From f07615c4a4d9a2d339d1eee73be1a3c64a6a24a5 Mon Sep 17 00:00:00 2001
From: Pierre Jaury
Date: Sat, 10 Sep 2016 12:07:32 +0200
Subject: [PATCH] Do not expose the Web admin interface by default, fixes #40
---
 .env | 3 +++
 nginx/nginx.conf | 14 ++++++++++++--
 2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/.env b/.env
index 07a8e128..61f1030c 100644
--- a/.env
+++ b/.env
@@ -42,6 +42,9 @@ FRONTEND=none
 # Choose which webmail to run if any (values: roundcube, rainloop, none)
 WEBMAIL=none
+# Expose the admin interface in publicly (values: yes, no)
+EXPOSE_ADMIN=no
+
 ###################################
 # Mail settings
 ###################################
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index d8fb2183..9c87509f 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -10,6 +10,7 @@ events {
 # Environment variables used in the configuration
 env WEBMAIL;
+env EXPOSE_ADMIN;
 http {
 # Standard HTTP configuration with slight hardening
@@ -42,6 +43,7 @@ http {
 # Load Lua variables
 set_by_lua $webmail 'return os.getenv("WEBMAIL")';
+ set_by_lua $expose_admin 'return os.getenv("EXPOSE_ADMIN")';
 # Actual logic
@@ -50,11 +52,19 @@ http {
 proxy_pass http://webmail;
 }
- return 403;
+ if ($webmail = none) {
+ return 403;
+ }
 }
 location /admin {
- proxy_pass http://admin;
+ if ($expose_admin = yes) {
+ proxy_pass http://admin;
+ }
+
+ if ($expose_admin != yes) {
+ return 403;
+ }
 }
 }
 }
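Review bot: The comment added above `EXPOSE_ADMIN=no` reads "in publicly" and does not tell the operator which values actually open the interface. The `/admin` gate in nginx/nginx.conf compares against the literal `yes`, so any other spelling (`Yes`, `true`, an empty value) keeps the interface closed, which is the safe direction but worth stating. Suggested wording: `# Expose the admin interface through the Web frontend (values: yes, no; anything other than "yes" keeps it closed)`.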
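Review bot: In `location /admin` the access decision is split across two `if` blocks with complementary tests, and `proxy_pass` now sits inside an `if`, where the nginx "If is Evil" guidance treats only `return` and `rewrite` as fully safe. A single deny check followed by an unconditional proxy keeps the same fail-closed result (an unset `EXPOSE_ADMIN` compares unequal to `yes`) with one condition to maintain: `if ($expose_admin != yes) { return 403; }` followed by `proxy_pass http://admin;`. The webmail location opens outside this hunk, so this part is inferred: if its first test is `$webmail != none`, an empty or unset `WEBMAIL` would be proxied rather than refused now that the 403 fires only on the literal `none`. Matching the accepted values explicitly there (`roundcube`, `rainloop`) and refusing everything else would make that location fail closed too.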