Hi,
I debugged this a bit. There seems to be some kind of bad interaction of nginx and php-fpm involved here.
There is an issue that nginx doesn't seems to do the right thing when using fastcgi_split_path_info with try_files. See
https://trac.nginx.org/nginx/ticket/321 for more info about that part.
The part specific to roundcube and oauth2 redirects seems to be, that the setting "fastcgi_param PATH_TRANSLATED $document_root$fastgi_path_info" is not doing what it shall do. Due to the interaction between try_files and fastcgi_split_path_info, the $fastcgi_path_info is empty. The solution for $fastcgi_path_info in the trac ticket above is to save the content into your own variable and use that. If I do this with PATH_TRANSLATED, I get access denied even for the login page. If I remove the PATH_TRANSLATED, all works, but not the OAauth2 login due to the previously mentioned wrong path.
My relevant nginx config is:
location ~ ^.+\.php(/|$) {
# first split, then do try_Files later
# see https://trac.nginx.org/nginx/ticket/321
fastcgi_split_path_info ^((?U).+\.php)(/.+)$;
set $orig_path $fastcgi_path_info;
fastcgi_keep_conn on;
fastcgi_index index.php;
# first set var, then do try_Files later
# see https://trac.nginx.org/nginx/ticket/321
set $orig_path $fastcgi_path_info;
# Zero-day exploit defense.
# http://forum.nginx.org/read.php?2,88845,page=3
try_files $uri $uri/ $fastcgi_script_name index.php =404;
include fastcgi_params;
fastcgi_param PATH_INFO $orig_path;
fastcgi_pass unix:/var/run/php-webmail2.fcgi;
# for oauth2
# fastcgi_param PATH_TRANSLATED $document_root$orig_path;
}
location / {
try_files $uri $uri/ index.php;
}
location ~ /\.ht {
deny all;
}
# Media: images, icons, video, audio, HTC, archives
location ~* \.(?:jpe?g|gif|png|ico|cur|gz|bz2|tbz|tgz|svg|svgz|mp4|ogg|ogv|webm|htc|css|js|pdf|zip|rar|tar|txt)$ {
try_files $uri =404;
expires 1w;
access_log off;
add_header Cache-Control "public";
}
location ~ ^/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
deny all;
}
location ~ ^/(bin|SQL|config|temp|logs)/ {
deny all;
}
How is PATH_TRANSLATED supposed to look like for this use case?
If I use a debug header instead of PATH_TRANSLATED with the setting, I get the document root in the "/script.php" case and the document root with the path info added in the "/script.php/whatever" case, which seems to work badly with php-fpm. I assume that php-fpm tries to use PATH_TRANSLATED instead of SCRIPT_FILENAME when PATH_TRANSLATED is present. For the login page ("
https://domain.tld/") this means PATH_TRANSLATED points to the document root directory instead of the file .../index.php.
Bye,
Alexander.
