Roundcube gets 403 error after I have changed its default Webmail URL

Discussion in 'Installation/Configuration' started by concept21, Aug 10, 2021.

  1. concept21

    concept21 Active Member HowtoForge Supporter

    Hello,
    I changed the default alias in the file /etc/roundcube/apache.conf
    from
    Alias /webmail /var/lib/roundcube
    to
    Alias /random_string /var/lib/roundcube

    Then, when I browse https://server1.example.com:8080/random_string/
    The Roundcube interface is blocked. The browser shows a 403 error. It used to work after I had changed the default webmail URL.

    How do I correct it? My system is Ubuntu 20.04, ISPConfig 3.2.5. :(
     
    Last edited: Aug 10, 2021
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    What you probably want is the built-in 'use_secure_urls' feature rather than just a fixed random_string in the path. Set this in the Roundcube config:
    Code:
    $config['force_https'] = true;
    $config['http_received_header'] = true;
    $config['http_received_header_encrypt'] = true;
    $config['log_logins'] = true;
    $config['use_secure_urls'] = true;
    $config['assets_path'] = '/assets/';
    
    Incorporate these /etc/apache2/conf-available/roundcube.conf settings:
    Code:
    # this is so use_secure_urls works, though in practice these must be added to the virtualhost as well:
    RewriteEngine on
    RewriteRule ^/roundcube/[a-zA-Z0-9]{16}/(.*)$ /roundcube/$1 [PT]
    # do not rewrite all 16char base paths, only use /roundcube/ paths
    #RewriteRule ^/[a-zA-Z0-9]{16}/(.*)$ /roundcube/$1 [PT]
    
    # this is for /roundcube path and above passthrough when roundcube is document root
    Alias /roundcube /var/lib/roundcube
    #Alias /roundcube /var/lib/roundcube/public_html
    
    # proxy /webmail paths to /roundcube
    #Alias /webmail /var/lib/roundcube
    RewriteRule    "^/webmail/(.*)$"  "https://server1.example.com/roundcube/$1"  [P]
    ProxyPassReverse "/webmail/" "https://server1.example.com/roundcube/"
    
    # this is for assets_path set to /assets
    Alias /assets /var/lib/roundcube
    
    <Directory /var/lib/roundcube/>
    .... standard roundcube.conf stuff after this
    
    And these in /etc/apache2/sites-available/ispconfig.vhost (remember to make these update-safe using a conf-custom file):
    Code:
    <VirtualHost _default_:443>
      ServerAdmin [email protected]
      ServerName server1.example.com
    
      Alias /mail /var/www/ispconfig/mail
    
      RewriteEngine On
      RewriteRule ^/roundcube/[a-zA-Z0-9]{16}/(.*) /roundcube/$1 [PT]
    # do not rewrite all 16char base paths, only use /roundcube/ paths
    #  RewriteRule ^/roundcube/[a-zA-Z0-9]{16}/(.*) /$1 [PT]
    #  RewriteRule ^/[a-zA-Z0-9]{16}/(.*) /$1 [P]
    
      RewriteRule    "^/webmail/(.*)$"  "https://server1.example.com/roundcube/$1"  [P]
      ProxyPassReverse "/webmail/" "https://server1.example.com/roundcube/"
    
      <Directory /var/www/ispconfig/>
    ... standard ispconfig.vhost stuff from here
    
    And not necessary for secure urls, but if you like the extra functionality, create
    /etc/apache2/conf-enabled/webmail.conf with:
    Code:
    # This makes the 'webmail.*' convenience hostname work on each domain.
    # We redirect to the local server's hostname to avoid SSL errors.
    # (This only catches https sites, the default port 80 vhost config
    #  will catch these subdomain names on http.)
    
    <If "%{HTTP_HOST} =~ /^(webmail|roundcube)\./">
           RedirectMatch permanent "(.*)" https://server1.example.com/webmail/
    </If>
    
    # Same for /webmail paths unless the site is already using https
    <If "%{HTTPS} == 'off'">
           RedirectMatch permanent "^/webmail(/.*)?$" https://server1.example.com/webmail/
    </If>
    
    <Directory /var/lib/roundcube/>
           <IfModule mod_headers.c>
                   Header setifempty Strict-Transport-Security "max-age=15768000"
                   Header always set X-Content-Type-Options: nosniff
                   Header always set X-Frame-Options: SAMEORIGIN
                   Header always set X-XSS-Protection: "1; mode=block"
                   Header unset Content-Security-Policy
                   Header add Content-Security-Policy "default-src https: 'unsafe-inline' 'unsafe-eval';connect-src https: wss:"
                   Header always edit Set-Cookie (.*) "$1; HTTPOnly; Secure"
           </IfModule>
    </Directory>
    
    And ensure you have the proxy and proxy_http apache modules enabled.
     
    ahrasis likes this.
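
The configuration in the post above only works when the Roundcube settings and the Apache directives agree with each other. The following consistency check is an added example, not code from the thread, ISPConfig or Roundcube. The function names (`lint`, `php_setting`, `directives`) are hypothetical and the sample inputs are constructed from the snippets posted above.

```python
import re

# Constructed sample inputs, modelled on the snippets in this thread.
ROUNDCUBE_PHP = """
$config['use_secure_urls'] = true;
$config['assets_path'] = '/assets/';
"""
APACHE_CONF = """
RewriteEngine on
RewriteRule ^/roundcube/[a-zA-Z0-9]{16}/(.*)$ /roundcube/$1 [PT]
#RewriteRule ^/[a-zA-Z0-9]{16}/(.*)$ /roundcube/$1 [PT]
Alias /roundcube /var/lib/roundcube
RewriteRule    "^/webmail/(.*)$"  "https://server1.example.com/roundcube/$1"  [P]
Alias /assets /var/lib/roundcube
"""
TOKEN = "[a-zA-Z0-9]{16}"  # token segment exactly as written in the thread's rules

def php_setting(text, key):
    """Return the value assigned to $config[key], unquoted, or None."""
    m = re.search(r"^\s*\$config\['%s'\]\s*=\s*(.+?);" % re.escape(key), text, re.M)
    return m.group(1).strip("'\" ") if m else None

def directives(conf, name):
    """Argument lists of active (uncommented) directives called `name`."""
    rows = (line.replace('"', "").split() for line in conf.splitlines())
    return [r[1:] for r in rows if r and r[0].lower() == name.lower()]

def lint(php, conf, loaded_modules):
    """Hypothetical consistency check; returns a list of finding strings."""
    findings = []
    aliases = {a[0].rstrip("/") for a in directives(conf, "Alias")}
    rules = directives(conf, "RewriteRule")
    if php_setting(php, "use_secure_urls") == "true":
        # The token must be stripped under a path that is actually aliased.
        if not any(r[0].startswith("^" + a + "/" + TOKEN) for r in rules for a in aliases):
            findings.append("no token RewriteRule under an aliased path")
        assets = php_setting(php, "assets_path")
        if assets and assets.rstrip("/") not in aliases:
            findings.append("assets_path has no matching Alias")
    if any(r[0].startswith("^/" + TOKEN) for r in rules):
        findings.append("token rule rewrites every 16-character base path")
    proxied = any("P" in r[-1].strip("[]").split(",") for r in rules)
    if proxied and not {"proxy", "proxy_http"} <= set(loaded_modules):
        findings.append("[P] rule used but proxy/proxy_http not loaded")
    return findings

if __name__ == "__main__":
    for finding in lint(ROUNDCUBE_PHP, APACHE_CONF, ["rewrite"]):
        print("FINDING:", finding)
```

The list of loaded modules is passed in by the caller; on a live server it would come from the output of `apache2ctl -M`.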
  3. concept21

    concept21 Active Member HowtoForge Supporter

    WOW!!!
    Your solution is always more complicated than I can handle! :eek:
     
  4. concept21

    concept21 Active Member HowtoForge Supporter

    It used to be very simple in Ubuntu 18.04. For Ubuntu 20.04, these 2 lines become indispensable:
    Code:
    $config['use_secure_urls'] = true;
    $config['assets_path'] = '/assets/';
    
     
  5. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Sorry; getting that working took a bit, but cut & paste of the working config should be pretty simple? I should note that the server that came from is running the ispconfig interface on port 443, not 8080, which is why that's in that config snippet - you will need to adjust the server1.example.com urls to include the port number.
     
  6. concept21

    concept21 Active Member HowtoForge Supporter

    I have found a much simpler working method but it may not be as secure as yours.
    I set in file /etc/roundcube/config.inc.php
    $config['use_secure_urls'] = false;

    Then, in file /etc/roundcube/apache.conf, add these 2 lines:
    RewriteRule ^/roundcubemail/[a-zA-Z0-9]{16}/(.*) /roundcubemail/$1 [PT]
    Alias /roundcubemail /var/lib/roundcube/

    "roundcubemail" can be any random string. Then, run:
    systemctl reload apache2.service

    Now, visit
    https://yourdomain.tld/roundcubemail/
    Your mail box is right there! :D
     
    Last edited: Aug 11, 2021
