Restricting by IP to shared host single website webmail


#1

I am attempting to restrict access to the webmail “folder” (actually an Alias in Apache config), but only for a single website on my server which is hosting several other unrelated websites. I am using the very latest Symbiosis.

I have seen the thread “Putting Roundcube under a subdomain”, but it doesn’t quite help, as I need to provide open access to the other websites’ webmail as normal.

Is there any way to keep the Alias and apply a different set of access-controls just on a specific domain/website? Or would the Alias need to be removed and specific access controls set on every single website/domain?

Thanks in advance.


#2

There are two ways we could do that, either by modifying the particular site’s vhost in /etc/apache2/sites-enabled/domain.com.conf, or the webmail config in /etc/apache2/conf-enabled/symbiosis-webmail.conf. The latter is probably better in most cases as we then wouldn’t run into issues with Symbiosis not touching the vhost for SSL renewals (since we’d manually modified it).

If we wanted to modify the vhost, we could add this block in domain.com.conf (for both the :80 and :443 VirtualHost blocks):

<Location /webmail>
  Require ip 1.2.3.4
</Location>

Or if we wanted to change symbiosis-webmail.conf:

<If "%{HTTP_HOST} =~ m#.*domain.com#">
  Require ip 1.2.3.4
</If>

#3

Superb, thank you, I will give the symbiosis-webmail.conf method a go, but not today, day off.


#4

I applied this restriction (symbiosis-webmail.conf) over the weekend, and it appears to have restricted access to the entire website to just myself.

I tested this by removing the restriction, and restarting apache, and suddenly the website was accessible by all again.

Edit: Further, I have just proven this to be true, by re-running the fun under a less important domain, and as soon as I added the IP restriction to the symbiosis-webmail.conf file, I could neither access webmail (correct) nor any other part of the site (incorrect).


#5

Ah sorry, when modifying symbiosis-webmail.conf we’d need to add an additional check if we were only wanting to restrict access to domain.com/webmail rather than domain.com entirely. One way we can do that is with a <Location> block, so we might have:

Alias /webmail /var/www/webmail

<Location /webmail>

  <If "%{HTTP_HOST} =~ m#.*domain.com#">
    Require ip 1.2.3.4
  </If>

</Location>

More recent versions of Apache (2.4.26 onward) should support nested If blocks, so we should then be able to have this instead:

Alias /webmail /var/www/webmail

<If "%{HTTP_HOST} =~ m#.*domain.com#">
  <If "%{REQUEST_URI} =~ /webmail/">
    Require ip 1.2.3.4
  </If>
</If>

#6

I can confirm that this is now working as expected, thank you.
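
Added example, not part of the thread or of Symbiosis: a Python model of the nested `<If>` conditions from post #5, run over constructed Host/path pairs to show which requests the `Require ip` rule would cover. It compares the thread's patterns with a tightened pair (anchored, dots escaped, case-insensitive host match, since hostnames are case-insensitive). Assumptions: the tightened patterns are this example's own, `%{HTTP_HOST}` carries the Host header as sent, and Python's `re` behaves like Apache's regex engine for these simple patterns.

```python
import re

# Patterns as written in post #5. Apache's =~ is an unanchored, case-sensitive
# search, and "/webmail/" in an expression is the regex `webmail`.
PAGE_HOST = re.compile(r".*domain.com")
PAGE_URI = re.compile(r"webmail")

# Tightened alternative (assumption, not from the thread); in Apache syntax:
#   <If "%{HTTP_HOST} =~ m#^([a-z0-9-]+\.)*domain\.com(:[0-9]+)?$#i">
#   <If "%{REQUEST_URI} =~ m#^/webmail(/|$)#">
TIGHT_HOST = re.compile(r"^([a-z0-9-]+\.)*domain\.com(:[0-9]+)?$", re.I)
TIGHT_URI = re.compile(r"^/webmail(/|$)")


def ip_rule_applies(host, uri, host_re, uri_re):
    """Model of the nested <If> blocks: True when 'Require ip' is evaluated."""
    return bool(host_re.search(host) and uri_re.search(uri))


# Constructed sample requests: (Host header, request path).
SAMPLES = [
    ("domain.com", "/webmail/"),            # the site to restrict
    ("www.domain.com:443", "/webmail"),     # subdomain, port, no trailing slash
    ("DOMAIN.COM", "/webmail/"),            # same site, different case
    ("mydomain.com", "/webmail/"),          # a different site on the shared host
    ("domain.com", "/blog/webmail-setup"),  # not webmail, but contains the word
    ("other.org", "/webmail/"),             # unrelated site, must stay open
]


def compare():
    """Return (host, uri, thread_patterns_apply, tightened_patterns_apply)."""
    return [
        (host, uri,
         ip_rule_applies(host, uri, PAGE_HOST, PAGE_URI),
         ip_rule_applies(host, uri, TIGHT_HOST, TIGHT_URI))
        for host, uri in SAMPLES
    ]


if __name__ == "__main__":
    for host, uri, page, tight in compare():
        print(f"{host:20} {uri:22} thread={page!s:5} tightened={tight}")
```

Rows where the two columns differ are the cases to re-test against the live server after any change to symbiosis-webmail.conf.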