Non-HTTPS static site (no SSL or box URLs)

I’d really like to serve my static site without SSL and all the Mail-in-a-box endpoints such as /admin, /cloud, and /mail, but that doesn’t seem to be the way Mail-in-a-box is configured. For example:

https://box.example.com - is the location of all Box specific functionality and http://example.com is where the static site lives.

Here’s why I want to set it up this way:

  • I don’t want to have to buy two certs, or get a multi-domain cert if I don’t have to
  • I don’t want the endpoints for the various Box apps conflicting with my website
  • I see no real reason to encrypt my static site

I checked out the nginx config, and it is trivial to do (basically don’t do anything in the SSL section of the config), but as it states in the file, it will get re-generated and overwrite any custom configuration, no matter how trivial.

So here are my questions:

  • Is there any particular reason that SSL is required for the main host?
  • Why can’t I change it/why must the config be constantly re-generated?
  • Is there some other way to disable SSL for the static site/top level host?

If this cannot truly be achieved, what was the way it was intended to be configured?

Thanks!

Hi @dustinboston,

Is there any particular reason that SSL is required for the main host?

Pretty much everything in the project is required. There are essentially no configuration options, and that’s because I want Mail-in-a-Box to be easy to set up and because I don’t have the capacity to run a more complex project.

The web is quickly moving to SSL everywhere, for good reason. Putting any part of a system on HTTP jeopardizes the security of the whole system. So the choice between using HTTPS or not, given the goal of the project to promote privacy and security, is easy.

Why can’t I change it/why must the config be constantly re-generated?

It’s regenerated in response to actions taken on the control panel — adding additional domains, installing SSL certificates, changing the web root. These things all require changing the nginx config, and, at least so far, it is far too complex to try to preserve user settings while updating it.

I discourage changing it because I don’t have time to provide general system administration support here when something goes wrong on a box whose configuration has been changed.

Is there some other way to disable SSL for the static site/top level host?

The project’s goals don’t really include providing a web solution at all — static web hosting is included because it sort of comes for free. (The box is already listening on the web ports for other reasons — it might as well provide content.) You can’t disable SSL, but for a more complex setup, you can host the website on another server: using the Custom DNS page in the control panel, set an A record for the domain to point to the IP address of a different machine (and if applicable an AAAA record to the other machine’s IPv6 address).

If this cannot truly be achieved, what was the way it was intended to be configured?

The box is not intended to be configured outside of the control panel. As I say on the website: “My long-term goal is to make this a one-click install with no customization options so anyone can do it.”

Well put! No arguments here. :smile: To your point: I installed and “set up” the whole thing in about 4 hours, and most of that was spent waiting for DNS. I think you’ve really nailed it, and your constraints are dead on. Maybe you could elaborate on these particular items in the FAQ?

Thanks. I appreciate all that.

I’ve updated the website / setup guide a bit to make this clearer in the meanwhile.

Hi Josh,
I’ve recently installed mailinabox and have to say I’m loving what it says on the box (a gmail replacement). More importantly, it delivers it easily. I’ve spent way too many hours looking at iredmail, kolab, DIY, etc trying to make a gmail replacement a viable option.

I can’t believe how easy it is to add a new domain (i.e. add an email account!)

HOWEVER… :wink:

I also think that needing HTTPS for static websites (i.e. particularly the secondary non-admin ones) is a little overkill. It basically locks out using the ‘static web’ as just that.
I have heaps of very static websites with email behind them all and am not able to embrace mailinabox completely for sites like “auntyfloes-needlework-haven.com”. It would be awesome if there was a way to specify it as an option somewhere to NOT redirect HTTP to HTTPS for non-default sites serving static content.

Of course, you’re right in thinking that “where does such reasoning stop”? Others will want mysql/maria/postgres, etc, etc.

So maybe it would be best if there were a way for us to be able to ‘hook’ changes into the mailinabox setup system as a post-configuration script? This way, we could do some pretty imaginative things to the ‘base-install’ of mailinabox (e.g. add different roundcube skins, or disable HTTP redirect for some sites, etc.). Of course, this is all outside the scope of what you’re willing to support, and I don’t think anyone would disagree with such statements.
What do you think?

Hi. I don’t have anything to add beyond what I’ve already written earlier in the thread.