Author Topic: Securing Installation  (Read 2994 times)

Loguithat1955 (Full Member, Posts: 54)
Securing Installation
« on: November 23, 2017, 02:55:22 PM »
Is there a way to secure a Roundcube installation so that it is not possible to access the sub-folder via a browser? For example, if I install Roundcube in a sub-folder called "roundcube" on my web server, I'm greeted with the login form if I access this folder. File indexing is disabled, so no one can list the filenames of such a folder or a sub-folder like "plugins", but when I know a filename in such a sub-folder, I can see that file. For example, if there is a plugin called "enigma" with enigma.js inside it, I can view this file if I enter the whole path in the address bar of my browser. Is there anything I can do to disallow such direct access to a file?

I know this is a problem I have to address with my server software (Apache, nginx), but maybe someone has some tips, or maybe a concern that Roundcube won't work after such a change?

SKaero (Administrator, Hero Member, Posts: 5,876)
  • SKaero - Custom Roundcube development
Re: Securing Installation
« Reply #1 on: November 23, 2017, 04:02:20 PM »
You may want to read the "Protect your installation" section in the installation directions https://github.com/roundcube/roundcubemail/wiki/Installation#protect-your-installation

Loguithat1955 (Full Member, Posts: 54)
Re: Securing Installation
« Reply #2 on: November 23, 2017, 04:13:56 PM »
Thanks for the link. But if I understand this correctly, files in the directories plugins and skins are still unprotected if I know the right path. Or do I understand it wrong?

SKaero (Administrator, Hero Member, Posts: 5,876)
  • SKaero - Custom Roundcube development
Re: Securing Installation
« Reply #3 on: November 24, 2017, 01:11:18 AM »
Well, files like enigma.js are run by the browser, meaning they have to be publicly accessible; the same goes for the CSS and image files of the skins.

Loguithat1955 (Full Member, Posts: 54)
Re: Securing Installation
« Reply #4 on: November 24, 2017, 05:17:13 AM »
Yes, that's the problem. So we can only hope that no plugin developer stores sensitive information in such accessible files.

BTW: I have one problem with the instructions on GitHub. It recommends setting the document root to the public_html directory, but in my case I have Roundcube in a subdirectory "roundcube". The real path to this folder is /var/www/docroot/roundcube. Roundcube itself is installed in /media/mountpoint/hdd3/roundcube_1.3.3/, and /var/www/docroot/roundcube is a symlink to this directory. This works for now. The reason is that I keep old versions in the install folder for some time in case there is a problem with a new installation; that's why I use symlinks. But when I now symlink /media/mountpoint/hdd3/roundcube_1.3.3/public_html to /var/www/docroot/roundcube, I get an HTTP 500 server error as the response. It fails to include bootstrap.php.

If I put a test.php in that folder with echo realpath(__DIR__ . '/..') . '/'; I get the correct path to /media/mountpoint/hdd3/roundcube_1.3.3/. What could I do to use public_html but inside a directory? I'm using nginx as the server...

SKaero (Administrator, Hero Member, Posts: 5,876)
  • SKaero - Custom Roundcube development
Re: Securing Installation
« Reply #5 on: November 24, 2017, 01:00:27 PM »
I would just point the nginx config to the Roundcube public_html directory instead of using a symlink.

Loguithat1955 (Full Member, Posts: 54)
Re: Securing Installation
« Reply #6 on: November 27, 2017, 04:58:36 AM »
Ahhh, I have found my mistake. I had used

fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

instead of

fastcgi_param SCRIPT_FILENAME $request_filename;
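The nginx setup the thread converges on (public_html reached through a symlinked sub-directory, SCRIPT_FILENAME taken from $request_filename), written out as an added example. It is not part of the thread or of Roundcube's own documentation. It uses the poster's paths, and assumes a PHP-FPM Unix socket at /run/php/php-fpm.sock, the hostname mail.example.org and the public_html layout of Roundcube 1.3 (index.php plus symlinks to the browser-served plugins, skins and program/js); the socket path and hostname are placeholders. It goes one step beyond the wiki's advice on the point raised in replies #2 to #4: only index.php is ever handed to PHP-FPM, so the static files in plugins/ and skins/ that must stay public (enigma.js, skin CSS and images) are served, while the plugin .php files next to them are never executable directly.

```nginx
# Added example, not the Roundcube project's own configuration.
# Assumed layout (paths from the thread; socket and hostname are placeholders):
#   /media/mountpoint/hdd3/roundcube_1.3.3/              install dir: config/, temp/, logs/,
#                                                          program/ stay OUTSIDE the document root
#   /media/mountpoint/hdd3/roundcube_1.3.3/public_html   index.php + symlinks to plugins/, skins/, program/js
#   /var/www/docroot/roundcube -> .../roundcube_1.3.3/public_html   (the symlink from reply #4)
#   /run/php/php-fpm.sock                                PHP-FPM listener (assumption)
server {
    listen 443 ssl;
    server_name mail.example.org;                # placeholder
    # ssl_certificate / ssl_certificate_key omitted here

    root /var/www/docroot;
    index index.php;

    # Only Roundcube's front controller reaches PHP-FPM. Every task and action is
    # routed through index.php (?_task=...), so nothing else needs to execute.
    location = /roundcube/index.php {
        include fastcgi_params;
        # $request_filename, not $document_root$fastcgi_script_name: the latter is
        # what produced the HTTP 500 / missing bootstrap.php behind the symlink (reply #6).
        fastcgi_param SCRIPT_FILENAME $request_filename;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # Any other .php under /roundcube/ (plugin classes such as plugins/enigma/enigma.php)
    # is answered with 404 instead of being passed to PHP.
    location ~ ^/roundcube/.+\.php$ {
        return 404;
    }

    # Dotfiles and packaging/readme metadata that ship inside plugins/ and skins/.
    location ~ ^/roundcube/.*(/\.|composer\.(json|lock)|package\.json|README|CHANGELOG|LICENSE) {
        return 404;
    }

    # Browser-side assets are meant to be public (reply #3); just cache them.
    location ~ ^/roundcube/.+\.(js|css|png|gif|jpe?g|svg|ico|woff2?|ttf)$ {
        expires 7d;
        access_log off;
    }

    # Everything else below /roundcube/: serve the file or directory index, never fall
    # back to listing. Directory listing is off by default (no autoindex directive).
    location /roundcube/ {
        try_files $uri $uri/ =404;
    }
}
```

Two checks after reloading: `curl -sI https://mail.example.org/roundcube/plugins/enigma/enigma.js` should answer 200 (it has to, the browser needs it), while `.../roundcube/plugins/enigma/enigma.php` and `.../roundcube/config/config.inc.php` should answer 404, the first because of the .php rule, the second because config/ is not under public_html at all. Two caveats that apply to the symlink setup specifically: nginx follows symlinks by default, so the public_html links work without extra directives, but if PHP's open_basedir is set it is checked against the resolved path, so it must include /media/mountpoint/hdd3/ (the install directory), not only /var/www/docroot/.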