roundcube web install 403 error

exact steps/commands you used ?

 

If on Centmin Mod 123.09beta01, you may have ran into the new tools/autoprotect.sh cronjob feature outlined at Beta Branch - autoprotect.sh - apache .htaccess check & migration to nginx deny all | Centmin Mod Community You uploaded scripts may have .htaccess deny from all type files in their directories which may need bypassing autoprotect. It's a security feature that no other nginx based stack has as far as I know

So instead, all .htaccess 'deny from all' detected directories now get auto generated Nginx equivalent location match and deny all setups except if you want to manually bypass the directory from auto protection via a .autoprotect-bypass file - details below here.

You can read a few threads below on how autoprotect.sh may have caught some folks web apps falsely and the workarounds or improvements made to autoprotect.sh with the help of users feedback and troubleshooting.

• Is it better to add an exeption for 127.0.0.1 for autoprotect rules? | Centmin Mod Community
• IP.Board - Query on autoprotect + IPB forums | Centmin Mod Community
• Wordpress - Akismet JS and CSS - Forbidden? | Centmin Mod Community
• Nginx - Error 403 nginx with sngine script

Check if your nginx vhost at either or both /usr/local/nginx/conf/conf.d/domain.com.conf and/or /usr/local/nginx/conf/conf.d/domain.com.ssl.conf has include file for autoprotect example

Code (Text):

include /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf;

see if your directory for the script which has issues is caught in an autoprotect include entry in /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf which has a deny all entry

Code (Text):

cat /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf

i.e.

Code (Text):

# /home/nginx/domains/domain.com/public/subdirectory/js
location ~* ^/subdirectory/js/ { allow 127.0.0.1; deny all; }

If caught you can whitelist it by autoprotect bypass .autoprotect-bypass file - details below here. So if problem js file is at domain.com/subdirectory/js/file.js then it is likely /subdirectory/js has a .htaccess with deny all in it - make sure that directory is meant to be publicly accessible by contacting author of script and if so, you can whitelist it and re-run autoprotect script to regenerate your /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf include file

Code (Text):

cd /home/nginx/domains/domain.com/public/subdirectory/js
touch .autoprotect-bypass
/usr/local/src/centminmod/tools/autoprotect.sh
nprestart

it maybe you need to also whitelist /subdirectory then it would be as follows creating bypass files at /home/nginx/domains/domain.com/public/subdirectory/.autoprotect-bypass and /home/nginx/domains/domain.com/public/subdirectory/js/.autoprotect-bypass

Code (Text):

cd /home/nginx/domains/domain.com/public/subdirectory/
touch .autoprotect-bypass
cd /home/nginx/domains/domain.com/public/subdirectory/js
touch .autoprotect-bypass
/usr/local/src/centminmod/tools/autoprotect.sh
nprestart

then double check to see if updated /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf include file now doesn't show an entry for /subdirectory/js

 

you may need nginx rewrite rules for web gui roundcube so ask the developers if they have nginx rules