Roundcube Community Forum

Securing Installation

Started by Loguithat1955, November 23, 2017, 02:55:22 PM


Loguithat1955

Is there a way to secure a Roundcube installation so that it is not possible to access the sub-folder via a browser? For example, if I install Roundcube in a sub-folder called "roundcube" on my web server, I'm greeted with the login form if I access this folder. File indexing is disabled, so no one can list the filenames of such a folder or a sub-folder like "plugins". But when I know a filename in such a sub-folder, I can see that file. For example, if there is a plugin called "enigma" with enigma.js inside it, I can view this file if I enter the whole path in the address bar of my browser. Is there anything I can do to not allow such direct accessing of a file?

I know this is a problem I have to address with my server software (Apache, nginx), but maybe someone has some tips, or maybe concerns that Roundcube doesn't work after such a manipulation?

SKaero

You may want to read the "Protect your installation" section in the installation directions: https://github.com/roundcube/roundcubemail/wiki/Installation#protect-your-installation

Loguithat1955

Thanks for the link. But if I get this correctly, files in the directories plugins and skins are again unprotected if I know the right path. Or do I understand it wrong?

SKaero

Well, files like enigma.js are run by the browser, meaning they have to be publicly accessible; the same goes for the CSS and image files of the skins.

Loguithat1955

Yes, that's the problem. So we can only hope that no plugin developer stores sensitive information in such accessible files.

BTW: I have one problem with the instructions on GitHub. It recommends setting the document root to the public_html directory, but in my case I have Roundcube in a subdirectory "roundcube". The real path to this folder is /var/www/docroot/roundcube. Roundcube itself is installed in /media/mountpoint/hdd3/roundcube_1.3.3/, and /var/www/docroot/roundcube is a symlink to this directory. This works for now. The reason is that I keep old versions in the install folder for some time, in case there is a problem with a new installation; that's why I use symlinks. But when I now symlink /media/mountpoint/hdd3/roundcube_1.3.3/public_html to /var/www/docroot/roundcube, I get an HTTP 500 server error as response. It fails to include the bootstrap.php.

If I put a test.php in that folder with echo realpath(__DIR__ . '/..') . '/'; I get the correct path to /media/mountpoint/hdd3/roundcube_1.3.3/. What could I do to use public_html but inside a directory? I'm using nginx as a server...

SKaero

I would just point the nginx config to the Roundcube public_html directory instead of using a symlink.

Loguithat1955

Ahhh, I have found my mistake. I had used

fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

instead of

fastcgi_param SCRIPT_FILENAME $request_filename;
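An nginx server block that follows SKaero's advice (root pointed directly at public_html, no symlink in between) and keeps the SCRIPT_FILENAME setting from the last post. This is an added example, not configuration from the thread or from the Roundcube project; the hostname, certificate paths and PHP-FPM socket are assumptions, the install path is the one from the thread.

```nginx
# Added example (not from the thread or the Roundcube project).
# Assumed: Roundcube unpacked to /media/mountpoint/hdd3/roundcube_1.3.3 (as in
# the thread), PHP-FPM on unix:/run/php/php-fpm.sock, placeholder hostname/certs.
server {
    listen 443 ssl;
    server_name mail.example.invalid;                   # placeholder
    ssl_certificate     /etc/ssl/placeholder/fullchain.pem;   # placeholder
    ssl_certificate_key /etc/ssl/placeholder/privkey.pem;     # placeholder

    # Root goes straight to public_html, as the wiki recommends. config/, temp/,
    # logs/, SQL/ and bin/ live one level above it, so no URL maps onto them.
    root  /media/mountpoint/hdd3/roundcube_1.3.3/public_html;
    index index.php;

    # Directory listings stay off (the thread already relies on this).
    autoindex off;

    # Defence in depth: should root ever be moved up to the install directory
    # again, these paths must still never be served. Regex locations are tried
    # in order, so the deny rules sit before the PHP handler below.
    location ~ ^/(config|temp|logs|SQL|bin|installer)(/|$) { deny all; }
    location ~ /\.                                         { deny all; }  # .htaccess, .git
    location ~ config\.inc\.php$                           { deny all; }  # plugin configs

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        # Never hand a non-existent script to PHP-FPM.
        try_files $uri =404;
        include fastcgi_params;
        # $request_filename resolves against root/alias; this is the value
        # that fixed the HTTP 500 in the post above.
        fastcgi_param SCRIPT_FILENAME $request_filename;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

After reloading nginx, a request for /config/ or /logs/ should return 403 and only files that actually sit under public_html should resolve.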