>> Should I disallow access to certain roundcube directories in nginx?
>> I'm especially concerned about arbitrary PHP execution in the user
>> upload directory.
>
> Yes, you should. Have a look at the .htaccess file which holds some
> rewrite rules for Apache webserver:
>
> # security rules:
> # - deny access to files not containing a dot or starting with a dot
> # in all locations except installer directory
> RewriteRule ^(?!installer)(\.?[^\.]+)$ - [F]
> # - deny access to some locations
> RewriteRule ^/?(\.git|\.tx|SQL|bin|config|logs|temp|tests|program\/(include|lib|localization|steps)) - [F]
> # - deny access to some documentation files
> RewriteRule /?(README\.md|composer\.json-dist|composer\.json|package\.xml)$ - [F]
>
> If you manage to translate these into nginx rules, we'd much
> appreciate if you could post your findings in order to have it added
> to the configuration guide here:
> http://trac.roundcube.net/wiki/Howto_Config/Webservers

The following translation seems to work for me:

location ~ ^/(?!installer)(\.?[^\.]+)$ {
    deny all;
}
location ~ ^/?(\.git|\.tx|SQL|bin|config|logs|temp|tests|program\/(include|lib|localization|steps)) {
    deny all;
}
location ~ /?(README\.md|composer\.json-dist|composer\.json|package\.xml)$ {
    deny all;
}

- Grant
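
An offline check of the three deny patterns above against sample request paths, added here as an example and not part of the original post. It models only nginx's regex-location selection (the first matching regex in configuration order wins). Assumptions: the `\.php$` handler location and all sample URIs are constructed, and Python's `re` stands in for nginx's PCRE.

```python
import re

# The three deny patterns from the nginx translation above, in the same order.
DENY = [
    r"^/(?!installer)(\.?[^\.]+)$",
    r"^/?(\.git|\.tx|SQL|bin|config|logs|temp|tests|program\/(include|lib|localization|steps))",
    r"/?(README\.md|composer\.json-dist|composer\.json|package\.xml)$",
]
# Assumption: a typical PHP handler block, "location ~ \.php$ { ... }".
PHP = r"\.php$"

# Constructed sample request paths (not taken from the thread).
SAMPLES = [
    "/index.php", "/installer/index.php", "/temp/upload.php",
    "/config/config.inc.php", "/program/lib/foo.php", "/logs/errors",
    "/.git/config", "/README.md", "/skins/larry/styles.css",
    "/program/js/app.js",
]

def build(deny_first=True):
    """Return regex locations as (pattern, action) pairs in config order."""
    deny = [(p, "deny") for p in DENY]
    php = [(PHP, "php")]
    return deny + php if deny_first else php + deny

def route(uri, locations):
    """First matching regex location wins; prefix locations are not modeled."""
    for pattern, action in locations:
        if re.search(pattern, uri):
            return action
    return "static"  # no regex location matched: served as a plain file

def report(deny_first=True):
    """Map every sample URI to the action the modeled config would take."""
    locations = build(deny_first)
    return {uri: route(uri, locations) for uri in SAMPLES}

if __name__ == "__main__":
    first, last = report(True), report(False)
    print(f"{'uri':28} {'deny-first':11} php-first")
    for uri in SAMPLES:
        print(f"{uri:28} {first[uri]:11} {last[uri]}")
```

With the deny blocks listed first, `/temp/upload.php` is refused; with the PHP handler listed first, the same request reaches the handler, so the deny blocks belong above any `location ~ \.php$` block.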