summaryrefslogtreecommitdiffstats
path: root/roles/webmail
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2018-12-06 14:56:19 +0100
committerGuilhem Moulin <guilhem@fripost.org>2018-12-06 14:56:19 +0100
commitfc0ae167c7db24bcec6d3b3125fa610c8384ac1e (patch)
tree6cfebfb74f6d0459623691677828e6bab3c5971f /roles/webmail
parenta98522cc7e5c1a6e64ee8b65648a005aa7494d1c (diff)
Roundcube: improve serving of static resources.
We only serve whitelisted extensions (css, js, png, etc.), and only for some selected sub-directories. Access to everything else (incl. log files and config files) is denied with a 404. This is unlike upstream's .htaccess file, which blacklists restricted locations and happily serves the rest: https://github.com/roundcube/roundcubemail/blob/master/.htaccess#L8 To find out which extensions exist on the file system, run find -L /var/lib/roundcube/{plugins,program/js,program/resources,skins} -type f \ | sed -n 's/.*\.//p' | sort | uniq -c
Diffstat (limited to 'roles/webmail')
-rw-r--r--roles/webmail/files/etc/nginx/sites-available/roundcube11
1 files changed, 5 insertions, 6 deletions
diff --git a/roles/webmail/files/etc/nginx/sites-available/roundcube b/roles/webmail/files/etc/nginx/sites-available/roundcube
index 8e0695d..ae73562 100644
--- a/roles/webmail/files/etc/nginx/sites-available/roundcube
+++ b/roles/webmail/files/etc/nginx/sites-available/roundcube
@@ -67,10 +67,9 @@ server {
upload_tmp_dir=$document_root/temp";
}
- location /plugins/ {}
- location /program/js/ {}
- location /program/resources/ {}
- location /skins/ {}
- location / { internal; }
- location ~ /\. { internal; }
+ location ~ "^/(?:plugins|program/js|program/resources|skins)/.*[^./]\.(?:css|eot|gif|html|ico|jpg|js|pdf|png|svg|tif|ttf|woff)$" {
+ try_files $uri =404;
+ expires 30d;
+ }
+ location / { internal; }
}