Roundcube Community Forum

News and Announcements => General Discussion => Topic started by: Loguithat1955 on November 23, 2017, 02:55:22 PM

Title: Securing Installation
Post by: Loguithat1955 on November 23, 2017, 02:55:22 PM
Is there a way to secure a Roundcube installation so that it is not possible to access the sub-folder via a browser? For example, if I install Roundcube in a sub-folder called "roundcube" on my web server, I'm greeted with the login form when I access this folder. File indexing is disabled, so no one can list the filenames of such a folder or a sub-folder like "plugins", but if I know a filename in such a sub-folder, I can see that file. For example, if there is a plugin called "enigma" with enigma.js inside it, I can view this file if I enter the whole path in the address bar of my browser. Is there anything I can do to not allow such direct access to a file?

I know this is a problem I have to address with my server software (Apache, nginx), but maybe someone has some tips, or maybe a concern that Roundcube doesn't work after such a manipulation?
Title: Re: Securing Installation
Post by: SKaero on November 23, 2017, 04:02:20 PM
You may want to read the "Protect your installation" section in the installation directions https://github.com/roundcube/roundcubemail/wiki/Installation#protect-your-installation
Title: Re: Securing Installation
Post by: Loguithat1955 on November 23, 2017, 04:13:56 PM
Thanks for the link. But if I get this correctly, files in the directories plugins and skins are again unprotected if I know the right path. Or do I understand it wrong?
Title: Re: Securing Installation
Post by: SKaero on November 24, 2017, 01:11:18 AM
Well, files like enigma.js are run by the browser, meaning they have to be publicly accessible. The same goes for the CSS and image files of the skins.
Title: Re: Securing Installation
Post by: Loguithat1955 on November 24, 2017, 05:17:13 AM
Yes, that's the problem. So we can only hope that no plugin developer stores sensitive information in such accessible files.

BTW: I have one problem with the instructions on GitHub. It recommends setting the document root to the public_html directory, but in my case I have Roundcube in a subdirectory "roundcube". The real path to this folder is /var/www/docroot/roundcube. Roundcube itself is installed in /media/mountpoint/hdd3/roundcube_1.3.3/ and /var/www/docroot/roundcube is a symlink to this directory. This works for now. The reason is that I keep old versions for some time in the install folder in case there is a problem with a new installation; that's why I use symlinks. But when I now symlink /media/mountpoint/hdd3/roundcube_1.3.3/public_html to /var/www/docroot/roundcube, I get an HTTP 500 server error as the response. It fails to include bootstrap.php.

If I put a test.php in that folder with echo realpath(__DIR__ . '/..') . '/'; I get the correct path to /media/mountpoint/hdd3/roundcube_1.3.3/. What could I do to use public_html but inside a directory? I'm using nginx as a server...
Title: Re: Securing Installation
Post by: SKaero on November 24, 2017, 01:00:27 PM
I would just point the nginx config to the Roundcube public_html directory instead of using a symlink.
Title: Re: Securing Installation
Post by: Loguithat1955 on November 27, 2017, 04:58:36 AM
Ahhh, I have found my mistake. I had used

fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

instead of

fastcgi_param SCRIPT_FILENAME $request_filename;
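The following nginx fragment is an added example, not taken from the thread or from the Roundcube project, that pulls together the points above: serving Roundcube under a sub-path from its public_html (so config/, temp/, logs/ and the rest of the install tree are outside the web-visible tree, as the wiki's "Protect your installation" section recommends), passing $request_filename as SCRIPT_FILENAME (the fix from the last post), and additionally refusing direct requests for .php/.inc files under plugins/, skins/ and program/, since only the browser-run assets (JS, CSS, images) in those directories need to be reachable. The hostname, the install path layout, the PHP-FPM socket path, and the assumption that public_html exposes plugins/, skins/ and program/ are all assumptions for illustration; the location uses alias rather than a filesystem symlink, which is the case where $document_root$fastcgi_script_name is wrong and $request_filename is right.

```nginx
# Added example (not from the thread or the Roundcube project).
# Assumptions: hostname, install path, PHP-FPM socket, and that
# public_html exposes plugins/, skins/ and program/ alongside index.php.
server {
    listen 443 ssl;
    server_name mail.example.com;      # assumed hostname
    # ssl_certificate / ssl_certificate_key omitted

    # Document root for everything else on this host.
    root  /var/www/docroot;
    index index.php index.html;

    # Roundcube lives under /roundcube/ but is served from the release's
    # public_html, not from the install root, so config/, temp/, logs/ and
    # the installer are never inside the web-visible tree. Pointing at the
    # versioned directory directly (assumed path) replaces the symlink trick
    # and still lets you keep old releases side by side.
    location /roundcube/ {
        alias /media/mountpoint/hdd3/roundcube_1.3.3/public_html/;
        index index.php;

        # Only index.php is a legitimate entry point. Refuse any other PHP
        # or include file beneath plugins/, skins/ or program/; the JS, CSS
        # and image files there stay reachable because the browser needs them.
        location ~ ^/roundcube/(plugins|skins|program)/.*\.(php|inc)$ {
            deny all;
        }

        location ~ \.php$ {
            include fastcgi_params;
            # Under an alias, $document_root$fastcgi_script_name does not
            # resolve to the aliased file; $request_filename does.
            fastcgi_param SCRIPT_FILENAME $request_filename;
            fastcgi_pass  unix:/run/php/php7.1-fpm.sock;   # assumed socket path
        }
    }
}
```

After reloading, check the two behaviours separately: a request for /roundcube/ should return the login form, a request for a known asset such as /roundcube/plugins/enigma/enigma.js should still return 200, and a request for any .php file under /roundcube/plugins/ should return 403. If you see a 500 after changing SCRIPT_FILENAME, compare the path PHP-FPM logs against the real location of index.php, since a wrong SCRIPT_FILENAME is exactly the symptom described in the thread.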