Basic hardening

tests/compose/webmail/01_ensure_admin_unreachable.sh

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 
-[[ `curl -I -so /dev/null -w "%{http_code}" http://localhost/` -ne 200 ]] && echo "The default page of rainloop hasn't returned 200!" >>/dev/stderr && exit 1
-[[ `curl -I -so /dev/null -w "%{http_code}" http://localhost/?admin` -ne 403 ]] && echo "The admin of rainloop is not disabled!" >>/dev/stderr && exit 1
+[[ `curl -I -so /dev/null -w "%{http_code}" http://localhost/` -ne 200 ]] && echo "The default page of snappymail hasn't returned 200!" >>/dev/stderr && exit 1
+[[ `curl -I -so /dev/null -w "%{http_code}" http://localhost/?admin` -ne 403 ]] && echo "The admin of snappymail is not disabled!" >>/dev/stderr && exit 1

webmails/nginx-webmail.conf

@@ -16,6 +16,11 @@ server {
 
     # set maximum body size to configured limit
     client_max_body_size {{ MESSAGE_SIZE_LIMIT|int + 8388608 }};
+    fastcgi_hide_header X-Powered-By;
+    add_header X-Download-Options "noopen" always;
+    add_header X-Robots-Tag "none" always;
+    add_header X-Permitted-Cross-Domain-Policies "none" always;
+    add_header Referrer-Policy "no-referrer" always;
 
     location / {
         try_files $uri $uri/ /index.php$args;
@@ -42,10 +47,14 @@ server {
         {% endif %}
     }
 
-    location ~ /\. {
+    location ~ (^|/)\. {
         deny all;
     }
 
+    location ~* ^/(config|temp|logs) {
+       deny all;
+    }
+
     location ^~ /data {
        deny all;
     }

webmails/php.ini

@@ -6,3 +6,6 @@ session.auto_start=Off
 mbstring.func_overload=Off
 file_uploads=On
 error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
+display_errors=Off
+log_errors=On
+zlib.output_compression=Off