>>>> Should I disallow access to certain roundcube directories in nginx?
>>>> I'm especially concerned about arbitrary PHP execution in the user
>>>> upload directory
>>>
>>> any directory containing user uploads has execution
>>> disabled by definition
>>>
>>> Apache:
>>> <IfModule mod_php5.c>
>>>   php_flag engine off
>>> </IfModule>
>>>
>>> any directory only containing libraries and no directly
>>> accessed files has access denied by definition
>>>
>>> that is completely independent of roundcube or whatever webserver
>>> that are best practices in any case and not a question
>>>
>>> Apache:
>>> <IfModule !mod_version.c>
>>>   Order deny,allow
>>>   Deny from all
>>> </IfModule>
>>> <IfModule mod_version.c>
>>>   <IfVersion < 2.4>
>>>     Order deny,allow
>>>     Deny from all
>>>   </IfVersion>
>>>   <IfVersion >= 2.4>
>>>     Require all denied
>>>   </IfVersion>
>>> </IfModule>
>>
>> Are the default permissions you reference set via .htaccess files?
>
> it does not matter if you put them in .htaccess or <Directory>-directives
> the final goal is the same and depends on your environment
>
> hence in my own applications they are deployed as part of packages
> in .htaccess while with LocationMatch / Location for folders
> like "upload" or "tmp" they are in global policies

Ah, I misread that the first time around. It sounds like I need to be sure I disallow access and execution in certain directories. Which directories are those for roundcube?

- Grant
_______________________________________________
Roundcube Users mailing list
[email protected]
http://lists.roundcube.net/mailman/listinfo/users
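
The two policies quoted above (no script execution where users can write, no access where only libraries live), expressed for nginx as an added example that is not part of the original thread. The directory names `upload`, `tmp` and `lib`, the server name, document root and PHP-FPM socket path are assumptions for illustration, not Roundcube's actual layout.

```nginx
# Added example. Paths and names below are placeholders / assumptions.
server {
    listen 80;
    server_name webmail.example.org;      # placeholder host name
    root /var/www/webmail;                # placeholder document root
    index index.php;

    # Library-only directory (hypothetical name "lib"): nothing in it is
    # requested directly, so refuse every request. This is the nginx
    # counterpart of "Require all denied" / "Deny from all".
    location ^~ /lib/ {
        deny all;
    }

    # Scratch directory that never needs to be reachable over HTTP.
    location ^~ /tmp/ {
        deny all;
    }

    # User upload directory: the "^~" modifier makes nginx stop at this
    # prefix match and skip the regex locations below, so a request for
    # /upload/anything.php is never passed to the PHP handler. This is the
    # counterpart of "php_flag engine off".
    location ^~ /upload/ {
        # Serve every file as an opaque download, whatever its extension.
        types { }
        default_type application/octet-stream;
        add_header X-Content-Type-Options nosniff;
    }

    # The only place where PHP is executed. Requests under the three
    # prefixes above never reach this block.
    location ~ \.php$ {
        try_files $uri =404;              # do not pass non-existent scripts
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
    }
}
```

Without `^~`, nginx would still evaluate the `\.php$` regex after the prefix match and hand an uploaded `.php` file to the interpreter.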
