Roundcube - how to block access from internet while allow from local LAN/network

[mathewfer]

Hi,

I have a working email setup on Ubuntu 24.04.2 LTS with Roundcube (I believe back-end uses Nginx) configured as Webmail. I can access HTTPS Roundcube Webmail from local LAN and from internet.

All the accesses are working as expected.

My question:
I want to fully disable "Roundcube Webmail" from internet for security reasons and only allow from LAN (or when VPN in). How can I do this?


My Internet router (Synology RT2600AC) does provide a basic firewall and configured port forwarding for port 80, 443, 587 & 993.

Port 80 and 443 is required for lets encrypt to work for certificate renewal. Therefore, it is not possible to block 80 and 443 to stop access Roundcube from internet.

I hope someone have the answer to my questions from their implementation with restricted access from Internet/outside.

[johnstvn]

You can restrict external access to Roundcube by configuring Nginx to allow only local LAN IPs. Edit your Nginx config file (e.g., /etc/nginx/sites-available/roundcube) and add:
location / {
    allow 192.168.1.0/24; # Replace with your LAN subnet
    deny all;
}
Restart Nginx (sudo systemctl restart nginx) to apply changes. For remote access, use a VPN instead of exposing Roundcube to the internet.
I hope my answer will help you.