Do not expose the Web admin interface by default, fixes #40

8 years ago · f07615c4a4
parent ec5a75f603
commit f07615c4a4
2 changed files with 15 additions and 2 deletions
--- a/.env
+++ b/.env
@ -42,6 +42,9 @@ FRONTEND=none
 # Choose which webmail to run if any (values: roundcube, rainloop, none)
 WEBMAIL=none

+# Expose the admin interface in publicly (values: yes, no)
+EXPOSE_ADMIN=no
+
 ###################################
 # Mail settings
 ###################################
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@ -10,6 +10,7 @@ events {

 # Environment variables used in the configuration
 env WEBMAIL;
+env EXPOSE_ADMIN;

 http {
    # Standard HTTP configuration with slight hardening
@ -42,6 +43,7 @@ http {

      # Load Lua variables
      set_by_lua $webmail 'return os.getenv("WEBMAIL")';
+      set_by_lua $expose_admin 'return os.getenv("EXPOSE_ADMIN")';

      # Actual logic

@ -50,11 +52,19 @@ http {
          proxy_pass http://webmail;
        }

-        return 403;
+        if ($webmail = none) {
+          return 403;
+        }
      }

      location /admin {
-        proxy_pass http://admin;
+        if ($expose_admin = yes) {
+          proxy_pass http://admin;
+        }
+
+        if ($expose_admin != yes) {
+          return 403;
+        }
      }
    }
 }