Should I disallow access to certain roundcube directories in nginx? I'm especially concerned about arbitrary PHP execution in the user upload directory.
Yes, you should. Have a look at the .htaccess file which holds some rewrite rules for Apache webserver:
# security rules: # - deny access to files not containing a dot or starting with a dot # in all locations except installer directory RewriteRule ^(?!installer)(.?[^.]+)$ - [F] # - deny access to some locations RewriteRule ^/?(.git|.tx|SQL|bin|config|logs|temp|tests|program/(include|lib|localization|steps))
- [F]
# - deny access to some documentation files RewriteRule /?(README.md|composer.json-dist|composer.json|package.xml)$
- [F]
If you manage to translate these into ngnix rules, we'd much appreciate if you could post your findings in order to have it added to the configuration guide here: http://trac.roundcube.net/wiki/Howto_Config/Webservers
The following doesn't seem to cause any problems. Which files would be good to compare access with/without this config?
location ~ ^/?(.git|.tx|SQL|bin|config|logs|temp|tests|program/(include|lib|localization|steps)) { deny all; } location ~ /?(README.md|composer.json-dist|composer.json|package.xml)$ { deny all; }
The following does 403 normal access. Any idea what could be wrong there? I'm not good with regex.
location ~ ^(?!installer)(.?[^.]+)$ { deny all; }
Future versions of Roundcube will ship with a dedicated 'public_html' directly which will be the target directory for webserver access and all other directories which are supposed to be protected from public access, will be outside of the document root.
Is there a version targetted for this change?