authorGuilhem Moulin <guilhem@fripost.org>2018-12-06 14:56:19 +0100
committerGuilhem Moulin <guilhem@fripost.org>2018-12-06 14:56:19 +0100
commitfc0ae167c7db24bcec6d3b3125fa610c8384ac1e (patch)
tree6cfebfb74f6d0459623691677828e6bab3c5971f /roles/webmail/files
parenta98522cc7e5c1a6e64ee8b65648a005aa7494d1c (diff)
Roundcube: improve serving of static resources.
We only serve whitelisted extensions (css, js, png, etc.), and only for some selected sub-directories. Access to everything else (incl. log files and config files) is denied with a 404. This is unlike upstream's .htaccess file, which blacklists restricted locations and happily serves the rest: https://github.com/roundcube/roundcubemail/blob/master/.htaccess#L8 To find out which extensions exist on the file system, run

    find -L /var/lib/roundcube/{plugins,program/js,program/resources,skins} -type f \
      | sed -n 's/.*\.//p' | sort | uniq -c
Diffstat (limited to 'roles/webmail/files')
-rw-r--r--roles/webmail/files/etc/nginx/sites-available/roundcube11
1 files changed, 5 insertions, 6 deletions
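diff --git a/roles/webmail/files/etc/nginx/sites-available/roundcube b/roles/webmail/files/etc/nginx/sites-available/roundcube
index 8e0695d..ae73562 100644
--- a/roles/webmail/files/etc/nginx/sites-available/roundcube
+++ b/roles/webmail/files/etc/nginx/sites-available/roundcube
@@ -50,27 +50,26 @@ server {
 access_log /var/log/nginx/roundcube.access.log;
 error_log /var/log/nginx/roundcube.error.log info;
 client_max_body_size 64m;
 location = / { index index.php; }
 location = /index.php {
 include snippets/fastcgi-php-ssl.conf;
 # From /var/lib/roundcube/.htaccess
 fastcgi_param PHP_VALUE "upload_max_filesize=25M
 post_max_size=30M
 memory_limit=64M
 session.gc_maxlifetime=21600
 session.gc_divisor=500
 session.gc_probability=1";
 fastcgi_param PHP_ADMIN_VALUE "open_basedir=$document_root:/usr/share/roundcube:/etc/roundcube:/var/log/roundcube:/usr/share/php:/usr/share/javascript:/usr/share/tinymce:/usr/share/misc/magic:/dev
 upload_tmp_dir=$document_root/temp";
 }
- location /plugins/ {}
- location /program/js/ {}
- location /program/resources/ {}
- location /skins/ {}
- location / { internal; }
- location ~ /\. { internal; }
+ location ~ "^/(?:plugins|program/js|program/resources|skins)/.*[^./]\.(?:css|eot|gif|html|ico|jpg|js|pdf|png|svg|tif|ttf|woff)$" {
+ try_files $uri =404;
+ expires 30d;
+ }
+ location / { internal; }
 }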
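Review bot: The allow-list regex on the added `location ~` line only guards the final path component: `[^./]\.` keeps a bare dotfile such as `.css` from matching, but a hidden directory earlier in the path (a constructed example: `/skins/.foo/a.css`) still matches and is served, whereas the removed `location ~ /\. { internal; }` denied a dot-component anywhere in the URI. Because nginx uses the first matching regex location in file order, restoring that guard immediately above the new block preserves the old behaviour: `location ~ /\. { internal; }`. Separately, `~` is case-sensitive, so any file with an upper-case extension falls through to `location / { internal; }` and 404s; the `find | sed | uniq -c` command in the description is the right way to confirm none exist before relying on this. The enclosing `server {` block begins outside the hunk.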