1

Topic: Lockdown access to web interfaces

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.5-1
- Linux/BSD distribution name and version: CentOS 7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- Related log if you're reporting an issue:
====

I would like to lock down access to all available iRedMail web interfaces so that only authorized IP addresses can reach them, instead of making them publicly available at all times... I am talking about the following URLs (and anything else that I may have missed):

https://server.mydomain.com (redirects to /mail)
https://server.mydomain.com/mail
https://server.mydomain.com/sogo
https://server.mydomain.com/iredadmin

What is the best way to accomplish the above? Please let me know what exact settings need to be tweaked.

When using Apache I know one simple method is to place a .htaccess file in the root of each virtual directory to control the access (may not be the best method but it should do the trick), but with Nginx I am a little lost as to how to do it.


2

Re: Lockdown access to web interfaces

Add ACL settings in /etc/nginx/templates/roundcubemail.conf (and other *.conf if necessary).
http://nginx.org/en/docs/http/ngx_http_ … html#allow
https://www.nginx.com/resources/admin-g … ng-access/

3

Re: Lockdown access to web interfaces

ZhangHuangbin wrote:

Add ACL settings in /etc/nginx/templates/roundcubemail.conf (and other *.conf if necessary).
http://nginx.org/en/docs/http/ngx_http_ … html#allow
https://www.nginx.com/resources/admin-g … ng-access/

Thanks! I only found *.tmpl files in the location you specified. I tried editing the roundcube.tmpl file and added the following to the top of that file (example IP used below):

location / {
    allow 192.168.1.1;
    deny  all;
}

I then reload nginx and I get the following error: "nginx: [emerg] duplicate location "/" in /etc/nginx/templates/roundcube.tmpl:3"

I tried removing the '/' after the 'location' in the above configuration and it doesn't help.

However, if I remove the above code block and just do the following:

allow 192.168.1.1; deny all;

It works, but the problem is that the above doesn't apply just to roundcube... and it blocks the access to everything (I can't even get into iredadmin and sogo).

What is the right syntax I should be using in the roundcube.tmpl file to accomplish the above?

4

Re: Lockdown access to web interfaces

Add your 'allow/deny' rules in /etc/nginx/templates/roundcubemail.tmpl, inside block:

location ~ ^/mail(.*)\.php$ {
    ...
}

5

Re: Lockdown access to web interfaces

ZhangHuangbin wrote:

Add your 'allow/deny' rules in /etc/nginx/templates/roundcubemail.tmpl, inside block:

location ~ ^/mail(.*)\.php$ {
    ...
}

Thanks a lot... It now works as expected.
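
The placement discussed in this thread, written out as an added example (not part of the original posts and not iRedMail's shipped template). The second `allow` line uses a constructed placeholder network, and the block's existing directives are left elided as in the thread.

```nginx
# Constructed fragment showing placement only.
# 192.168.1.1 is the example address from the thread; 203.0.113.0/24 is a
# documentation-range placeholder for a second authorized network.

# Placement that blocked everything in the thread: rules written outside any
# location block sit at the enclosing (server) level and are inherited by
# every location that defines no allow/deny rules of its own.
#
#   allow 192.168.1.1;
#   deny  all;

# Scoped placement: the rules apply only to requests handled by this location.
location ~ ^/mail(.*)\.php$ {
    # Rules are checked top to bottom and the first match wins,
    # so every allow line must come before "deny all".
    allow 192.168.1.1;
    allow 203.0.113.0/24;
    deny  all;              # every other client receives 403 Forbidden

    # ... the block's existing directives stay as they are ...
}
```

Run `nginx -t` to validate the configuration before reloading. Because the regex matches only URIs ending in `.php`, files under /mail that are served by other location blocks are not covered by these rules.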