESSIONID=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "AUTH_TOKEN_TYPE=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "T=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "Y=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "ADMIN_AUTH_KEY=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; + add_header Set-Cookie "ZM_ADMIN_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure; SameSite=Strict"; + add_header Set-Cookie "ZX_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure; SameSite=Strict"; + add_header Set-Cookie "ZM_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure; SameSite=Strict"; + add_header Set-Cookie "JSESSIONID=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure; SameSite=Strict"; + add_header Set-Cookie "AUTH_TOKEN_TYPE=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure; SameSite=Strict"; + add_header Set-Cookie "T=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure; SameSite=Strict"; + add_header Set-Cookie "Y=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure; SameSite=Strict"; + add_header Set-Cookie "ADMIN_AUTH_KEY=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure; SameSite=Strict"; ${web.carbonio.admin.logout.redirect.vhost}; } 
diff --git a/proxy/conf/nginx/templates/nginx.conf.web.http.default.template b/proxy/conf/nginx/templates/nginx.conf.web.http.default.template index 5fa734fe..b3b20997 100644 --- a/proxy/conf/nginx/templates/nginx.conf.web.http.default.template +++ b/proxy/conf/nginx/templates/nginx.conf.web.http.default.template @@ -4,9 +4,9 @@ ${web.strict.servername}# Strict servername enforcing block ${web.strict.servername}# Enabled/disabled through the 'zimbraReverseProxyStrictServerName' configuration item ${web.strict.servername}# The $\{listen.:addresses\} is NOT demarcated with web.strict.servername on purpose. ${web.strict.servername}server { -${web.strict.servername} ${core.ipboth.enabled}listen [::]:${web.http.port} default_server ipv6only=off; -${web.strict.servername} ${core.ipv4only.enabled}listen ${web.http.port} default_server ; -${web.strict.servername} ${core.ipv6only.enabled}listen [::]:${web.http.port} default_server ; +${web.strict.servername} ${core.ipboth.enabled}listen [::]:${web.http.port} default_server ipv6only=off so_keepalive=on; +${web.strict.servername} ${core.ipv4only.enabled}listen ${web.http.port} default_server so_keepalive=on; +${web.strict.servername} ${core.ipv6only.enabled}listen [::]:${web.http.port} default_server so_keepalive=on; ${web.strict.servername} server_name _; ${web.strict.servername} ${web.strict.servername} # Listen addresses extracted from `zimbraVirtualIPAddress` on each domain 
@@ -25,10 +25,10 @@ server { server_name ${web.server_name.default}; # add aliases and perhaps public - ${core.ipboth.enabled}listen ${web.http.port} default_server ; - ${core.ipboth.enabled}listen [::]:${web.http.port} default_server ; - ${core.ipv4only.enabled}listen ${web.http.port} default_server ; - ${core.ipv6only.enabled}listen [::]:${web.http.port} default_server ; + ${core.ipboth.enabled}listen ${web.http.port} default_server so_keepalive=on; + ${core.ipboth.enabled}listen [::]:${web.http.port} default_server so_keepalive=on; + ${core.ipv4only.enabled}listen ${web.http.port} default_server so_keepalive=on; + ${core.ipv6only.enabled}listen [::]:${web.http.port} default_server so_keepalive=on; # no maximum limit imposed on the size of the request body 
@@ -77,14 +77,14 @@ server location ~/logout { - add_header Set-Cookie "ZM_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "ZX_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "ZM_ADMIN_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "JSESSIONID=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "AUTH_TOKEN_TYPE=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "T=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "Y=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "ADMIN_AUTH_KEY=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; + add_header Set-Cookie "ZM_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; SameSite=Strict"; + add_header Set-Cookie "ZX_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; SameSite=Strict"; + add_header Set-Cookie "ZM_ADMIN_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; SameSite=Strict"; + add_header Set-Cookie "JSESSIONID=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; SameSite=Strict"; + add_header Set-Cookie "AUTH_TOKEN_TYPE=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; SameSite=Strict"; + add_header Set-Cookie "T=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; SameSite=Strict"; + add_header Set-Cookie "Y=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; SameSite=Strict"; + add_header Set-Cookie "ADMIN_AUTH_KEY=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; SameSite=Strict"; ${web.carbonio.webui.logout.redirect.default}; } 
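Review bot: On the plain-HTTP listener these expiry headers cannot remove a cookie that was stored with the `Secure` attribute, because current browsers refuse to let an insecure origin overwrite or delete a Secure cookie. Adding `Secure` here would not help either, since a Secure `Set-Cookie` received over HTTP is rejected. If the tokens are issued with `Secure` (not visible in this patch), a logout that lands on the HTTP template leaves the browser holding them, so logout should be redirected to the HTTPS listener before the cookies are expired. A comment such as `# Cannot clear Secure cookies over HTTP; logout must complete on HTTPS` would document the limit. The same applies to the `loginOp=logout` block later in this file and to both logout blocks in nginx.conf.web.http.template.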
@@ -140,6 +140,7 @@ server proxy_request_buffering off; proxy_pass http://files/; proxy_http_version 1.1; + proxy_set_header Connection ""; } location /services/chats/events @@ -158,6 +159,7 @@ server proxy_request_buffering off; proxy_pass http://ws-collaboration/; proxy_http_version 1.1; + proxy_set_header Connection ""; } location /services/messaging/ws-xmpp @@ -176,6 +178,7 @@ server proxy_request_buffering off; proxy_pass http://docs-connector/; proxy_http_version 1.1; + proxy_set_header Connection ""; } location /services/docs/editor/ @@ -194,6 +197,7 @@ server proxy_request_buffering off; proxy_pass http://tasks/; proxy_http_version 1.1; + proxy_set_header Connection ""; } location /services/storages/ @@ -201,6 +205,7 @@ server proxy_request_buffering off; proxy_pass http://carbonio-storages/; proxy_http_version 1.1; + proxy_set_header Connection ""; } location /services/catalog/ @@ -208,6 +213,7 @@ server proxy_request_buffering off; proxy_pass http://carbonio-catalog/; proxy_http_version 1.1; + proxy_set_header Connection ""; } location /services/mobile/tokens @@ -215,6 +221,7 @@ server proxy_request_buffering off; proxy_pass http://carbonio-notification-push/tokens; proxy_http_version 1.1; + proxy_set_header Connection ""; } location /services/certificate-manager/ @@ -222,6 +229,7 @@ server proxy_request_buffering off; proxy_pass http://carbonio-certificate-manager/; proxy_http_version 1.1; + proxy_set_header Connection ""; } location ^~ /zx/login/ @@ -231,6 +239,7 @@ server proxy_set_header X-Forwarded-Port $server_port; proxy_set_header Host $http_host; proxy_http_version 1.1; + proxy_set_header Connection ""; proxy_pass http://carbonio-auth/zx/login/; } @@ -241,6 +250,7 @@ server proxy_set_header X-Forwarded-Port $server_port; proxy_set_header Host $http_host; proxy_http_version 1.1; + proxy_set_header Connection ""; proxy_pass http://carbonio-auth/zx/auth/; } 
@@ -271,14 +281,14 @@ server # Defaults to /static/login/ # Marked for removal: will be removed in 23.10.0 and logout will be handled at ~/logout if ($query_string ~ loginOp=logout) { - add_header Set-Cookie "ZM_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "ZX_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "ZM_ADMIN_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "JSESSIONID=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "AUTH_TOKEN_TYPE=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "T=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "Y=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "ADMIN_AUTH_KEY=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; + add_header Set-Cookie "ZM_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; SameSite=Strict"; + add_header Set-Cookie "ZX_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; SameSite=Strict"; + add_header Set-Cookie "ZM_ADMIN_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; SameSite=Strict"; + add_header Set-Cookie "JSESSIONID=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; SameSite=Strict"; + add_header Set-Cookie "AUTH_TOKEN_TYPE=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; SameSite=Strict"; + add_header Set-Cookie "T=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; SameSite=Strict"; + add_header Set-Cookie "Y=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; SameSite=Strict"; + add_header Set-Cookie "ADMIN_AUTH_KEY=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; SameSite=Strict"; 
${web.carbonio.webui.logout.redirect.default}; } diff --git a/proxy/conf/nginx/templates/nginx.conf.web.http.template b/proxy/conf/nginx/templates/nginx.conf.web.http.template index e2f3f2b0..440435a9 100644 --- a/proxy/conf/nginx/templates/nginx.conf.web.http.template +++ b/proxy/conf/nginx/templates/nginx.conf.web.http.template @@ -11,9 +11,9 @@ server { server_name ${vhn}; - ${core.ipboth.enabled}listen ${vip}${web.http.port} ; - ${core.ipv4only.enabled}listen ${vip}${web.http.port} ; - ${core.ipv6only.enabled}listen ${vip}${web.http.port} ; + ${core.ipboth.enabled}listen ${vip}${web.http.port} so_keepalive=on; + ${core.ipv4only.enabled}listen ${vip}${web.http.port} so_keepalive=on; + ${core.ipv6only.enabled}listen ${vip}${web.http.port} so_keepalive=on; # no maximum limit imposed on the size of the request body 
@@ -51,14 +51,14 @@ server location ~/logout { - add_header Set-Cookie "ZM_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "ZX_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "ZM_ADMIN_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "JSESSIONID=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "AUTH_TOKEN_TYPE=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "T=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "Y=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "ADMIN_AUTH_KEY=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; + add_header Set-Cookie "ZM_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; SameSite=Strict"; + add_header Set-Cookie "ZX_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; SameSite=Strict"; + add_header Set-Cookie "ZM_ADMIN_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; SameSite=Strict"; + add_header Set-Cookie "JSESSIONID=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; SameSite=Strict"; + add_header Set-Cookie "AUTH_TOKEN_TYPE=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; SameSite=Strict"; + add_header Set-Cookie "T=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; SameSite=Strict"; + add_header Set-Cookie "Y=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; SameSite=Strict"; + add_header Set-Cookie "ADMIN_AUTH_KEY=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; SameSite=Strict"; ${web.carbonio.webui.logout.redirect.vhost}; } 
@@ -114,6 +114,7 @@ server proxy_request_buffering off; proxy_pass http://files/; proxy_http_version 1.1; + proxy_set_header Connection ""; } location /services/chats/events @@ -132,6 +133,7 @@ server proxy_request_buffering off; proxy_pass http://ws-collaboration/; proxy_http_version 1.1; + proxy_set_header Connection ""; } location /services/messaging/ws-xmpp @@ -150,6 +152,7 @@ server proxy_request_buffering off; proxy_pass http://docs-connector/; proxy_http_version 1.1; + proxy_set_header Connection ""; } location /services/docs/editor/ @@ -168,6 +171,7 @@ server proxy_request_buffering off; proxy_pass http://tasks/; proxy_http_version 1.1; + proxy_set_header Connection ""; } location /services/storages/ @@ -175,6 +179,7 @@ server proxy_request_buffering off; proxy_pass http://carbonio-storages/; proxy_http_version 1.1; + proxy_set_header Connection ""; } location /services/catalog/ @@ -182,6 +187,7 @@ server proxy_request_buffering off; proxy_pass http://carbonio-catalog/; proxy_http_version 1.1; + proxy_set_header Connection ""; } location /services/mobile/tokens @@ -189,6 +195,7 @@ server proxy_request_buffering off; proxy_pass http://carbonio-notification-push/tokens; proxy_http_version 1.1; + proxy_set_header Connection ""; } location /services/certificate-manager/ @@ -196,6 +203,7 @@ server proxy_request_buffering off; proxy_pass http://carbonio-certificate-manager/; proxy_http_version 1.1; + proxy_set_header Connection ""; } location ^~ /zx/login/ @@ -205,6 +213,7 @@ server proxy_set_header X-Forwarded-Port $server_port; proxy_set_header Host $http_host; proxy_http_version 1.1; + proxy_set_header Connection ""; proxy_pass http://carbonio-auth/zx/login/; } @@ -215,6 +224,7 @@ server proxy_set_header X-Forwarded-Port $server_port; proxy_set_header Host $http_host; proxy_http_version 1.1; + proxy_set_header Connection ""; proxy_pass http://carbonio-auth/zx/auth/; } 
@@ -245,14 +255,14 @@ server # Defaults to /static/login/ # Marked for removal: will be removed in 23.10.0 and logout will be handled at ~/logout if ($query_string ~ loginOp=logout) { - add_header Set-Cookie "ZM_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "ZX_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "ZM_ADMIN_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "JSESSIONID=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "AUTH_TOKEN_TYPE=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "T=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "Y=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "ADMIN_AUTH_KEY=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; + add_header Set-Cookie "ZM_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; SameSite=Strict"; + add_header Set-Cookie "ZX_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; SameSite=Strict"; + add_header Set-Cookie "ZM_ADMIN_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; SameSite=Strict"; + add_header Set-Cookie "JSESSIONID=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; SameSite=Strict"; + add_header Set-Cookie "AUTH_TOKEN_TYPE=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; SameSite=Strict"; + add_header Set-Cookie "T=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; SameSite=Strict"; + add_header Set-Cookie "Y=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; SameSite=Strict"; + add_header Set-Cookie "ADMIN_AUTH_KEY=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; SameSite=Strict"; 
${web.carbonio.webui.logout.redirect.vhost}; } diff --git a/proxy/conf/nginx/templates/nginx.conf.web.https.default.template b/proxy/conf/nginx/templates/nginx.conf.web.https.default.template index e771a258..26ff7fcd 100644 --- a/proxy/conf/nginx/templates/nginx.conf.web.https.default.template +++ b/proxy/conf/nginx/templates/nginx.conf.web.https.default.template @@ -4,9 +4,9 @@ ${web.strict.servername}# Strict servername enforcing block ${web.strict.servername}# Enabled/disabled through the 'zimbraReverseProxyStrictServerName' configuration item ${web.strict.servername}# The $\{listen.:addresses\} is NOT demarcated with web.strict.servername on purpose. ${web.strict.servername}server { -${web.strict.servername} ${core.ipboth.enabled}listen [::]:${web.https.port} default_server ipv6only=off ssl; -${web.strict.servername} ${core.ipv4only.enabled}listen ${web.https.port} default_server ssl; -${web.strict.servername} ${core.ipv6only.enabled}listen [::]:${web.https.port} default_server ssl; +${web.strict.servername} ${core.ipboth.enabled}listen [::]:${web.https.port} default_server ipv6only=off ssl so_keepalive=on; +${web.strict.servername} ${core.ipv4only.enabled}listen ${web.https.port} default_server ssl so_keepalive=on; +${web.strict.servername} ${core.ipv6only.enabled}listen [::]:${web.https.port} default_server ssl so_keepalive=on; ${web.strict.servername} server_name _; ${web.strict.servername} ${web.strict.servername} # Listen addresses extracted from `zimbraVirtualIPAddress` on each domain 
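Review bot: `so_keepalive=on` is a socket-level `listen` parameter, and nginx documents those as allowed only once per address:port pair, so repeating it on every `listen` line risks a configuration-test failure once the templates are rendered. In this file the strict-servername block and the main `server` block both listen on `[::]:${web.https.port}`; whether both are emitted together depends on template variables not shown here. The per-vhost templates later in the patch (`listen ${vip}${web.https.port} ssl so_keepalive=on;` and the SSO equivalent) are rendered once per `${vhn}`, so two domains sharing a `${vip}` would presumably repeat the option on the same socket. The parameter also implies a separate `bind()` for each address:port. I would keep it only on the `default_server` line for each port and run `nginx -t` against a multi-domain rendering before merging.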
@@ -36,10 +36,10 @@ server { server_name ${web.server_name.default}; # add aliases and perhaps public - ${core.ipboth.enabled}listen ${web.https.port} default_server ssl; - ${core.ipboth.enabled}listen [::]:${web.https.port} default_server ssl; - ${core.ipv4only.enabled}listen ${web.https.port} default_server ssl; - ${core.ipv6only.enabled}listen [::]:${web.https.port} default_server ssl; + ${core.ipboth.enabled}listen ${web.https.port} default_server ssl so_keepalive=on; + ${core.ipboth.enabled}listen [::]:${web.https.port} default_server ssl so_keepalive=on; + ${core.ipv4only.enabled}listen ${web.https.port} default_server ssl so_keepalive=on; + ${core.ipv6only.enabled}listen [::]:${web.https.port} default_server ssl so_keepalive=on; http2 on; ssl_protocols ${web.ssl.protocols}; 
@@ -101,14 +101,14 @@ server location ~/logout { - add_header Set-Cookie "ZM_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "ZX_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "ZM_ADMIN_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "JSESSIONID=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "AUTH_TOKEN_TYPE=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "T=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "Y=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "ADMIN_AUTH_KEY=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; + add_header Set-Cookie "ZM_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure; SameSite=Strict"; + add_header Set-Cookie "ZX_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure; SameSite=Strict"; + add_header Set-Cookie "ZM_ADMIN_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure; SameSite=Strict"; + add_header Set-Cookie "JSESSIONID=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure; SameSite=Strict"; + add_header Set-Cookie "AUTH_TOKEN_TYPE=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure; SameSite=Strict"; + add_header Set-Cookie "T=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure; SameSite=Strict"; + add_header Set-Cookie "Y=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure; SameSite=Strict"; + add_header Set-Cookie "ADMIN_AUTH_KEY=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure; SameSite=Strict"; ${web.carbonio.webui.logout.redirect.default}; } 
@@ -164,6 +164,7 @@ server proxy_request_buffering off; proxy_pass http://files/; proxy_http_version 1.1; + proxy_set_header Connection ""; } location /services/chats/events @@ -182,6 +183,7 @@ server proxy_request_buffering off; proxy_pass http://ws-collaboration/; proxy_http_version 1.1; + proxy_set_header Connection ""; } location /services/messaging/ws-xmpp @@ -200,6 +202,7 @@ server proxy_request_buffering off; proxy_pass http://docs-connector/; proxy_http_version 1.1; + proxy_set_header Connection ""; } location /services/docs/editor/ @@ -218,6 +221,7 @@ server proxy_request_buffering off; proxy_pass http://tasks/; proxy_http_version 1.1; + proxy_set_header Connection ""; } location /services/storages/ @@ -225,6 +229,7 @@ server proxy_request_buffering off; proxy_pass http://carbonio-storages/; proxy_http_version 1.1; + proxy_set_header Connection ""; } location /services/catalog/ @@ -232,6 +237,7 @@ server proxy_request_buffering off; proxy_pass http://carbonio-catalog/; proxy_http_version 1.1; + proxy_set_header Connection ""; } location /services/mobile/tokens @@ -239,6 +245,7 @@ server proxy_request_buffering off; proxy_pass http://carbonio-notification-push/tokens; proxy_http_version 1.1; + proxy_set_header Connection ""; } location /services/certificate-manager/ @@ -246,6 +253,7 @@ server proxy_request_buffering off; proxy_pass http://carbonio-certificate-manager/; proxy_http_version 1.1; + proxy_set_header Connection ""; } location ^~ /zx/login/ @@ -255,6 +263,7 @@ server proxy_set_header X-Forwarded-Port $server_port; proxy_set_header Host $http_host; proxy_http_version 1.1; + proxy_set_header Connection ""; proxy_pass http://carbonio-auth/zx/login/; } @@ -265,6 +274,7 @@ server proxy_set_header X-Forwarded-Port $server_port; proxy_set_header Host $http_host; proxy_http_version 1.1; + proxy_set_header Connection ""; proxy_pass http://carbonio-auth/zx/auth/; } 
@@ -295,14 +305,14 @@ server # Defaults to /static/login/ # Marked for removal: will be removed in 23.10.0 and logout will be handled at ~/logout if ($query_string ~ loginOp=logout) { - add_header Set-Cookie "ZM_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "ZX_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "ZM_ADMIN_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "JSESSIONID=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "AUTH_TOKEN_TYPE=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "T=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "Y=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "ADMIN_AUTH_KEY=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; + add_header Set-Cookie "ZM_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure; SameSite=Strict"; + add_header Set-Cookie "ZX_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure; SameSite=Strict"; + add_header Set-Cookie "ZM_ADMIN_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure; SameSite=Strict"; + add_header Set-Cookie "JSESSIONID=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure; SameSite=Strict"; + add_header Set-Cookie "AUTH_TOKEN_TYPE=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure; SameSite=Strict"; + add_header Set-Cookie "T=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure; SameSite=Strict"; + add_header Set-Cookie "Y=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure; SameSite=Strict"; + add_header Set-Cookie "ADMIN_AUTH_KEY=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; 
HttpOnly; Secure; SameSite=Strict"; ${web.carbonio.webui.logout.redirect.default}; } diff --git a/proxy/conf/nginx/templates/nginx.conf.web.https.template b/proxy/conf/nginx/templates/nginx.conf.web.https.template index 3e0e39ad..6a4b0478 100644 --- a/proxy/conf/nginx/templates/nginx.conf.web.https.template +++ b/proxy/conf/nginx/templates/nginx.conf.web.https.template @@ -11,9 +11,9 @@ server { server_name ${vhn}; - ${core.ipboth.enabled}listen ${vip}${web.https.port} ssl; - ${core.ipv4only.enabled}listen ${vip}${web.https.port} ssl; - ${core.ipv6only.enabled}listen ${vip}${web.https.port} ssl; + ${core.ipboth.enabled}listen ${vip}${web.https.port} ssl so_keepalive=on; + ${core.ipv4only.enabled}listen ${vip}${web.https.port} ssl so_keepalive=on; + ${core.ipv6only.enabled}listen ${vip}${web.https.port} ssl so_keepalive=on; http2 on; ssl_protocols ${web.ssl.protocols}; 
@@ -63,14 +63,14 @@ server location ~/logout { - add_header Set-Cookie "ZM_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "ZX_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "ZM_ADMIN_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "JSESSIONID=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "AUTH_TOKEN_TYPE=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "T=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "Y=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "ADMIN_AUTH_KEY=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; + add_header Set-Cookie "ZM_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure; SameSite=Strict"; + add_header Set-Cookie "ZX_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure; SameSite=Strict"; + add_header Set-Cookie "ZM_ADMIN_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure; SameSite=Strict"; + add_header Set-Cookie "JSESSIONID=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure; SameSite=Strict"; + add_header Set-Cookie "AUTH_TOKEN_TYPE=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure; SameSite=Strict"; + add_header Set-Cookie "T=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure; SameSite=Strict"; + add_header Set-Cookie "Y=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure; SameSite=Strict"; + add_header Set-Cookie "ADMIN_AUTH_KEY=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure; SameSite=Strict"; ${web.carbonio.webui.logout.redirect.vhost}; } 
@@ -126,6 +126,7 @@ server proxy_request_buffering off; proxy_pass http://files/; proxy_http_version 1.1; + proxy_set_header Connection ""; } location /services/chats/events @@ -144,6 +145,7 @@ server proxy_request_buffering off; proxy_pass http://ws-collaboration/; proxy_http_version 1.1; + proxy_set_header Connection ""; } location /services/messaging/ws-xmpp @@ -162,6 +164,7 @@ server proxy_request_buffering off; proxy_pass http://docs-connector/; proxy_http_version 1.1; + proxy_set_header Connection ""; } location /services/docs/editor/ @@ -180,6 +183,7 @@ server proxy_request_buffering off; proxy_pass http://tasks/; proxy_http_version 1.1; + proxy_set_header Connection ""; } location /services/storages/ @@ -187,6 +191,7 @@ server proxy_request_buffering off; proxy_pass http://carbonio-storages/; proxy_http_version 1.1; + proxy_set_header Connection ""; } location /services/catalog/ @@ -194,6 +199,7 @@ server proxy_request_buffering off; proxy_pass http://carbonio-catalog/; proxy_http_version 1.1; + proxy_set_header Connection ""; } location /services/mobile/tokens @@ -201,6 +207,7 @@ server proxy_request_buffering off; proxy_pass http://carbonio-notification-push/tokens; proxy_http_version 1.1; + proxy_set_header Connection ""; } location /services/certificate-manager/ @@ -208,6 +215,7 @@ server proxy_request_buffering off; proxy_pass http://carbonio-certificate-manager/; proxy_http_version 1.1; + proxy_set_header Connection ""; } location ^~ /zx/login/ @@ -217,6 +225,7 @@ server proxy_set_header X-Forwarded-Port $server_port; proxy_set_header Host $http_host; proxy_http_version 1.1; + proxy_set_header Connection ""; proxy_pass http://carbonio-auth/zx/login/; } @@ -227,6 +236,7 @@ server proxy_set_header X-Forwarded-Port $server_port; proxy_set_header Host $http_host; proxy_http_version 1.1; + proxy_set_header Connection ""; proxy_pass http://carbonio-auth/zx/auth/; } 
@@ -257,14 +267,14 @@ server # Defaults to /static/login/ # Marked for removal: will be removed in 23.10.0 and logout will be handled at ~/logout if ($query_string ~ loginOp=logout) { - add_header Set-Cookie "ZM_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "ZX_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "ZM_ADMIN_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "JSESSIONID=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "AUTH_TOKEN_TYPE=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "T=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "Y=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; - add_header Set-Cookie "ADMIN_AUTH_KEY=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0"; + add_header Set-Cookie "ZM_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure; SameSite=Strict"; + add_header Set-Cookie "ZX_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure; SameSite=Strict"; + add_header Set-Cookie "ZM_ADMIN_AUTH_TOKEN=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure; SameSite=Strict"; + add_header Set-Cookie "JSESSIONID=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure; SameSite=Strict"; + add_header Set-Cookie "AUTH_TOKEN_TYPE=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure; SameSite=Strict"; + add_header Set-Cookie "T=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure; SameSite=Strict"; + add_header Set-Cookie "Y=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure; SameSite=Strict"; + add_header Set-Cookie "ADMIN_AUTH_KEY=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; 
HttpOnly; Secure; SameSite=Strict"; ${web.carbonio.webui.logout.redirect.vhost}; } diff --git a/proxy/conf/nginx/templates/nginx.conf.web.sso.default.template b/proxy/conf/nginx/templates/nginx.conf.web.sso.default.template index 898e53f5..e189ed4a 100644 --- a/proxy/conf/nginx/templates/nginx.conf.web.sso.default.template +++ b/proxy/conf/nginx/templates/nginx.conf.web.sso.default.template @@ -1,8 +1,8 @@ #client cert auth server { - ${core.ipboth.enabled}listen [::]:${web.sso.certauth.port} default ssl; - ${core.ipv4only.enabled}listen ${web.sso.certauth.port} default ssl; - ${core.ipv6only.enabled}listen [::]:${web.sso.certauth.port} default ssl; + ${core.ipboth.enabled}listen [::]:${web.sso.certauth.port} default ssl so_keepalive=on; + ${core.ipv4only.enabled}listen ${web.sso.certauth.port} default ssl so_keepalive=on; + ${core.ipv6only.enabled}listen [::]:${web.sso.certauth.port} default ssl so_keepalive=on; ${web.add.headers.default} ssl_protocols ${web.ssl.protocols}; ssl_prefer_server_ciphers ${web.ssl.preferserverciphers}; diff --git a/proxy/conf/nginx/templates/nginx.conf.web.sso.template b/proxy/conf/nginx/templates/nginx.conf.web.sso.template index 25e7d3a6..0f80bc5e 100644 --- a/proxy/conf/nginx/templates/nginx.conf.web.sso.template +++ b/proxy/conf/nginx/templates/nginx.conf.web.sso.template @@ -3,9 +3,9 @@ #client cert auth server { server_name ${vhn}; - ${core.ipboth.enabled}listen ${vip}${web.sso.certauth.port} ssl; - ${core.ipv4only.enabled}listen ${vip}${web.sso.certauth.port} ssl; - ${core.ipv6only.enabled}listen ${vip}${web.sso.certauth.port} ssl; + ${core.ipboth.enabled}listen ${vip}${web.sso.certauth.port} ssl so_keepalive=on; + ${core.ipv4only.enabled}listen ${vip}${web.sso.certauth.port} ssl so_keepalive=on; + ${core.ipv6only.enabled}listen ${vip}${web.sso.certauth.port} ssl so_keepalive=on; ${web.add.headers.vhost} ssl_protocols ${web.ssl.protocols}; ssl_prefer_server_ciphers ${web.ssl.preferserverciphers}; 
diff --git a/proxy/conf/nginx/templates/nginx.conf.web.template b/proxy/conf/nginx/templates/nginx.conf.web.template index 80377cb9..36f7f304 100644 --- a/proxy/conf/nginx/templates/nginx.conf.web.template +++ b/proxy/conf/nginx/templates/nginx.conf.web.template @@ -43,9 +43,6 @@ http ${ssl.clientcertca.enabled}ssl_client_certificate ${ssl.clientcertca.default}; - # turn on tcp keepalive - tcp_keepalive on; - ${web.http.enabled}include ${core.includes}/${core.cprefix}.web.http; ${web.http.enabled}include ${core.includes}/${core.cprefix}.web.http.default; ${web.https.enabled}include ${core.includes}/${core.cprefix}.web.https; diff --git a/proxy/conf/nginx/templates/nginx.conf.web.upstreams.template b/proxy/conf/nginx/templates/nginx.conf.web.upstreams.template index b1661b61..207d493a 100644 --- a/proxy/conf/nginx/templates/nginx.conf.web.upstreams.template +++ b/proxy/conf/nginx/templates/nginx.conf.web.upstreams.template @@ -113,54 +113,65 @@ upstream files { server 127.78.0.1:20000 fail_timeout=10s; + keepalive 32; } upstream ws-collaboration { server 127.78.0.1:20001 fail_timeout=10s; + keepalive 32; } upstream docs-connector { server 127.78.0.1:20002 fail_timeout=10s; + keepalive 32; } upstream docs-editor { server 127.78.0.1:20003 fail_timeout=10s; + keepalive 32; } upstream message-dispatcher-http { server 127.78.0.1:20004 fail_timeout=10s; + keepalive 32; } upstream tasks { server 127.78.0.1:20007 fail_timeout=10s; + keepalive 32; } upstream carbonio-auth { server 127.78.0.1:20008 fail_timeout=10s; + keepalive 32; } upstream carbonio-storages { server 127.78.0.1:20009 fail_timeout=10s; + keepalive 32; } upstream carbonio-notification-push { server 127.78.0.1:20010 fail_timeout=10s; + keepalive 32; } upstream carbonio-certificate-manager { server 127.78.0.1:20011 fail_timeout=10s; + keepalive 32; } upstream carbonio-catalog { server 127.78.0.1:20012 fail_timeout=10s; + keepalive 32; } \ No newline at end of file 
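Review bot: `keepalive 32;` is repeated in all eleven upstream blocks with no comment on what the number bounds, and it is easy to misread as a connection limit. The value is the number of idle connections cached per worker process, and it does not cap the total connections nginx opens to the sidecar at `127.78.0.1`. I would document that once above the first block, for example `# keepalive = idle connections cached per worker, not a cap on total upstream connections`. No `keepalive_timeout` is set in these upstreams, so nginx's default idle lifetime applies; it should be confirmed that the sidecar's idle timeout is not shorter, otherwise a reused connection can be reset mid-request. The new side still ends without a trailing newline.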
From 4a8284ee633cb36f4ec66f1ea3a420baddda588c Mon Sep 17 00:00:00 2001 From: Zextras Bot Date: Tue, 20 Jan 2026 03:24:54 +0000 Subject: [PATCH 2/2] chore(deps): update dependency org.apache.maven.plugins:maven-dependency-plugin to v3.9.0 --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 02dd1dd9..18beac18 100644 --- a/pom.xml +++ b/pom.xml @@ -197,7 +197,7 @@ org.apache.maven.plugins maven-dependency-plugin - 3.6.1 + 3.9.0 analyze