>> Should I disallow access to certain roundcube directories in nginx?
>> I'm especially concerned about arbitrary PHP execution in the user
>> upload directory.
>
> Yes, you should. Have a look at the .htaccess file which holds some
> rewrite rules for Apache webserver:
>
> # security rules:
> # - deny access to files not containing a dot or starting with a dot
> #   in all locations except installer directory
> RewriteRule ^(?!installer)(\.?[^\.]+)$ - [F]
> # - deny access to some locations
> RewriteRule ^/?(\.git|\.tx|SQL|bin|config|logs|temp|tests|program\/(include|lib|localization|steps)) - [F]
> # - deny access to some documentation files
> RewriteRule /?(README\.md|composer\.json-dist|composer\.json|package\.xml)$ - [F]
>
> If you manage to translate these into nginx rules, we'd much
> appreciate it if you could post your findings in order to have it added
> to the configuration guide here:
> http://trac.roundcube.net/wiki/Howto_Config/Webservers

The following doesn't seem to cause any problems.  Which files would
be good to compare access with/without this config?

location ~ ^/?(\.git|\.tx|SQL|bin|config|logs|temp|tests|program\/(include|lib|localization|steps)) {
    deny all;
}
location ~ /?(README\.md|composer\.json-dist|composer\.json|package\.xml)$ {
    deny all;
}

The following does 403 normal access.  Any idea what could be wrong
there?  I'm not good with regex.

location ~ ^(?!installer)(\.?[^\.]+)$ {
    deny all;
}

> Future versions of Roundcube will ship with a dedicated 'public_html'
> directory which will be the target directory for webserver access, and
> all other directories which are supposed to be protected from public
> access will be outside of the document root.

Is there a version targeted for this change?

- Grant
_______________________________________________
Roundcube Users mailing list
users@lists.roundcube.net
http://lists.roundcube.net/mailman/listinfo/users
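The following is an added example, not code from the thread or from the Roundcube project: a complete nginx server block that translates all three .htaccess rules quoted above, with the first rule adjusted for the fact that nginx matches the request URI (which always begins with "/") rather than Apache's directory-relative path. The document root (/var/www/roundcube), the hostname and the php-fpm socket path are assumptions; adjust them to your install.

```nginx
# Added example (not from the thread or the Roundcube project).
# Assumptions: Roundcube lives in /var/www/roundcube and PHP runs
# through the php-fpm socket named below.
server {
    listen 80;
    server_name mail.example.com;   # assumed hostname
    root /var/www/roundcube;        # assumed install path
    index index.php;

    # nginx tests regex locations in the order they are written and the
    # first match wins, so every deny rule must precede the PHP handler
    # at the bottom; otherwise /config/config.inc.php or /temp/foo.php
    # would be handed to php-fpm instead of being refused.

    # .htaccess rule 2: deny access to some locations.  The request URI
    # always starts with "/", so "^/" replaces Apache's "^/?".  Like the
    # Apache rule this is a prefix match, so "/binfoo" is refused too.
    location ~ ^/(\.git|\.tx|SQL|bin|config|logs|temp|tests|program/(include|lib|localization|steps)) {
        deny all;
    }

    # .htaccess rule 3: deny access to some documentation files.
    location ~ ^/(README\.md|composer\.json-dist|composer\.json|package\.xml)$ {
        deny all;
    }

    # .htaccess rule 1: deny any path that contains no dot (one leading
    # dot allowed), except under installer/.  Copied verbatim, the
    # pattern "^(?!installer)(\.?[^.]+)$" matches "/" itself because the
    # leading slash is not a dot, which is why the login page returns
    # 403.  Anchoring on "^/" and placing the lookahead after it fixes
    # that: a bare "/" no longer matches because [^.]+ requires at least
    # one character after the slash, while "/bin/foo", "/.htaccess" and
    # "/README" are still refused and "/installer/..." is still allowed.
    location ~ ^/(?!installer)(\.?[^.]+)$ {
        deny all;
    }

    # PHP handler, deliberately after the deny rules.  try_files makes
    # sure only a script that really exists on disk reaches php-fpm.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
    }
}
```

To compare behaviour with and without the rules, request a few representative paths with curl -I and check the status codes: /config/config.inc.php, /temp/, /bin/ and /README.md should all return 403; / and a shipped asset such as /program/js/app.js should still return 200. If /installer/ is still present on the server it will also answer, which is a reminder to remove it after setup rather than a sign the rules are wrong.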