Closed winux1 closed 1 year ago
I think it could close #71 if the user adds something like this to the per-domain Nginx conf file:
```nginx
# Roundcube Webmail configuration.
location / {
    index index.php;
    alias /usr/local/lib/roundcubemail/;
}
location ~ /config/.* {
    # A ~-style location is needed to give this precedence over the next block.
    return 403;
}
location ~ ^/(?!\/)[^/]*\.php$ {
    # Note: ~ has precedence over a regular location block.
    include fastcgi_params;
    fastcgi_split_path_info ^(/.*)()$;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /usr/local/lib/roundcubemail/$fastcgi_script_name;
    fastcgi_pass php-fpm;
    # Outgoing mail also goes through this endpoint, so increase the maximum
    # file upload limit to match the corresponding Postfix limit.
    client_max_body_size 128M;
}
```
@ddavness Any thoughts?
Edit: Updated Nginx config for serving webmail on /
By removing `session_path` it becomes possible (you can set it up in a custom Nginx config file) to access Roundcube from multiple paths and/or custom domains. I believe it would be a big improvement for many people compared to the security risk that the leaking of the session could have.
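Added example, not part of the original comment or the project's code: the trade-off above, shown with the cookie path-match rule from RFC 6265 section 5.1.4 that browsers apply before attaching a cookie to a request. It assumes that a session cookie issued with no `session_path` gets `Path=/`; the `/mail/` value and the request paths are constructed samples on one hypothetical domain.

```javascript
// RFC 6265 section 5.1.4 path-match: is a cookie carrying this Path attribute
// attached to a request for requestPath?
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // A prefix only counts on a "/" boundary: "/mail" must not match "/mailing-list/".
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Constructed sample: request paths served under one hypothetical domain.
// Only the first four are webmail; the rest stand in for other applications.
const requestPaths = [
  "/", "/index.php",            // webmail served on / (as in the Nginx config above)
  "/mail/", "/mail/index.php",  // webmail served on a sub-path (assumed value)
  "/admin", "/cloud/remote.php", "/mailing-list/",
];

// Every request path that would receive a session cookie scoped to cookiePath.
function receivers(cookiePath) {
  return requestPaths.filter((p) => pathMatch(p, cookiePath));
}

// Paths that start receiving the cookie once the scope is widened.
function addedExposure(narrowPath, widePath) {
  const narrow = new Set(receivers(narrowPath));
  return receivers(widePath).filter((p) => !narrow.has(p));
}

// Scoped cookie: webmail on / never gets its own session cookie back,
// so serving Roundcube from a second path cannot keep a login.
console.log("Path=/mail/ ->", receivers("/mail/"));

// Unscoped cookie (assumed Path=/): webmail works from any path, and the
// session id is also sent to every other application on the same host.
console.log("Path=/      ->", receivers("/"));
console.log("newly exposed:", addedExposure("/mail/", "/"));
```

When reviewing a deployment, the "newly exposed" list is the part to check: any other application on that hostname that logs or reflects request headers would see the webmail session id.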