Commit Graph

132 Commits (72a5bbf53d439bc2676ab7e0ce6302dc7aea82eb)

Author SHA1 Message Date
Will 72a5bbf53d Update roundcube to 1.5.3 and rcmcarddav plugin
bors[bot] e50f6c58c0
Merge
2360: roundcube: disable apache2 access log r=mergify[bot] a=pommi

## What type of PR?

bug-fix

## What does this PR do?

It disables the access log of apache2 in the roundcube webmail container. Requests are already logged by the front container. The requests logged in the roundcube container contained contained the wrong client IP: the IP address of the front container.

----

Original PR:

~~Roundcube webmail is accessed through the nginx reverse proxy in the front container. Each access logline logged by apache2 in the roundcube container did not contain the actual client IP address, but the IP address of the front container, for example:~~

```
192.168.203.3 - - [28/May/2022:12:33:52 +0000] "POST /?_task=mail&_action=refresh HTTP/1.1" 200 677 "https://[REDACTED]/roundcube/?_task=mail&_mbox=INBOX" "Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0"
^
IP address of the front container
```

~~By enabling the apache2 remoteip module and configuring it to get the actual client IP address from the X-Forwarded-For header, it logs the correct client IP address to the access log.~~

### Related issue(s)
- None

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

**No changelog or documentation necessary for this minor change.**


Co-authored-by: Pim van den Berg <pim@nethuis.nl>
Pim van den Berg 6f884c6c93 roundcube: disable access log
As per discussion in : The front container (nginx reverse proxy) is
already logging all requests, disable the access logs for apache2 in the
roundcube container completely.
Eddy Vervest baea3d4086
Update Dockerfile
missed this one
Eddy Vervest c4c442d000
Update Dockerfile
apt is intended for interactive usage, for scripts use apt-get (https://manpages.debian.org/bullseye/apt/apt.8.en.html) to avoid warnings.
Pim van den Berg e8b7d6afed roundcube: log actual client ip by using apache2 remoteip
Roundcube webmail is accessed through the nginx reverse proxy in the
front container. Each access logline logged by apache2 in the roundcube
container did not contain the actual client IP address, but the IP
address of the front container, for example:

> 192.168.203.3 - - [28/May/2022:12:33:52 +0000] "POST /?_task=mail&_action=refresh HTTP/1.1" 200 677 "https://[REDACTED]/roundcube/?_task=mail&_mbox=INBOX" "Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0"
  ^
  IP address of the front container

By enabling the apache2 remoteip module and configuring it to get the
actual client IP address from the X-Forwarded-For header, it logs the
correct client IP address to the access log.
bors[bot] bcecbda9de
Merge
2195: roundcube: Add /overrides directory in include r=mergify[bot] a=mnival

Added the /overrides directory in the roundcube config.inc.php file

## What type of PR?

bug-fix

## What does this PR do?

### Related issue(s)
none

Co-authored-by: mnival <1595998+mnival@users.noreply.github.com>
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
mnival 5695bbb0f6 Configuring pwstore_scheme in carddav plugin with des_key because Mailu is incompatible with encrypted
mnival 4b9781210f Add /overrides directory in include
Alexander Graf 37855153b8
fixed plugin path
willofr 93a94d33ce
update roundcube to 1.5.2 (security fix)
New roundcube release (1.5.2) where a XSS is addressed: https://roundcube.net/news/2021/12/30/update-1.5.2-released
Dimitri Huisman b248026933 Fix . Gpg-agent package was missing for roundcube image.
Florent Daigniere 6d5926ef29 prettify
Dimitri Huisman 385cb28bf2 Correctly calculate and set SESSION_TIMEOUT in roundcube
Dimitri Huisman ab80316df6 Fix error in roundcube config
Florent Daigniere 3a46ee073c Make roundcube use SESSION_TIMEOUT
Alexander Graf 1a41657f90
add documentation, allow overrides, clean plugins
Alexander Graf b3d48cc20f
fixed health check
Alexander Graf e7e283663d
Merge remote-tracking branch 'upstream/master' into update_roundcube
Alexander Graf 64acfacc73
duh. typo
Alexander Graf 547ad253e1
added plugin selection, derive key, clean env
Alexander Graf 7c2c2dc65a
updated to carddav 4.3.0
Alexander Graf 1ebdb26979
updated to rc 1.5.1
Dimitri Huisman f7677543c6 Process code review remarks
- Moved run to bottom of Dockerfile to allow using unmodified / cached states.
- Simplified bash code in deploy.sh.
- Improved the large bash one-liner in CI.yml. It could not handle >9 for 1.x.
Dimitri Huisman 56dd70cf4a Implement versioning for CI/CD workflow (see ).
Alexander Graf 423b8a6b9b
Merge branch 'master' into update_roundcube
DjVinnii a6beb234ff Set timezone in roundcube.ini
DjVinnii 225160610b Set default TZ in Dockerfiles
Alexander Graf 6003e11533 duh. add timezone (again)
Alexander Graf 949efcf537 prevent endless redirect loop on nginx failure
Alexander Graf c89045ed03 duh
Alexander Graf 920ac4cd21 updated to php8. fixed login. fixed max_filesize.
Alexander Graf 46d27e48ff Merge remote-tracking branch 'upstream/master' into update_roundcube
DjVinnii a1f0c20583 Add tzdata to webmails
Alexander Graf ee45475567 updated roundcube. added cleanup run at startup
Dimitri Huisman 5232bd38fd Simplify webmail logout.
Dimitri Huisman 44d2448412 Updated SSO logic for webmails. Fixed small bug rate limiting.
Alexander Graf ef9e1ac279 remove health check from log
Alexander Graf 7380b248cf direct logging of php errors to stderr
Alexander Graf cd17aa0c43 repair failing health-check
Alexander Graf 16691e83ad re-enable mod_rewrite in roundcube
moved chown/mkdir/symlink from start.py to Dockerfile
Diman0 7083b3f7c6 Fix roundcube sso header issue
Removed apache rewrite module.
Alexander Graf 6c510e2e86 enabled caching via .htaccess
Florent Daigniere defea3258d update arm builds too
Alexander Graf 14bdeb5e1e Update version of roundcube webmail and carddav plugin.
This is a security update.

- roundcube 1.4.11
- carddav 4.1.2
bors[bot] fc1a663da2
Merge
1754: centralize Webmail authentication behind the admin panel (SSO) r=mergify[bot] a=nextgens

## What type of PR?

Enhancement: it centralizes the authentication of webmails to the admin interface.

## What does this PR do?

It implements the glue required for webmails to do SSO using the admin interface.
One of the main advantages of centralizing things this way is that it reduces significantly the attack surface available to an unauthenticated attacker (no webmail access until there is a valid Flask session).

Others include the ability to implement 2FA down the line and rate-limit things as required.

### Related issue(s)
- 

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
parisni a9548e4cbd Remove mailu/roundcube shared host
parisni 5386e33af3 Reformat python
parisni 49c5c0eba6 Split mailu / roundcube db config
There is no reason to share the flavor since at least the dbname shall be different.
Florent Daigniere dd3d03f06d Merge remote-tracking branch 'upstream/master' into webmail-sso