.env.example

@@ -33,7 +33,7 @@ SESSION_ENCRYPT=false
 SESSION_PATH=/
 # For cross-subdomain session sharing (e.g. webmail on mail.example.com):
 # SESSION_DOMAIN=.example.com
-SESSION_DOMAIN=
+SESSION_DOMAIN=null
 
 #BROADCAST_CONNECTION=log
 FILESYSTEM_DISK=local

app/Console/Commands/WizardDomains.php

@@ -67,12 +67,8 @@ class WizardDomains extends Command
             $ssl ? 1 : 0,
         ));
 
+        $helperOk   = $out !== null && !str_contains((string) $out, '[x]');
         $outStr     = (string) $out;
-        $helperOk = $out !== null
-            && !str_contains($outStr, '[x]')
-            && !str_contains($outStr, 'command not found')
-            && !str_contains($outStr, 'No such file')
-            && trim($outStr) !== '';
 
         foreach (['ui', 'mail', 'webmail'] as $key) {
             $status = file_get_contents(self::STATE_DIR . "/{$key}");
@@ -86,15 +82,12 @@ class WizardDomains extends Command
             }
         }
 
-        // Shell-Script schreibt done bereits vor dem nginx-Switch — nicht überschreiben
-        $alreadyDone = trim((string) @file_get_contents(self::STATE_DIR . '/done')) === '1';
-        if (!$alreadyDone) {
         file_put_contents(self::STATE_DIR . '/done', $helperOk ? '1' : '0');
-        }
+        Setting::set('ssl_configured', $helperOk ? '1' : '0');
-        Setting::set('ssl_configured', ($helperOk || $alreadyDone) ? '1' : '0');
 
-        // SESSION_SECURE_COOKIE wird nicht automatisch gesetzt —
+        if ($helperOk && $ssl) {
-        // nginx leitet HTTP→HTTPS weiter, Secure-Flag wird im Admin gesetzt
+            $this->updateEnv(base_path('.env'), 'SESSION_SECURE_COOKIE', 'true');
+        }
 
         return self::SUCCESS;
     }

installer.sh

@@ -76,9 +76,10 @@ footer_ok() {
   echo -e ""
   echo -e "  ${CYAN}➜  Setup-Wizard jetzt öffnen:${NC}"
   echo -e "     ${CYAN}http://${ip}/setup${NC}"
+  echo -e "     ${GREY}https://${ip}/setup${NC}  (self-signed Zertifikat)"
   echo -e ""
   echo -e "  Laravel Root:        ${GREY}${app_dir}${NC}"
-  echo -e "  Mail-TLS Cert:       ${GREY}${cert_dir}/{cert.pem,key.pem}${NC}  (Postfix/Dovecot)"
+  echo -e "  Self-signed Cert:    ${GREY}${cert_dir}/{cert.pem,key.pem}${NC}"
   echo -e "  Postfix/Dovecot:     ${GREY}25, 465, 587, 110, 995, 143, 993${NC}"
   echo -e "${GREEN}${BAR}${NC}"
   echo
@@ -725,9 +726,8 @@ if [ -n "${UI_HOST}" ] && [ "${UI_HAS_CERT}" = "1" ]; then
   cat <<CONF
 
 server {
-  listen 443 ssl;
+  listen 443 ssl http2;
-  listen [::]:443 ssl;
+  listen [::]:443 ssl http2;
-  http2 on;
   server_name ${UI_HOST};
 
   ssl_certificate     /etc/letsencrypt/live/${UI_HOST}/fullchain.pem;
@@ -740,7 +740,6 @@ server {
   location / { try_files \$uri \$uri/ /index.php?\$query_string; }
   location ~ \.php\$ {
     include snippets/fastcgi-php.conf;
-    fastcgi_param HTTPS on;
     fastcgi_pass unix:${PHP_FPM_SOCK};
   }
   location ^~ /livewire/ { try_files \$uri /index.php?\$query_string; }
@@ -753,9 +752,8 @@ if [ -n "${WEBMAIL_HOST}" ] && [ "${WM_HAS_CERT}" = "1" ]; then
   cat <<CONF
 
 server {
-  listen 443 ssl;
+  listen 443 ssl http2;
-  listen [::]:443 ssl;
+  listen [::]:443 ssl http2;
-  http2 on;
   server_name ${WEBMAIL_HOST};
 
   ssl_certificate     /etc/letsencrypt/live/${WEBMAIL_HOST}/fullchain.pem;
@@ -768,7 +766,6 @@ server {
   location / { try_files \$uri \$uri/ /index.php?\$query_string; }
   location ~ \.php\$ {
     include snippets/fastcgi-php.conf;
-    fastcgi_param HTTPS on;
     fastcgi_pass unix:${PHP_FPM_SOCK};
   }
   location ^~ /livewire/ { try_files \$uri /index.php?\$query_string; }
@@ -778,22 +775,6 @@ CONF
 fi
 ) > "${NGINX_SITE}"
 
-# State-Dateien VOR dem nginx-Switch schreiben:
-# Browser-Poll (alle 2s) liest done=1 → Polling stoppt → "Zum Login" erscheint.
-# Danach 6s sleep → nginx switchet auf HTTPS → User klickt Link → funktioniert.
-STATE_DIR="/var/lib/mailwolt/wizard"
-if [ -d "${STATE_DIR}" ]; then
-  for k in ui mail webmail; do
-    [ -f "${STATE_DIR}/${k}" ] && printf "done" > "${STATE_DIR}/${k}"
-  done
-  if [ "${UI_HAS_CERT}" = "1" ] || [ "${WM_HAS_CERT}" = "1" ]; then
-    printf "1" > "${STATE_DIR}/done"
-  else
-    printf "0" > "${STATE_DIR}/done"
-  fi
-  sleep 6
-fi
-
 nginx -t && systemctl reload nginx
 HELPER
 chmod 755 /usr/local/sbin/mailwolt-apply-domains
@@ -805,7 +786,6 @@ install -m 755 "${APP_DIR}/update.sh" /usr/local/sbin/mailwolt-update
 cat > /etc/sudoers.d/mailwolt-certbot <<'SUDOERS'
 www-data ALL=(root) NOPASSWD: /usr/local/sbin/mailwolt-apply-domains
 www-data ALL=(root) NOPASSWD: /usr/local/sbin/mailwolt-update
-www-data ALL=(root) NOPASSWD: /usr/bin/certbot
 SUDOERS
 chmod 440 /etc/sudoers.d/mailwolt-certbot
 
@@ -915,6 +895,7 @@ check process nginx with pidfile /run/nginx.pid
   start program = "/bin/systemctl start nginx"
   stop  program = "/bin/systemctl stop nginx"
   if failed host 127.0.0.1 port 80 type tcp for 2 cycles then restart
+  if failed host 127.0.0.1 port 443 type tcpssl for 2 cycles then restart
   if 5 restarts within 10 cycles then alert
 
 check process fail2ban with pidfile /run/fail2ban/fail2ban.pid

resources/views/livewire/setup/wizard.blade.php

@@ -292,12 +292,10 @@
     </div>
     @elseif($step === 5 && $setupDone)
     <div style="display:flex;justify-content:flex-end;margin-top:20px">
-        {{-- Kein wire:click — plain Link damit kein Livewire-POST nötig ist.
+        <button wire:click="goToLogin" class="mbx-btn-primary" style="font-size:12.5px;width:fit-content">
-             nginx leitet /login nach SSL-Switch automatisch auf HTTPS weiter. --}}
-        <a href="/login" class="mbx-btn-primary" style="font-size:12.5px;width:fit-content;text-decoration:none;display:inline-flex;align-items:center;gap:6px">
             <svg width="12" height="12" viewBox="0 0 12 12" fill="none"><path d="M2 6.5l2.5 2.5 5.5-5.5" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/></svg>
             {{ collect($domainStatus)->contains(fn($s) => in_array($s, ['error','nodns','noipv6'])) ? 'Trotzdem zum Login' : 'Zum Login' }}
-        </a>
+        </button>
     </div>
     @endif