Is there a way to secure a Roundcube installation, so that it is not possible to access the sub-folder via a browser? For example, if i install Roundcube in a sub-folder called "roundcube" on my web-server, I'm greeted with the login form if i access this folder. File indexing is disabled, so no one can list the filenames of such folder or a sub-folder like "plugins". but when i know a filename of such sub-folder, i could see that file. For example, if there is a plugin called "enigma" with enigma.js inside this, i could view this file if i enter the whole path in the address-bar of my browser. is there anything i could do, to not allow such direct accessing of a file?
I know, this is a problem i have to address with my server software (apache, nginx) but maybe someone has some tips or maybe concern in that way, that Roundcube doesn't work after such a manipulation?
You may want to read the "Protect your installation" section in the installation directions https://github.com/roundcube/roundcubemail/wiki/Installation#protect-your-installation
thx for the link. but if i get this correct, files in the directory's plugins and skins are again unprotected, if i know the right path. Or do i understand it wrong?
Well files like enigma.js are run by the browser meaning they have to be publicly accessible same goes for the css and image files of the skins.
Yes, thats the problem. So we can hope only, that no plugin developer stores sesnsible information in such accessible files.
BTW: I have one problem with the instructions on github. It recommends to set the document root to public_html directory. but in my case i have roundcube in a subdirectory "roundcube". the realpath to this folder is /var/www/docroot/roundcube. roundcube istself is installed in /media/mountpoint/hdd3/roundcube_1.3.3/ and /var/www/docroot/roundcube is a symlink to this directory. this works for now. reason is, that i keep old versions for some time in the install folder for the case, if there is a problem with a new installation, thats way i use symlinks. But when i now symlink /media/mountpoint/hdd3/roundcube_1.3.3/public_html to /var/www/docroot/roundcube, i get http 500 server error as response. it fails to include the boostratp.php
if i put a test.php in that folder with echo realpath(__DIR__ . '/..') . '/'; i get the correct path to /media/mountpoint/hdd3/roundcube_1.3.3/. What could i do to use public_html but inside a directory? im using nginx as a server...
I would just point the nginx config to the Roundcube public_html directory instead of using a symlink.
Ahhh i have found my failure. I have used
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
instead of
fastcgi_param SCRIPT_FILENAME $request_filename;