Fix resources isues 22
This commit is contained in:
@@ -9,29 +9,46 @@ metadata:
|
||||
environment: production
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: letsencrypt-production
|
||||
# Proxy settings for large attachments and long connections
|
||||
nginx.ingress.kubernetes.io/proxy-body-size: "100m"
|
||||
nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
|
||||
nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
|
||||
nginx.ingress.kubernetes.io/proxy-connect-timeout: "60"
|
||||
# SSL redirect
|
||||
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
|
||||
nginx.ingress.kubernetes.io/ssl-redirect: "true"
|
||||
# CRITICAL: Headers for Mailu compatibility to fix webmail redirect loop
|
||||
# CRITICAL: Disable proxy buffering for webmail streaming/long-polling
|
||||
# This prevents the "stuck loading" issue with Roundcube webmail
|
||||
# Reference: https://github.com/Mailu/Mailu/issues/2850
|
||||
nginx.ingress.kubernetes.io/proxy-buffering: "off"
|
||||
nginx.ingress.kubernetes.io/proxy-request-buffering: "off"
|
||||
# WebSocket support for webmail real-time features
|
||||
nginx.ingress.kubernetes.io/proxy-http-version: "1.1"
|
||||
nginx.ingress.kubernetes.io/upstream-hash-by: "$remote_addr"
|
||||
# CRITICAL: Configuration snippet for Mailu header handling
|
||||
# Fixes redirect loops by ensuring Mailu sees the correct protocol
|
||||
# Reference: https://mailu.io/2.0/reverse.html
|
||||
nginx.ingress.kubernetes.io/configuration-snippet: |
|
||||
# Set proper headers for Mailu
|
||||
more_set_headers "X-Forwarded-Proto $scheme";
|
||||
more_set_headers "X-Forwarded-Port $server_port";
|
||||
more_set_headers "X-Original-Forwarded-For $http_x_forwarded_for";
|
||||
# CRITICAL: Force X-Forwarded-Proto to https to prevent redirect loops
|
||||
# Mailu's internal nginx checks this header to decide if redirect is needed
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_set_header X-Forwarded-Port 443;
|
||||
proxy_set_header X-Forwarded-Ssl on;
|
||||
|
||||
# Handle redirects properly to prevent loops for webmail
|
||||
proxy_redirect https://$host https://$host;
|
||||
proxy_redirect http://$host https://$host;
|
||||
|
||||
# Ensure proper host header
|
||||
# Real IP headers for Mailu logging and rate limiting
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
# Additional proxy settings for Mailu
|
||||
nginx.ingress.kubernetes.io/proxy-set-headers: "X-Forwarded-Proto https"
|
||||
|
||||
# Fix redirects from Mailu internal services (admin, webmail)
|
||||
# Don't add trailing slash to prevent 404 on redirects
|
||||
proxy_redirect http://localhost https://$host;
|
||||
proxy_redirect https://localhost https://$host;
|
||||
proxy_redirect http://$host https://$host;
|
||||
|
||||
# Disable buffering for streaming responses (webmail)
|
||||
proxy_buffering off;
|
||||
proxy_cache off;
|
||||
spec:
|
||||
ingressClassName: nginx
|
||||
tls:
|
||||
|
||||
@@ -103,18 +103,24 @@ replicaCount: 1 # Can be increased in production as needed
|
||||
secretKey: "generate-strong-key-here-for-production"
|
||||
|
||||
# Ingress configuration for production - disabled to use with existing ingress
|
||||
# External nginx-ingress handles TLS termination and proxies to Mailu front
|
||||
ingress:
|
||||
enabled: false # Disable chart's Ingress; use existing one
|
||||
enabled: false # Disable chart's Ingress; use existing mailu-ingress.yaml
|
||||
tls: false # Disable TLS in chart since ingress handles it
|
||||
tlsFlavorOverride: notls # No TLS on internal NGINX; expect external proxy to handle TLS
|
||||
realIpHeader: X-Forwarded-For # Header for client IP from your Ingress
|
||||
realIpFrom: 0.0.0.0/0 # Trust all proxies (restrict to your Ingress pod CIDR for security)
|
||||
tlsFlavorOverride: notls # No TLS on internal NGINX; external ingress handles TLS
|
||||
# CRITICAL: Real IP header configuration for proper client IP detection
|
||||
# This must match the header set by nginx-ingress (X-Real-IP)
|
||||
# Reference: https://mailu.io/2.0/reverse.html
|
||||
realIpHeader: X-Real-IP
|
||||
realIpFrom: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16" # Trust cluster pod CIDRs
|
||||
path: /
|
||||
pathType: ImplementationSpecific
|
||||
|
||||
# TLS flavor for production (uses Let's Encrypt)
|
||||
# TLS flavor for production
|
||||
# "notls" because external ingress handles TLS termination
|
||||
# The ingress sends X-Forwarded-Proto: https to tell Mailu the original protocol
|
||||
tls:
|
||||
flavor: "cert"
|
||||
flavor: "notls"
|
||||
|
||||
# Welcome message (enabled in production)
|
||||
welcomeMessage:
|
||||
|
||||
Reference in New Issue
Block a user