Fix: Webmail-Vhost nur /webmail/* — Control Panel nicht mehr erreichbar

- build_webmail_http_only / build_webmail_tls als eigene Funktionen - Webmail-Domain: / und /login → redirect auf /webmail/login - Webmail-Domain: nur /webmail/* wird an Laravel weitergeleitet - Alles andere auf Webmail-Domain → 403 - UI-Domain bleibt unverändert (voller Laravel-Zugriff) - mailwolt-apply-domains deployed aktualisiert (write_webmail_vhost) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-23 02:54:05 +02:00 · 2026-04-23 02:54:05 +02:00 · 46fb3f12ff
parent 3bc3862b69
commit 46fb3f12ff
1 changed files with 66 additions and 6 deletions
--- a/mailwolt-installer/scripts/70-nginx.sh
+++ b/mailwolt-installer/scripts/70-nginx.sh
@ -396,6 +396,67 @@ server {
 CONF
 }

+# ── Builder Webmail: nur /webmail/* erlaubt, root → redirect ───────────────
+build_webmail_http_only(){
+  local host="$1" outfile="$2" def_flag="${3:-nodefault}"
+  local def=""
+  [[ "${DEV_MODE}" = "1" && "${def_flag}" = "default" ]] && def=" default_server"
+  [[ -z "${host}" || "${host}" = "_" ]] && host="_"
+  cat > "$outfile" <<CONF
+# --- ${host} : Webmail (nur /webmail/*) ---
+server {
+  listen 80${def};
+  listen [::]:80${def};
+  server_name ${host};
+  location ^~ /.well-known/acme-challenge/ { root ${ACME_ROOT}; allow all; }
+  root ${APP_DIR}/public;
+  index index.php;
+  access_log /var/log/nginx/${host/_/__}_webmail_access.log;
+  error_log  /var/log/nginx/${host/_/__}_webmail_error.log;
+  client_max_body_size 25m;
+  location = /       { return 301 /webmail/login; }
+  location = /login  { return 301 /webmail/login; }
+  location ^~ /webmail/ { try_files \$uri \$uri/ /index.php?\$query_string; }
+  location ~ \.php\$  { include snippets/fastcgi-php.conf; ${FASTCGI_PASS} }
+  location ^~ /livewire/ { try_files \$uri /index.php?\$query_string; }
+  location ~* \.(css|js|ico|svg|woff2?|ttf|jpg|jpeg|png|gif)\$ { expires 30d; access_log off; }
+  location / { return 403; }
+}
+CONF
+}
+
+build_webmail_tls(){
+  local host="$1" cert_dir="$2" outfile="$3"
+  cat > "$outfile" <<CONF
+# --- ${host} : Webmail TLS (nur /webmail/*) ---
+server {
+  listen 80; listen [::]:80; server_name ${host};
+  location ^~ /.well-known/acme-challenge/ { root ${ACME_ROOT}; allow all; }
+  return 301 https://\$host\$request_uri;
+}
+server {
+  listen 443 ssl${NGINX_HTTP2_SUFFIX}; listen [::]:443 ssl${NGINX_HTTP2_SUFFIX};
+  server_name ${host};
+  ssl_certificate     ${cert_dir}/fullchain.pem;
+  ssl_certificate_key ${cert_dir}/privkey.pem;
+  ssl_protocols       TLSv1.2 TLSv1.3;
+  location ^~ /.well-known/acme-challenge/ { root ${ACME_ROOT}; allow all; }
+  root ${APP_DIR}/public;
+  index index.php;
+  access_log /var/log/nginx/${host}_webmail_ssl_access.log;
+  error_log  /var/log/nginx/${host}_webmail_ssl_error.log;
+  client_max_body_size 25m;
+  location = /       { return 301 https://\$host/webmail/login; }
+  location = /login  { return 301 https://\$host/webmail/login; }
+  location ^~ /webmail/ { try_files \$uri \$uri/ /index.php?\$query_string; }
+  location ~ \.php\$  { include snippets/fastcgi-php.conf; ${FASTCGI_PASS} }
+  location ^~ /livewire/ { try_files \$uri /index.php?\$query_string; }
+  location ~* \.(css|js|ico|svg|woff2?|ttf|jpg|jpeg|png|gif)\$ { expires 30d; access_log off; }
+  location / { return 403; }
+}
+CONF
+}
+
 # ── Sites erzeugen ─────────────────────────────────────────────────────────
 MX_SITE="/etc/nginx/sites-available/mx-mailwolt.conf"
 UI_SITE="/etc/nginx/sites-available/ui-mailwolt.conf"
@ -412,16 +473,15 @@ WEBMAIL_SITE="/etc/nginx/sites-available/webmail-mailwolt.conf"

 # UI & Webmail …
 if [[ "${DEV_MODE}" = "1" ]]; then
-  # UI = Catch-All + default_server, Webmail = Catch-All ohne default
  build_site_http_only    "_" "$UI_SITE"      "default"
-  build_site_http_only "_" "$WEBMAIL_SITE" "nodefault"
+  build_webmail_http_only "_" "$WEBMAIL_SITE" "nodefault"
 else
  if [[ "${PROXY_MODE:-0}" -eq 1 ]]; then
    build_site_http_only    "$UI_HOST"      "$UI_SITE"
-    build_site_http_only "$WEBMAIL_HOST" "$WEBMAIL_SITE"
+    build_webmail_http_only "$WEBMAIL_HOST" "$WEBMAIL_SITE"
  else
    build_site_tls       "$UI_HOST"      "/etc/ssl/ui"      "$UI_SITE"
-    build_site_tls       "$WEBMAIL_HOST" "/etc/ssl/webmail" "$WEBMAIL_SITE"
+    build_webmail_tls    "$WEBMAIL_HOST" "/etc/ssl/webmail"  "$WEBMAIL_SITE"
  fi
 fi
 #if [[ "${DEV_MODE}" = "1" ]]; then