Subdomain, non-default port

Discussion in 'General' started by TonyG, Jan 9, 2021.

  1. TonyG

    TonyG Active Member

    On installing Roundcube, we have an Apache roundcube.conf file that applies to all vhosts. So any.domain.tld/webmail can access email. I like that for some applications. For other purposes, like internal-only email, I prefer to lock down access to mail using socket ports. With port 8081 already active for Apps, and in use with Rspamd, I figured it would be elegant to use 8081 for mail. Port 8081 is currently locked down.

    Making a long story short, for a change, I created a 'mail' vhost subdomain on my master ISPConfig server. That has its own cert. Then I copied and tweaked the roundcube.conf settings into the 'mail' Apache directives. So now that one mail.domain.tld.conf file has VirtualHosts for :80, :443, and :8081. That's working. We can now go to mail.domain.tld:8081/webmail for secure access, and I've disabled roundcube.conf to eliminate any.domain.tld/webmail (which collides with some apps anyway).

    This seems to me to be really inelegant. I don't feel like I'm using ISPConfig for its features. I feel like I'm using a hack to get ISPConfig to do something that it is not yet prepared to do.

    Did I do that right? Is there a better way to add another VirtualHost with a different port to an existing subdomain? Might it be worthwhile to create an enhancement that allows creating a new VirtualHost under an existing subdomain, rather than pasting in free-form text directives?

    Should we avoid putting stuff into the Apps space like that?

    And it doesn't look like the _default_:8081 settings from apps.vhost are used in a separate VirtualHost *:8081. I had to duplicate relevant settings to get it to work. Is that expected?

    Thanks for the tooling that allows me to do this better, if not elegantly. :)
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    There is currently not a better way to do this for one vhost alone.

    I would do this differently though, just allow access to webmail from IPs you trust using Apache:
    Code:
    <RequireAny>
     Require all denied
     # home
     Require ip 1.2.3.4
    </RequireAny>
     
  3. TonyG

    TonyG Active Member

    Thanks for the confirmation @Th0m.
    That's certainly an option for some applications. At this point in my development I'm controlling access to anything administrative with a network-level Security Group. So once I establish the pattern of making specific sites and functionality available on a specific port, I don't need to modify Apache directives. From there I have IPTables managing blacklisting IP addresses/blocks. When I'm out of development mode, and most sites need to be on standard :80/:443, then yes, whitelist/blacklist fine-tuning in RequireAny, .htaccess, and individual applications will be useful.

    Thanks!
     
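The two approaches in this thread can be layered: a dedicated :8081 VirtualHost for mail.domain.tld that also carries the source-IP allowlist. The following is an added example, not taken from any post above and not ISPConfig's own configuration. It assumes `Listen 8081` is already declared for the apps vhost and that Roundcube lives in `/var/lib/roundcube`; the certificate paths are placeholders and `203.0.113.0/24` is a constructed sample range.

```apache
# Added example (assumptions: Listen 8081 already exists for the apps vhost;
# Roundcube path and certificate paths are placeholders to replace).
<VirtualHost *:8081>
    ServerName mail.domain.tld

    # Directives set inside another <VirtualHost> block (such as the
    # _default_:8081 apps vhost) are not inherited by this one, so TLS
    # and access control have to be stated again here.
    SSLEngine on
    # PLACEHOLDER certificate paths
    SSLCertificateFile    /path/to/mail.domain.tld.crt
    SSLCertificateKeyFile /path/to/mail.domain.tld.key

    # ASSUMED Roundcube install directory
    Alias /webmail /var/lib/roundcube

    <Directory /var/lib/roundcube>
        Options -Indexes
        # Second layer behind the network-level filter: only listed
        # sources are authorized, everyone else receives 403.
        <RequireAny>
            # home (address from the reply above)
            Require ip 1.2.3.4
            # office range (constructed sample value)
            Require ip 203.0.113.0/24
        </RequireAny>
    </Directory>

    # Regex sections merge after <Directory>, so this overrides the
    # allowlist and keeps Roundcube's internal directories unreachable
    # even for trusted sources.
    <DirectoryMatch "^/var/lib/roundcube/(config|temp|logs)/">
        Require all denied
    </DirectoryMatch>
</VirtualHost>
```

Run `apachectl configtest` before reloading. A request to mail.domain.tld:8081/webmail from an unlisted address should then return 403 even when the port itself is reachable.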
