Should I disallow access to certain roundcube directories in nginx? I'm especially concerned about arbitrary PHP execution in the user upload directory
any directory containing user uploads has execution disabled by definition
Apache:
<IfModule mod_php5.c>
  php_flag engine off
</IfModule>
any directory only containing libraries and no directly accessed files has access denied by definition
that is completely independent of roundcube or whatever webserver, that are best practices in any case and not a question
Apache:
<IfModule !mod_version.c>
  Order deny,allow
  Deny from all
</IfModule>
<IfModule mod_version.c>
  <IfVersion < 2.4>
    Order deny,allow
    Deny from all
  </IfVersion>
  <IfVersion >= 2.4>
    Require all denied
  </IfVersion>
</IfModule>
Are the default permissions you reference set via .htaccess files?
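nginx does not read .htaccess files, so the two Apache rules quoted in this thread have to be restated in the server block. The following is an added example, not configuration from the thread or from the Roundcube project. The host name, document root, the directory names `/uploads/` and `/lib/`, and the PHP-FPM socket path are placeholders to replace with the real ones.

```nginx
server {
    listen 80;
    server_name mail.example.test;          # placeholder host name
    root /var/www/webmail;                  # placeholder document root
    index index.php;

    # Library-only directory: nothing in it is requested directly,
    # so deny everything (the "Require all denied" rule above).
    # "^~" makes this prefix match final, so nginx never goes on to
    # the regex "\.php$" location further down for these paths.
    location ^~ /lib/ {
        deny all;
    }

    # User-upload directory: files may be downloaded but must never
    # reach the PHP interpreter (the "php_flag engine off" rule above).
    # Without "^~", a request for /uploads/x.php would match the regex
    # PHP location below and be executed.
    location ^~ /uploads/ {
        # Refuse script-like names outright rather than returning
        # their source as a static file.
        location ~* \.(php\d?|phtml|phar)$ {
            return 403;
        }
        # Stop browsers from content-sniffing uploaded files.
        add_header X-Content-Type-Options nosniff;
    }

    # The only place where requests are handed to PHP.
    location ~ \.php$ {
        # Do not pass paths that are not real files to the interpreter.
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder socket path
    }
}
```

After reloading, `nginx -t` confirms the syntax, and a request for a test `.php` file placed in each protected directory should return 403.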