Create New Document

Document Type

Document Title The title of your document (will be displayed as H1)

Document Slug URL-friendly name (no spaces, use dashes)

Document Path Path where to create document (optional, use forward slashes to create subdirectories)

Move/Rename Document

Delete Document

Are you sure you want to delete this document? This action cannot be undone.

Warning: If this is a folder, all contents including subfolders and documents will be deleted.

Message

Message content goes here.

Confirm Action

Are you sure?

Attachments

Document Files

Loading attached files...

Document History

Previous Versions

Loading versions...

Preview

Select a version to preview

Wiki Settings

Wiki Title

Owner

Copyright Notice

Timezone

Interface Language

Language for the user interface

Document Versions Number of versions to keep per document. Set to 0 to disable versioning.

Max File Upload Size Maximum allowed file size for uploads in MB.

Private wiki (requires login to view)

Disable comments system-wide

Disable File Upload Checking

Enable link embedding from clipboard

Hide attachments section in documents

Use full width for content on Desktop (disable 900px limit)

User Management

Add New User

Username

Password Leave empty to keep current password

User Role

Access Groups

Users with these groups can access restricted sections.

Define path-based access rules for sections of your wiki, then assign users to groups in the Users tab. Rules are evaluated in order. First match wins.

Active Rules

Import markdown files from a ZIP archive. Files will be processed and stored in the appropriate document structure. Directory structure in the ZIP (category/subcategory) will be preserved in the wiki.

Select ZIP Archive Upload a ZIP file containing markdown (.md) files to import.

Create and manage backups of your wiki data. Backups include all documents, images, and configuration files.

Available Backups

Loading backups...

Add/Edit Access Rule

Select Folder

Selected: /

Match Type

This document only

This document and all sub documents

Direct children only

Access Level

Public (Everyone can view)

Private (Any authenticated user)

Restricted (Users)

Access Groups

Description

Add Column

Add Link

URL

The web address of the link (required)

Title Display title for the link (auto-filled from URL if empty)

Description Optional description shown below the title

Category

Group this link under a category section

Home › 5 Snippets › Apache2 PostfixAdmin Security Configuration

Apache2 PostfixAdmin Security Configuration ¶

Security Enhancements Applied ¶

1. Network Binding ¶

Listen only on 127.0.0.1:8080 (not *:8080)
Prevents direct internet access to Apache
Only nginx can proxy to it

2. PHP Security Settings ¶

✅ expose_php off - Hides PHP version in headers
✅ display_errors off - No error messages to users
✅ log_errors on - Logs to /var/log/apache2/postfixadmin-php-error.log
✅ Upload limits: 10MB max
✅ Execution timeout: 300s
✅ Memory limit: 256MB

3. File Access Restrictions ¶

✅ Blocks hidden files (.git, .env, .htaccess)
✅ Blocks backup files (.bak, .sql, .swp, ~)
✅ Blocks config files (.ini, .config)
✅ Blocks setup.php (uncomment after initial setup)
✅ Directory listing disabled (-Indexes)

4. Upload Directory Protection ¶

✅ PHP execution disabled in /uploads
✅ Blocks all script execution (.php, .py, .pl, .sh, .cgi)

5. Proxy Integration ¶

✅ mod_remoteip captures real client IP from nginx
✅ Proper logging of actual user IPs (not 127.0.0.1)

6. HTTP Security Headers ¶

✅ X-Content-Type-Options: nosniff
✅ X-Frame-Options: SAMEORIGIN
✅ X-XSS-Protection: 1; mode=block
✅ ServerSignature Off (hides Apache version)

Required Apache Modules ¶

Enable these modules before deployment:

# Enable required modules
sudo a2enmod headers
sudo a2enmod remoteip
sudo a2enmod rewrite

# Restart Apache
sudo systemctl restart apache2

Update /etc/apache2/ports.conf ¶

Ensure Apache only listens on localhost:

# Change from:
# Listen 8080

# To:
Listen 127.0.0.1:8080

Test configuration:

sudo apachectl configtest
sudo systemctl restart apache2

Verify Security ¶

1. Check Apache is not publicly accessible ¶

# This should fail (connection refused):
curl http://your-server-ip:8080

# This should work (only from localhost):
curl http://127.0.0.1:8080

2. Test blocked files ¶

# Should return 403 Forbidden:
curl -I https://mailadmin.xaos.it/.env
curl -I https://mailadmin.xaos.it/config.inc.php.bak
curl -I https://mailadmin.xaos.it/.git/config

3. Verify PHP settings ¶

Create /var/www/html/postfixadmin/public/phpinfo-test.php:

<?php
phpinfo();
?>

Access it, verify:

expose_php = Off
display_errors = Off
upload_max_filesize = 10M
post_max_size = 10M

Delete the file immediately after testing!

4. Check real IP logging ¶

# Access the site from external IP
# Then check Apache logs show real IP, not 127.0.0.1:
sudo tail /var/log/apache2/postfixadmin-access.log

Post-Setup Hardening ¶

1. Block setup.php ¶

After PostfixAdmin setup is complete, uncomment lines 52-54 in apache2-postfixadmin.conf:

<Files "setup.php">
  Require all denied
</Files>

Reload Apache:

sudo systemctl reload apache2

2. Remove setup.php entirely (recommended) ¶

sudo rm /var/www/html/postfixadmin/public/setup.php

3. Set strict file permissions ¶

# Set ownership
sudo chown -R www-data:www-data /var/www/html/postfixadmin

# Files: read-only for web server
sudo find /var/www/html/postfixadmin -type f -exec chmod 644 {} \;

# Directories: executable
sudo find /var/www/html/postfixadmin -type d -exec chmod 755 {} \;

# Config file: restrict access
sudo chmod 640 /var/www/html/postfixadmin/config.inc.php

# Templates cache: writable
sudo chmod 770 /var/www/html/postfixadmin/templates_c

4. Monitor PHP error log ¶

# Watch for PHP errors and attacks
sudo tail -f /var/log/apache2/postfixadmin-php-error.log

5. Regular updates ¶

# Keep PostfixAdmin updated
cd /var/www/html/postfixadmin
git pull  # or download latest release

Security Testing Checklist ¶

Apache listens only on 127.0.0.1:8080
Direct access to port 8080 fails from internet
Hidden files (.git, .env) return 403
Backup files (.bak, .sql) return 403
setup.php blocked after initial setup
PHP version not exposed in headers
Real client IPs logged (not 127.0.0.1)
Upload directory rejects PHP execution
Security headers present in responses
PHP errors not displayed to users
File permissions are restrictive (644/755)

Troubleshooting ¶

mod_remoteip not working ¶

# Enable module
sudo a2enmod remoteip

# Verify it's loaded
apache2ctl -M | grep remoteip

# Restart Apache
sudo systemctl restart apache2

PHP admin settings not applied ¶

Ensure you're using libapache2-mod-php, not php-fpm:

# Check
apache2ctl -M | grep php

# Should show: php7_module or php8_module

Setup.php still accessible ¶

# Uncomment the block in apache2-postfixadmin.conf
# Lines 52-54

# Reload
sudo systemctl reload apache2

Additional Hardening (Optional) ¶

1. Implement rate limiting ¶

Use mod_evasive or mod_security:

sudo apt install libapache2-mod-evasive
sudo a2enmod evasive

2. Enable ModSecurity WAF ¶

sudo apt install libapache2-mod-security2
sudo a2enmod security2

3. Restrict Apache to specific IPs ¶

If you want to restrict to specific admin IPs, add to Directory block:

<RequireAny>
  Require ip 192.168.1.0/24
  Require ip 10.0.0.0/8
</RequireAny>

4. Add fail2ban filter ¶

Create /etc/fail2ban/filter.d/postfixadmin-apache.conf:

[Definition]
failregex = ^<HOST> .* "POST /login.php.*" 200
ignoreregex =

Enable jail:

sudo fail2ban-client add postfixadmin-apache

Attached Files

Loading attached files...

Comments

No comments yet. Be the first to comment!

Search Results