Roundcube is my favourite webmail client - and has been for a very long time. Already back in 2010 I deployed Roundcube across a couple of shared hosting servers which used Confixx as hosting configuration application and combined the Roundcube password change setting with the Confixx database.
The Roundcube project is still alive (yay!) and the last time I took a closer look at it was back in 2020 when I tested the new responsive "Elastic" skin in Roundcube 1.4.
This time I needed to take a closer look at the security settings of Roundcube. A recent security scan from OpenVAS revealed that the "secure" cookie attribute was not set:
This can be verified with a simple HTTP request:
$ curl -I https://webmail.infiniroot.net
HTTP/2 200
server: nginx
date: Mon, 17 Jan 2022 11:08:02 GMT
content-type: text/html; charset=UTF-8
vary: Accept-Encoding
set-cookie: roundcube_sessid=a2322e894psu3c1f6r84c7j4l1; path=/; HttpOnly
expires: Mon, 17 Jan 2022 11:08:02 GMT
last-modified: Mon, 17 Jan 2022 11:08:02 GMT
cache-control: private, no-cache, no-store, must-revalidate, post-check=0, pre-check=0
pragma: no-cache
x-frame-options: sameorigin
content-language: en
strict-transport-security: max-age=2678400
The set-cookie response header shows the relevant cookie data, but it is missing the "secure" attribute (or flag). This attribute is expected when the request happened over HTTPS, which is the case here.
Because Roundcube runs behind a reverse proxy that terminates TLS, Roundcube itself believes it is serving plain HTTP and therefore does not add the "secure" attribute to the set-cookie response header.
To change this, the config option "use_https" needs to be changed. The defaults.inc.php configuration file shows the following two options, related to HTTPS configuration:
// Enforce connections over https
// With this option enabled, all non-secure connections will be redirected.
// It can be also a port number, hostname or hostname:port if they are
// different than default HTTP_HOST:443
$config['force_https'] = false;
// tell PHP that it should work as under secure connection
// even if it doesn't recognize it as secure ($_SERVER['HTTPS'] is not set)
// e.g. when you're running Roundcube behind a https proxy
// this option is mutually exclusive to 'force_https' and only either one of them should be set to true.
$config['use_https'] = false;
Both options are set to false in the default configuration. The latter (use_https) specifically mentions "running Roundcube behind a https proxy", which perfectly describes our setup.
By adding this configuration option in config.inc.php (which overrides the defaults from defaults.inc.php), Roundcube is told that it actually runs under HTTPS:
$ grep use_https config.inc.php
$config['use_https'] = true;
Roundcube now automatically appends the "secure" attribute to the set-cookie header:
$ curl -I https://webmail.infiniroot.net
HTTP/2 200
server: nginx
date: Mon, 17 Jan 2022 11:10:39 GMT
content-type: text/html; charset=UTF-8
vary: Accept-Encoding
set-cookie: roundcube_sessid=rnea46cvt2h4uoqc6jkpmfglv2; path=/; secure; HttpOnly
expires: Mon, 17 Jan 2022 11:10:39 GMT
last-modified: Mon, 17 Jan 2022 11:10:39 GMT
cache-control: private, no-cache, no-store, must-revalidate, post-check=0, pre-check=0
pragma: no-cache
x-frame-options: sameorigin
content-language: en
strict-transport-security: max-age=2678400
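To repeat this check without reading the headers by eye, here is an added shell script (not from the post or the Roundcube project) that parses Set-Cookie headers and reports every cookie lacking the "secure" or "HttpOnly" attribute; the sample headers are constructed from the two curl outputs above, and the hostname in check_url() is the one used in the post.

```shell
#!/bin/sh
# Added example: audit Set-Cookie headers for the "secure" and "HttpOnly"
# attributes, the same check the OpenVAS scan flagged. Sample responses
# below are constructed from the before/after curl output in the post.

# audit_cookies HEADERS
# Prints one line per Set-Cookie header that lacks "secure" or "HttpOnly".
# Returns 0 if every cookie carries both, 1 otherwise. Attribute names are
# compared case-insensitively, as RFC 6265 requires.
audit_cookies() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        BEGIN { bad = 0 }
        tolower(substr($0, 1, 11)) == "set-cookie:" {
            cookie = substr($0, 12)
            n = split(cookie, part, ";")
            name = part[1]; sub(/^[ \t]+/, "", name); sub(/=.*/, "", name)
            secure = 0; httponly = 0
            for (i = 2; i <= n; i++) {
                attr = tolower(part[i]); gsub(/^[ \t]+|[ \t]+$/, "", attr)
                if (attr == "secure")   secure = 1
                if (attr == "httponly") httponly = 1
            }
            missing = ""
            if (!secure)   missing = missing " secure"
            if (!httponly) missing = missing " HttpOnly"
            if (missing != "") { print name ": missing" missing; bad = 1 }
        }
        END { exit bad }'
}

# check_url URL: live check against a running webmail host (needs curl and network).
check_url() {
    audit_cookies "$(curl -sI "$1")"
}

# Constructed samples, trimmed to the relevant headers from the post.
BEFORE_FIX='HTTP/2 200
set-cookie: roundcube_sessid=a2322e894psu3c1f6r84c7j4l1; path=/; HttpOnly
strict-transport-security: max-age=2678400'

AFTER_FIX='HTTP/2 200
set-cookie: roundcube_sessid=rnea46cvt2h4uoqc6jkpmfglv2; path=/; secure; HttpOnly
strict-transport-security: max-age=2678400'

audit_cookies "$BEFORE_FIX" || echo "before use_https=true: FAIL"
audit_cookies "$AFTER_FIX"  && echo "after use_https=true: OK"
# Live check against the host from the post: check_url https://webmail.infiniroot.net
```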