From 1379a583525351458d2675d3fc81840eec7f73fe Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Sat, 12 Nov 2022 14:50:30 +0100
Subject: [PATCH] Basic hardening

---
 tests/compose/webmail/01_ensure_admin_unreachable.sh | 6 +++---
 webmails/nginx-webmail.conf | 11 ++++++++++-
 webmails/php.ini | 3 +++
 3 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/tests/compose/webmail/01_ensure_admin_unreachable.sh b/tests/compose/webmail/01_ensure_admin_unreachable.sh
index c4afc76a..a3864b78 100755
--- a/tests/compose/webmail/01_ensure_admin_unreachable.sh
+++ b/tests/compose/webmail/01_ensure_admin_unreachable.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 
-[[ `curl -I -so /dev/null -w "%{http_code}" http://localhost/` -ne 200 ]] && echo "The default page of rainloop hasn't returned 200!" >>/dev/stderr && exit 1
-[[ `curl -I -so /dev/null -w "%{http_code}" http://localhost/?admin` -ne 403 ]] && echo "The admin of rainloop is not disabled!" >>/dev/stderr && exit 1
+[[ `curl -I -so /dev/null -w "%{http_code}" http://localhost/` -ne 200 ]] && echo "The default page of snappymail hasn't returned 200!" >>/dev/stderr && exit 1
+[[ `curl -I -so /dev/null -w "%{http_code}" http://localhost/?admin` -ne 403 ]] && echo "The admin of snappymail is not disabled!" >>/dev/stderr && exit 1
diff --git a/webmails/nginx-webmail.conf b/webmails/nginx-webmail.conf
index 5e5f8ec3..b1149c49 100644
--- a/webmails/nginx-webmail.conf
+++ b/webmails/nginx-webmail.conf
@@ -16,6 +16,11 @@ server {
 # set maximum body size to configured limit
 client_max_body_size {{ MESSAGE_SIZE_LIMIT|int + 8388608 }};
 
+ fastcgi_hide_header X-Powered-By;
+ add_header X-Download-Options "noopen" always;
+ add_header X-Robots-Tag "none" always;
+ add_header X-Permitted-Cross-Domain-Policies "none" always;
+ add_header Referrer-Policy "no-referrer" always;
 location / {
 try_files $uri $uri/ /index.php$args;
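Review bot: The four `add_header` lines added after `client_max_body_size` are inherited only by `location` blocks that define no `add_header` of their own; nginx replaces the inherited set rather than merging it as soon as a nested block sets any header. If any location in this server block (the rest of it is outside the hunk) adds its own headers, for example cache headers for static assets, responses from that location will silently lack `Referrer-Policy` and the other hardening headers. Repeating the set in those blocks, or moving these lines into a snippet pulled in with `include` wherever `add_header` is used, keeps the coverage complete. `fastcgi_hide_header` only affects responses that come back from the FastCGI upstream, which is the intended scope here.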
@@ -42,10 +47,14 @@ server {
 {% endif %}
 }
 
- location ~ /\. {
+ location ~ (^|/)\. {
 deny all;
 }
 
+ location ~* ^/(config|temp|logs) {
+ deny all;
+ }
+
 location ^~ /data {
 deny all;
 }
diff --git a/webmails/php.ini b/webmails/php.ini
index af9ce8c5..884dda72 100644
--- a/webmails/php.ini
+++ b/webmails/php.ini
@@ -6,3 +6,6 @@ session.auto_start=Off
 mbstring.func_overload=Off
 file_uploads=On
 error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
+display_errors=Off
+log_errors=On
+zlib.output_compression=Off
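Review bot: The new `location ~* ^/(config|temp|logs)` pattern is not bounded at a path segment, so it also denies any unrelated path that merely starts with one of those words (`/configure`, `/temporary`, `/logstash.js`); if the intent is the three directories, `location ~* ^/(config|temp|logs)(/|$) {` is the tighter form. Regex locations (`~`, `~*`) are tried in file order, so this block only protects those directories if no earlier regex location, such as a `\.php$` handler, precedes it in the file — the rest of the server block is outside the hunk, so the order cannot be confirmed here; the `^~ /data` block below is a prefix match and is not affected. The widened `(^|/)\.` now denies every dotfile and dot-directory at any depth, including `/.well-known/`; if ACME challenges or similar are served through this vhost, an explicit allow for that prefix placed before this block is needed.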
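Review bot: `log_errors=On` is added without an `error_log` path, so PHP falls back to the SAPI's default logger; with php-fpm that is the worker's stderr, which only reaches the container log if the pool is configured to forward worker output — worth confirming the errors actually land somewhere now that `display_errors=Off` hides them from responses. Since the nginx change in this commit strips `X-Powered-By` after the fact, adding `expose_php=Off` here removes the header (and the version hint) at the source, so it is not dependent on every response passing through that nginx location.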