>> Should I disallow access to certain roundcube directories in nginx?
>> I'm especially concerned about arbitrary PHP execution in the user
>> upload directory.
>
> Yes, you should. Have a look at the .htaccess file which holds some
> rewrite rules for Apache webserver:
>
> # security rules:
> # - deny access to files not containing a dot or starting with a dot
> #   in all locations except installer directory
> RewriteRule ^(?!installer)(\.?[^\.]+)$ - [F]
> # - deny access to some locations
> RewriteRule ^/?(\.git|\.tx|SQL|bin|config|logs|temp|tests|program\/(include|lib|localization|steps)) - [F]
> # - deny access to some documentation files
> RewriteRule /?(README\.md|composer\.json-dist|composer\.json|package\.xml)$ - [F]
>
> If you manage to translate these into nginx rules, we'd much
> appreciate if you could post your findings in order to have it added
> to the configuration guide here:
> http://trac.roundcube.net/wiki/Howto_Config/Webservers
The following doesn't seem to cause any problems. Which files would be
good to compare access with/without this config?

location ~ ^/?(\.git|\.tx|SQL|bin|config|logs|temp|tests|program\/(include|lib|localization|steps)) {
    deny all;
}

location ~ /?(README\.md|composer\.json-dist|composer\.json|package\.xml)$ {
    deny all;
}

The following does 403 normal access. Any idea what could be wrong
there? I'm not good with regex.

location ~ ^(?!installer)(\.?[^\.]+)$ {
    deny all;
}

> Future versions of Roundcube will ship with a dedicated 'public_html'
> directory which will be the target directory for webserver access and
> all other directories which are supposed to be protected from public
> access, will be outside of the document root.

Is there a version targeted for this change?

- Grant
_______________________________________________
Roundcube Users mailing list
users@lists.roundcube.net
http://lists.roundcube.net/mailman/listinfo/users
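An added check, not part of the thread above and not Roundcube's own code, that answers both questions in the message: which paths to compare, and why the third rule returns 403 for normal access. An Apache RewriteRule in an .htaccess file is matched against the path relative to that directory (no leading slash, and the empty string for a request to the directory itself), whereas an nginx regex location is matched against the full request URI, which always begins with "/". So the posted third rule denies "/" (the `[^\.]+` run happily consumes the slash), it never exempts the installer because the lookahead runs against "/installer" rather than "installer", and it fails to catch "/.htaccess" because the optional dot is tried before the slash. Anchoring the rule after the leading slash, as `location ~ ^/(?!installer)(\.?[^.]+)$ { deny all; }`, restores the intended Apache behaviour. The script below models nginx's first-match-wins evaluation of the three regex locations with Python's `re` module (the patterns use only syntax that PCRE and Python share) over a constructed list of Roundcube-style request paths; the rule names, the `FIXED_RULES` variant and the sample paths are this example's own assumptions.

```python
import re

# nginx evaluates "location ~" regexes in configuration order and the first
# match wins, so this list models that order.  The three patterns are the ones
# posted in the thread; note that an nginx regex location is matched against
# the full request URI, which always begins with "/".
POSTED_RULES = [
    ("locations", r"^/?(\.git|\.tx|SQL|bin|config|logs|temp|tests|program\/(include|lib|localization|steps))"),
    ("docs", r"/?(README\.md|composer\.json-dist|composer\.json|package\.xml)$"),
    ("dotless", r"^(?!installer)(\.?[^\.]+)$"),
]

# Same rules, with the third one anchored after the leading "/" so that it is
# evaluated against the same text the Apache per-directory rule sees.
FIXED_RULES = [
    POSTED_RULES[0],
    POSTED_RULES[1],
    ("dotless", r"^/(?!installer)(\.?[^.]+)$"),
]


def matching_rule(uri, rules):
    """Return the name of the first rule whose regex matches the request path,
    or None when no rule matches (i.e. nginx would not apply 'deny all').
    nginx matches locations against the URI path only, so the query string is
    stripped first: '/?_task=mail' is matched as '/'."""
    path = uri.split("?", 1)[0]
    for name, pattern in rules:
        if re.search(pattern, path):
            return name
    return None


# Constructed sample request paths (not taken from a real access log):
# normal Roundcube traffic, the installer, and the paths that must be denied.
SAMPLE_URIS = [
    "/",
    "/?_task=mail",
    "/index.php",
    "/index.php?_task=mail&_action=show&_uid=1",
    "/skins/larry/images/roundcube_logo.png",
    "/program/js/app.js",
    "/installer/",
    "/config/config.inc.php",
    "/logs/errors",
    "/temp/evil.php",
    "/program/lib/Roundcube/rcube.php",
    "/.git/config",
    "/.htaccess",
    "/README.md",
    "/composer.json",
    "/plugins",
]


def access_matrix(rules):
    """Map every sample URI to the rule that denies it (None = allowed)."""
    return {uri: matching_rule(uri, rules) for uri in SAMPLE_URIS}


if __name__ == "__main__":
    posted = access_matrix(POSTED_RULES)
    fixed = access_matrix(FIXED_RULES)
    print(f"{'request path':45} {'posted rules':14} {'fixed rules':14}")
    for uri in SAMPLE_URIS:
        print(f"{uri:45} {posted[uri] or 'allow':14} {fixed[uri] or 'allow':14}")
```

Two caveats when moving the result into a real server block: nginx stops at the first regex location that matches, so the deny locations must be written before the `location ~ \.php$` block that hands requests to PHP-FPM, otherwise `/config/config.inc.php` or an uploaded `/temp/evil.php` reaches the interpreter first; and the second rule, like its Apache original, is not end-anchored, so it denies any path that merely starts with one of the listed names.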