Should I disallow access to certain roundcube directories in nginx? I'm especially concerned about arbitrary PHP execution in the user upload directory.
Yes, you should. Have a look at the .htaccess file, which holds some rewrite rules for the Apache webserver:
# security rules:
# - deny access to files not containing a dot or starting with a dot
#   in all locations except installer directory
RewriteRule ^(?!installer)(\.?[^\.]+)$ - [F]
# - deny access to some locations
RewriteRule ^/?(\.git|\.tx|SQL|bin|config|logs|temp|tests|program\/(include|lib|localization|steps)) - [F]
# - deny access to some documentation files
RewriteRule /?(README\.md|composer\.json-dist|composer\.json|package\.xml)$ - [F]
If you manage to translate these into nginx rules, we'd much appreciate it if you could post your findings so they can be added to the configuration guide here: http://trac.roundcube.net/wiki/Howto_Config/Webservers
The following translation seems to work for me:
location ~ ^/(?!installer)(\.?[^\.]+)$ {
    deny all;
}
location ~ ^/?(\.git|\.tx|SQL|bin|config|logs|temp|tests|program/(include|lib|localization|steps)) {
    deny all;
}
location ~ /?(README\.md|composer\.json-dist|composer\.json|package\.xml)$ {
    deny all;
}
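As an added example (not from the original thread and not the Roundcube project's own configuration), here is how those three deny locations fit into a complete nginx server block. The server_name, the install path under root, the certificate paths and the PHP-FPM socket are assumptions; adjust them for your host. The point the bare rules do not show is ordering: nginx tests regex locations in the order they appear and the first match wins, so the deny blocks must come before the `\.php$` handler, otherwise a request for a .php path under /temp/ or /config/ would be matched by the PHP location first and handed to PHP-FPM instead of being refused. The `try_files $uri =404` in the PHP location covers the other half of the question: it makes nginx confirm the requested script exists before passing it on, which closes the classic cgi.fix_pathinfo=1 case where a request like /temp/x.jpg/evil.php gets x.jpg executed as PHP.

```nginx
server {
    listen 443 ssl;
    server_name mail.example.com;                       # assumption
    ssl_certificate     /etc/ssl/certs/mail.example.com.pem;   # assumption
    ssl_certificate_key /etc/ssl/private/mail.example.com.key; # assumption

    root  /var/www/roundcube;                           # assumption: Roundcube install path
    index index.php;

    # Translated .htaccess security rules. Regex locations are evaluated in
    # order of appearance and the first match wins, so these MUST sit above the
    # PHP handler below; a .php file inside temp/ or config/ would otherwise be
    # matched by "~ \.php$" first and executed instead of denied.

    # deny files not containing a dot, or starting with a dot, except installer/
    location ~ ^/(?!installer)(\.?[^\.]+)$ {
        deny all;
    }

    # deny the upload/temp dir, config, logs, SQL, program internals, VCS dirs
    location ~ ^/?(\.git|\.tx|SQL|bin|config|logs|temp|tests|program/(include|lib|localization|steps)) {
        deny all;
    }

    # deny documentation/metadata files that reveal the exact version
    location ~ /?(README\.md|composer\.json-dist|composer\.json|package\.xml)$ {
        deny all;
    }

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        # Only pass scripts that actually exist on disk. Without this, nginx
        # forwards /temp/x.jpg/evil.php to PHP-FPM, and with cgi.fix_pathinfo=1
        # PHP falls back to executing the existing /temp/x.jpg as PHP.
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;        # assumption: local PHP-FPM socket
    }
}
```

After reloading, a quick check is to request a few representative paths with curl: /temp/anything and /config/config.inc.php should return 403, /README.md 403, and / should still serve the login page.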