How do I restrict access to /admin?

I want to restrict access to the control panel interface to the IP address range of my ISP. At least, that seems like a sensible thing to do in terms of security. How do I do that on v76?

Thanks in advance.

There’s no built-in thing. But you could hack the nginx configuration to block access to /admin in this way (I don’t know how, though).
Note such a change would probably be overwritten by a nightly script, so that has to be taken into account as well.

Here’s something else that will secure the admin account … MIAB already has two-factor authentication that (if activated) applies to the admin pages (not to email access).

Go to admin / Mail & Users / Two-Factor Authentication.


True, but you can never have too much security, eh?
I tried to lock it down in nginx, the configuration looks okay but evidently doesn’t work in practice. I’ll try again.

I have tried to modify the nginx conf, but indeed, it will be overwritten. 2FA does not help much when one day some bug is found in the login logic (or somewhere) of the admin interface or API. All the MIAB installs will be hacked at once. That’s something that bothers me. In my book, everything not needed by the users (starting from ssh) must be closed or hidden from the world, and there is no need to advertise what exact software you are using like MIAB does in the SMTP banner. Actually, there is a full list of security-tightening things I do before each install or update. Unfortunately MIAB does everything in its power to overwrite them.


Right, I got it working.

edit /etc/nginx/conf.d/local.conf

change this

location /admin/ {
    proxy_pass http://127.0.0.1:10222/;
    proxy_set_header X-Forwarded-For $remote_addr;
    add_header X-Frame-Options "DENY";
    add_header X-Content-Type-Options nosniff;
    add_header Content-Security-Policy "frame-ancestors 'none';";
}

to

location /admin/ {
    allow v.x.y.z/20;
    deny all;

    proxy_pass http://127.0.0.1:10222/;
    proxy_set_header X-Forwarded-For $remote_addr;
    add_header X-Frame-Options "DENY";
    add_header X-Content-Type-Options nosniff;
    add_header Content-Security-Policy "frame-ancestors 'none';";
}

Do the same in /root/mailinabox/conf/nginx-primaryonly.conf

change this

location /admin/ {
    proxy_pass http://127.0.0.1:10222/;
    proxy_set_header X-Forwarded-For $remote_addr;
    add_header X-Frame-Options "DENY";
    add_header X-Content-Type-Options nosniff;
    add_header Content-Security-Policy "frame-ancestors 'none';";
}

to this

location /admin/ {
    allow v.x.y.z/20;
    deny all;

    proxy_pass http://127.0.0.1:10222/;
    proxy_set_header X-Forwarded-For $remote_addr;
    add_header X-Frame-Options "DENY";
    add_header X-Content-Type-Options nosniff;
    add_header Content-Security-Policy "frame-ancestors 'none';";
}

where v.x.y.z/20 is the subnet you want to allow access to.

Then restart nginx and run sudo mailinabox for good measure.


Nice!
Note you’ll need to run some arcane git command when you want to upgrade MiaB. Also, in the last section

Should that probably be only one allow?

Well spotted, that was a copy & paste error.

I think I’ll knock up a bash script that adds those lines to those files using sed for future use.
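One way to script the re-apply step described in this thread, as an added example that is not code from the thread or from Mail-in-a-Box: the function inserts the allow/deny pair at the top of the "location /admin/ {" block, skips files that already carry it (so it is safe to re-run after the nightly script or sudo mailinabox rewrites the config), and refuses to touch a file with no /admin/ block. The file paths and the CIDR 203.0.113.0/24 in the usage comment are placeholders; substitute your own.

```shell
#!/bin/sh
# Example, not Mail-in-a-Box code: restrict nginx's /admin/ location to one CIDR.
# Usage: restrict_admin FILE CIDR
#   restrict_admin /etc/nginx/conf.d/local.conf 203.0.113.0/24
#   restrict_admin /root/mailinabox/conf/nginx-primaryonly.conf 203.0.113.0/24
# (203.0.113.0/24 is a documentation range used here as a placeholder.)

restrict_admin() {
    file="$1"
    cidr="$2"
    tmp="$file.tmp.$$"

    # Only edit files that actually contain the admin location block.
    grep -q '^[[:space:]]*location /admin/ {' "$file" || {
        echo "no 'location /admin/' block in $file" >&2
        return 1
    }

    # Idempotent: this CIDR is already allowed, nothing to do.
    if grep -qF -- "allow $cidr;" "$file"; then
        return 0
    fi

    # Emit "allow <cidr>; deny all;" directly after the block's opening line,
    # indented one level deeper than the location line, so the access rules
    # are evaluated before the request is proxied to the admin backend.
    awk -v cidr="$cidr" '
        { print }
        /^[[:space:]]*location \/admin\/ [{]/ {
            match($0, /^[[:space:]]*/)
            indent = substr($0, 1, RLENGTH) "    "
            print indent "allow " cidr ";"
            print indent "deny all;"
            print ""
        }
    ' "$file" > "$tmp" && cat "$tmp" > "$file" && rm -f "$tmp"
}

# Validate the configuration and reload only on a host where nginx exists.
reload_if_valid() {
    command -v nginx >/dev/null 2>&1 || return 0
    nginx -t && systemctl reload nginx
}

# Run directly: restrict_admin "$1" "$2"; otherwise functions are just defined.
if [ "$#" -ge 2 ]; then
    restrict_admin "$1" "$2" && reload_if_valid
fi
```

An existing allow line for a different CIDR is left in place, so changing ranges means removing the old line by hand first.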
