1 (edited by tyllee 2021-02-28 03:16:21)

Topic: NGINX Access control for iredadmin blocks newsletter subscription

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.3.2
- Deployed with iRedMail Easy or the downloadable installer? No
- Linux/BSD distribution name and version: RHEL 8.3
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? Yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

When activating the "# Access control" rules under the section [location ~ ^/iredadmin(.*)] for certain IP addresses in /etc/nginx/templates/iredadmin.tmpl, the same rules are also applied to the newsletter subscription page.

The rewrite goes to iredadmin so this behavior is expected. Can we do something about it?

Is it possible to have access control for /iredadmin and at the same time allow all IP addresses to location ~ ^/newsletter?

UPDATE: An even better solution would be to have 2FA for the iredadmin login.

/etc/nginx/templates/iredadmin.tmpl:

...
# Python scripts
location ~ ^/iredadmin(.*) {
    rewrite ^/iredadmin(/.*)$ $1 break;

    include /etc/nginx/templates/hsts.tmpl;

    include uwsgi_params;
    uwsgi_pass 127.0.0.1:7791;
    uwsgi_param UWSGI_CHDIR /opt/www/iredadmin;
    uwsgi_param UWSGI_SCRIPT iredadmin;
    uwsgi_param SCRIPT_NAME /iredadmin;

    # Access control
    allow nnn.nnn.nnn.nnn;
    deny  all;
}

[...]

# Handle newsletter-style subscription/unsubscription supported in iRedAdmin-Pro.
location ~ ^/newsletter/ {
    rewrite /newsletter/(.*) /iredadmin/newsletter/$1 last;
}


2

Re: NGINX Access control for iredadmin blocks newsletter subscription

tyllee wrote:

Is it possible to have access control for /iredadmin and at the same time allow all IP addresses to location ~ ^/newsletter?

Try to add "allow all;" inside the `location ~ ^/newsletter` block.

3 (edited by tyllee 2021-02-28 23:28:59)

Re: NGINX Access control for iredadmin blocks newsletter subscription

ZhangHuangbin wrote:
tyllee wrote:

Is it possible to have access control for /iredadmin and at the same time allow all IP addresses to location ~ ^/newsletter?

Try to add "allow all;" inside the `location ~ ^/newsletter` block.

No, not working. The purpose is to protect the "/iredadmin" interface, and if we have 2FA for iRedAdmin-Pro this would be enough.

# Handle newsletter-style subscription/unsubscription supported in iRedAdmin-Pro.
location ~ ^/newsletter/ {
    rewrite /newsletter/(.*) /iredadmin/newsletter/$1 last;
    allow all;
}
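
Why `allow all;` has no effect in the block above, as an added example that is not part of the original thread or of iRedMail's shipped templates: `rewrite ... last` starts a new location search, so the request is finally served by `location ~ ^/iredadmin(.*)` and only that block's `allow`/`deny` rules are evaluated. One possible arrangement, assuming the newsletter pages are meant to stay public and reusing the uwsgi settings posted above (the admin address is a constructed placeholder), is a more specific regex location placed before the restricted one:

```nginx
# Added example, not iRedMail's shipped template.
# Order matters: nginx tests regex locations in the order they appear and
# uses the first match, so this block must come BEFORE the generic
# `location ~ ^/iredadmin(.*)` block.

# Public: newsletter subscription/unsubscription pages only.
# The existing /newsletter/ rewrite (flag `last`) re-runs location matching
# with the URI /iredadmin/newsletter/..., which now lands here.
location ~ ^/iredadmin/newsletter/ {
    rewrite ^/iredadmin(/.*)$ $1 break;

    include /etc/nginx/templates/hsts.tmpl;

    include uwsgi_params;
    uwsgi_pass 127.0.0.1:7791;
    uwsgi_param UWSGI_CHDIR /opt/www/iredadmin;
    uwsgi_param UWSGI_SCRIPT iredadmin;
    uwsgi_param SCRIPT_NAME /iredadmin;

    # No allow/deny here: access rules are checked only in the location
    # that finally serves the request, so the restrictions below do not apply.
}

# Restricted: everything else under /iredadmin.
location ~ ^/iredadmin(.*) {
    rewrite ^/iredadmin(/.*)$ $1 break;

    include /etc/nginx/templates/hsts.tmpl;

    include uwsgi_params;
    uwsgi_pass 127.0.0.1:7791;
    uwsgi_param UWSGI_CHDIR /opt/www/iredadmin;
    uwsgi_param UWSGI_SCRIPT iredadmin;
    uwsgi_param SCRIPT_NAME /iredadmin;

    # Access control
    allow 192.0.2.10;   # constructed example address; use the real admin IP
    deny  all;
}

# Unchanged from the configuration posted above.
location ~ ^/newsletter/ {
    rewrite /newsletter/(.*) /iredadmin/newsletter/$1 last;
}
```

Run `nginx -t` before reloading, then confirm from an address outside the allow list that `/newsletter/` responds while `/iredadmin/` returns 403.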

4

Re: NGINX Access control for iredadmin blocks newsletter subscription

OK, I put 2FA on my todo list now, but I cannot guarantee when it will be implemented.

5 (edited by tyllee 2021-03-03 15:48:41)

Re: NGINX Access control for iredadmin blocks newsletter subscription

ZhangHuangbin wrote:

OK, I put 2FA on my todo list now, but I cannot guarantee when it will be implemented.

Very pleased to hear that!

We are happy with your intention to implement it, and please get back to us if you want any feedback.