Summary
When the Mailcow UI attempts to check the current version, it encounters (if set up) an issue due to the Content Security Policy (CSP) restrictions (when it is used by the user and https://api.github.com isn't allowed). Specifically, CSP does not support path-specific connect-src directives, which prevents the Mailcow UI from connecting to the necessary GitHub API endpoint (https://api.github.com/repos/mailcow/mailcow-dockerized/releases/tags/...).
Current CSP Configuration Example:
Motivation
By implementing this solution, the Mailcow UI will be able to check the current version without violating the CSP. This solution maintains the security benefits of CSP while enabling the necessary functionality for Mailcow.
Additional context
Proposed Solution:
There are two potential solutions to this issue:
Set Up a Reverse Proxy on the Mailcow Server:
Create a proxy configuration on the server where Mailcow is hosted, which routes requests to the required GitHub API endpoint:
Create a Dedicated API Endpoint (e.g., api.mailcow.de):
Set up a dedicated API endpoint that proxies the necessary requests. This could be managed by the Mailcow maintainers to ensure consistency and security. For example, https://api.mailcow.de/repos/mailcow/version could proxy the requests to the GitHub API.
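An added illustration of the first option above (not part of the original issue and not mailcow's shipped configuration): an nginx fragment that exposes only the release-tag lookup under a same-origin path, so the CSP can keep `connect-src 'self'`. The local path `/gh-release/`, the CA bundle location and the assumption that the UI would be changed to fetch from that path are all hypothetical.

```nginx
# Added example. Place inside the server { } block that serves the mailcow UI.
# Assumption: the UI requests /gh-release/<tag> instead of calling
# api.github.com directly. /gh-release/ is a hypothetical path.

# connect-src stays same-origin; api.github.com never has to be listed.
add_header Content-Security-Policy "default-src 'self'; connect-src 'self'" always;

location /gh-release/ {
    # Read-only lookup: reject every method except GET (HEAD is implied).
    limit_except GET { deny all; }

    # The URI part of proxy_pass replaces the matched /gh-release/ prefix,
    # so requests map only onto the releases/tags/ endpoint of this one
    # repository, not onto the GitHub API as a whole.
    proxy_pass https://api.github.com/repos/mailcow/mailcow-dockerized/releases/tags/;

    # Verify the upstream certificate; nginx does not do this by default.
    proxy_ssl_server_name on;
    proxy_ssl_verify on;
    proxy_ssl_verify_depth 3;
    # Placeholder CA bundle path (Debian-style); adjust for the host.
    proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

    # Do not leak the admin's mailcow session or credentials to GitHub:
    # an empty value stops nginx from passing the header upstream.
    proxy_set_header Cookie "";
    proxy_set_header Authorization "";

    # A version check needs no request body.
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";

    # Do not let upstream cookies land on the mailcow origin.
    proxy_hide_header Set-Cookie;
}
```

Because the proxy answers from the mailcow origin, anything it returns is treated as same-origin content by the browser, which is why the fragment pins the upstream path and strips cookies in both directions.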