From fc0ae167c7db24bcec6d3b3125fa610c8384ac1e Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 6 Dec 2018 14:56:19 +0100 Subject: Roundcube: improve serving of static resources. We only serve whitelisted extensions (css, js, png, etc.), and only for some selected sub-directories. Access to everything else (incl. log files and config files) is denied with a 404. This is unlike upstream's .htaccess file, which blacklists restricted locations and happily serves the rest: https://github.com/roundcube/roundcubemail/blob/master/.htaccess#L8 To find out which extensions exist on the file system, run find -L /var/lib/roundcube/{plugins,program/js,program/resources,skins} -type f \ | sed -n 's/.*\.//p' | sort | uniq -c --- roles/webmail/files/etc/nginx/sites-available/roundcube | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) (limited to 'roles/webmail/files') diff --git a/roles/webmail/files/etc/nginx/sites-available/roundcube b/roles/webmail/files/etc/nginx/sites-available/roundcube index 8e0695d..ae73562 100644 --- a/roles/webmail/files/etc/nginx/sites-available/roundcube +++ b/roles/webmail/files/etc/nginx/sites-available/roundcube @@ -67,10 +67,9 @@ server { upload_tmp_dir=$document_root/temp"; } - location /plugins/ {} - location /program/js/ {} - location /program/resources/ {} - location /skins/ {} - location / { internal; } - location ~ /\. { internal; } + location ~ "^/(?:plugins|program/js|program/resources|skins)/.*[^./]\.(?:css|eot|gif|html|ico|jpg|js|pdf|png|svg|tif|ttf|woff)$" { + try_files $uri =404; + expires 30d; + } + location / { internal; } } -- cgit v1.2.3