On Thu, Feb 13, 2014 at 6:13 PM, Grant emailgrant@gmail.com wrote:
Should I disallow access to certain roundcube directories in nginx? I'm especially concerned about arbitrary PHP execution in the user upload directory.
Yes, you should. Have a look at the .htaccess file which holds some rewrite rules for Apache webserver:
RewriteEngine On

# security rules:
# - deny access to files not containing a dot or starting with a dot
#   in all locations except installer directory
RewriteRule ^(?!installer)(\.?[^\.]+)$ - [F]
# - deny access to some locations
RewriteRule ^/?(\.git|\.tx|SQL|bin|config|logs|temp|tests|program\/(include|lib|localization|steps)) - [F]
# - deny access to some documentation files
RewriteRule /?(README\.md|composer\.json-dist|composer\.json|package\.xml)$ - [F]
If you manage to translate these into nginx rules, we'd much appreciate it if you could post your findings so they can be added to the configuration guide here: http://trac.roundcube.net/wiki/Howto_Config/Webservers
Future versions of Roundcube will ship with a dedicated 'public_html' directory which will be the target directory for webserver access, and all other directories which are supposed to be protected from public access will be outside of the document root.
Kind regards, Thomas
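The following is an added example of the nginx translation Thomas asks for above; it is not part of the thread and not the Roundcube project's own configuration. It mirrors the three Apache rules one for one and adds a PHP handler that only passes files that actually exist on disk to PHP-FPM, which addresses Grant's concern about PHP execution from the upload (temp) directory. The install path /var/www/roundcube, the hostname, and the PHP-FPM socket path are placeholders.

```nginx
# Added example (not from the Roundcube project): nginx equivalent of the
# Roundcube .htaccess security rules. Assumes Roundcube lives in
# /var/www/roundcube and PHP-FPM listens on unix:/run/php-fpm.sock (placeholders).
server {
    listen 80;
    server_name mail.example.com;     # placeholder
    root /var/www/roundcube;          # placeholder
    index index.php;

    # nginx evaluates "location ~" blocks in order and uses the first match,
    # so every deny block must come before the PHP handler below.

    # - deny access to files not containing a dot or starting with a dot,
    #   in all locations except the installer directory
    #   (same regex as the Apache rule, anchored to the request path)
    location ~ ^/(?!installer)\.?[^.]+$ {
        deny all;
    }

    # - deny access to some locations (prefix match, like the Apache rule;
    #   .git and .tx are already covered by the dot-file rule above)
    location ~ ^/(SQL|bin|config|logs|temp|tests|program/(include|lib|localization|steps)) {
        deny all;
    }

    # - deny access to some documentation files
    location ~ ^/(README\.md|composer\.json-dist|composer\.json|package\.xml)$ {
        deny all;
    }

    # Only hand real, existing .php files to PHP-FPM. "try_files $uri =404"
    # stops path-info tricks such as /temp/upload.jpg/x.php from being
    # executed, so nothing written into the upload directory can run.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php-fpm.sock;   # placeholder
    }
}
```

Two things to keep in mind when adapting this: the deny blocks are regex locations and must stay above the PHP location, and on the PHP side `cgi.fix_pathinfo=0` in php.ini is the usual companion to `try_files $uri =404`. You can check each rule with `nginx -t` and then a request such as `curl -I http://mail.example.com/config/` (expect 403) and `curl -I http://mail.example.com/temp/anything.php` (expect 403).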