Limit gui access while keeping 80/443 open for ACME

honestlai

Hi,

I was surprised to not really find an answer to this easily, but I’m trying to block all admin gui access to the general internet while keeping 80 and 443 open for letsencrypt cert automation.

I have an NGinx reverse proxy setup in combination with a cloudflared tunnel for SSO protected web access to my web apps and plan on access the gui through this, but realized after SMTP login kept failing to authenticate that I needed the acme docker to have 80 and 443 open for authenticated certs to be generated.

Thanks,
-Matt

esackbauer

honestlai but I’m trying to block all admin gui access to the general internet

So you are cutting off users from doing their mail settings when abroad?

That is a job for a more complex reverse proxy configuration, which handles different subdirectories different…
I don’t separate these things, I have a Web Application Firewall in front of mailcow which handles intrusion attempts.

maddler

esackbauer What do you use for the WAF?

honestlai

esackbauer

I’m only using the server for relaying email addresses and for SMTP, the admin gui is really all I need access to.

I don’t mind leaving 80 and 443 open for letsencrypt, I would just like to limit the admin portal and use cloudflare’s zero trust infrastructure for logging in and protecting the gui.

esackbauer

Sophos Firewall. It is free for “home use”

maddler

esackbauer cool, will have a look!

esackbauer

honestlai
Then you should learn about reverse proxies and set up the rules based on directories/URLs etc.

esackbauer

Also you should know that port 443 is also used for ActiveSync, if your clients use that. That means that autodiscover must also be available.

honestlai

I’ve been using various implementations of nginx for years in combination with cloudflare proxy’ing, tunnels, and wildcard subdomains domains. I think what I’m getting at is asking if there is a built in method for doing what I’m asking, or if I need to manipulate nginx config files within the nginx-mailcow container directly?

maddler

No, there’s no such built-in feature. Not something you can just switch on/off at least.
You’d need to have a look at the Nginx files.

honestlai

Got it… I’ll take a look at what I find and post my results/solution here for anyone else that needs to make a change like this.

jimmy_jummy

honestlai

What I did in my case is very simple, but effective. I’ve just placed the following php code into the index.php (/opt/mailcow-dockerized/data/web) to restrict GUI access just to my home IP address (which uses DDNS:

<?php $home = gethostbyname("my.dnydns.net."); $ip_allowed = array("$home"); if(!in_array($_SERVER['REMOTE_ADDR'], $ip_allowed)) { header("HTTP/1.1 403"); include('403.php'); exit; } ?>
That’s it. Nothing else is restricted by this. Just the GUI.

Cheers…

maddler

jimmy_jummy nice one, might actually “steal” it 🙂

jimmy_jummy

maddler

Of course, mate. Enjoy!