From fc0ae167c7db24bcec6d3b3125fa610c8384ac1e Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Thu, 6 Dec 2018 14:56:19 +0100
Subject: Roundcube: improve serving of static resources.

We only serve whitelisted extensions (css, js, png, etc.), and only for some selected sub-directories. Access to everything else (incl. log files and config files) is denied with a 404. This is unlike upstream's .htaccess file, which blacklists restricted locations and happily serves the rest: https://github.com/roundcube/roundcubemail/blob/master/.htaccess#L8 To find out which extensions exist on the file system, run find -L /var/lib/roundcube/{plugins,program/js,program/resources,skins} -type f \ | sed -n 's/.*\.//p' | sort | uniq -c
---
 roles/webmail/files/etc/nginx/sites-available/roundcube | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/roles/webmail/files/etc/nginx/sites-available/roundcube b/roles/webmail/files/etc/nginx/sites-available/roundcube
index 8e0695d..ae73562 100644
--- a/roles/webmail/files/etc/nginx/sites-available/roundcube
+++ b/roles/webmail/files/etc/nginx/sites-available/roundcube
@@ -67,10 +67,9 @@ server {
                 upload_tmp_dir=$document_root/temp";
     }
-    location /plugins/ {}
-    location /program/js/ {}
-    location /program/resources/ {}
-    location /skins/ {}
-    location / { internal; }
-    location ~ /\. { internal; }
+    location ~ "^/(?:plugins|program/js|program/resources|skins)/.*[^./]\.(?:css|eot|gif|html|ico|jpg|js|pdf|png|svg|tif|ttf|woff)$" {
+        try_files $uri =404;
+        expires 30d;
+    }
+    location / { internal; }
 }
--
cgit v1.2.3
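Review bot: The removed `location ~ /\. { internal; }` rule has no counterpart in the new regex location, whose unrestricted `.*` accepts intermediate path segments that begin with a dot, so a request like `/plugins/.git/x.css` or `/skins/.svn/y.js` would be served by `try_files $uri =404` if such a file exists, whereas the old dotfile regex matched those first. The `[^./]` class only constrains the final filename (it rejects a bare `.css` or `/.css` component), not earlier segments. Placing `location ~ /\. { internal; }` before the new whitelist block preserves nginx's first-matching-regex semantics, or the pattern can carry a negative lookahead, `"^/(?!.*/\.)(?:plugins|program/js|program/resources|skins)/..."`. The enclosing `server { ... }` block starts outside the hunk, so whether an earlier regex location already covers dotfiles cannot be confirmed from here.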