Hi @eris ,
After digging I managed to have the /var/lib/roundcube/xcalendar/caldav directory served by the subdomain caldav.example.com. However, when loading the index.php from the plugin I received 500 error and after checking the logs (as I usually do 
) I found the following:
[Sun Jan 15 19:11:55.298436 2023] [core:alert] [pid 24729:tid 281473211625664] [client XXX.XXX.XXX.XXX:0] /var/lib/roundcube/.htaccess: <IfModule not allowed here
The above occurred despite the fact that the AllowOverride All directive was already entered in the new root directory section within the newly created apache template.
After that I deselected the customized Apache template previously in place from the GUI and created two new templates:
- /usr/local/hestia/data/templates/web/php-fpm/caldav-PHP-8_0.tpl
- /usr/local/hestia/data/templates/web/nginx/caldavnginx.stpl and /usr/local/hestia/data/templates/web/nginx/caldavnginx.tpl
At this point the logs reported the warning message restriction about open_basedir (as per your comment):
[Sun Jan 15 19:48:15.169849 2023] [proxy_fcgi:error] [pid 49028:tid 281473046933696] [client 84.203.3.161:0] AH01071: Got error 'PHP message: PHP Warning: require_once(): open_basedir restriction in effect. File(/home/ivanobuffa/vendor/autoload.php) is not within the allowed path(s): (/home/ivanobuffa/.composer:/home/ivanobuffa/web/caldav.example.com/public_html:/home/ivanobuffa/web/caldav.example.com/private:/home/ivanobuffa/web/caldav.example.com/public_shtml:/home/ivanobuffa/tmp:/tmp:/bin:/usr/bin:/usr/local/bin:/usr/share:/opt) in /var/lib/roundcube/plugins/xcalendar/caldav/index.php on line 11PHP message: PHP Warning: require_once(/home/ivanobuffa/vendor/autoload.php): Failed to open stream: Operation not permitted in /var/lib/roundcube/plugins/xcalendar/caldav/index.php on line 11PHP message
After that I modified the PHP script from the purchased plugin by replacing this:
defined("RCUBE_INSTALL_PATH") || define("RCUBE_INSTALL_PATH", dirname(dirname(dirname(dirname($_SERVER["SCRIPT_FILENAME"])))) . "/");
with this:
define("RCUBE_INSTALL_PATH","/var/lib/roundcube/");
and created another web php-fpm template setting the php_admin_value[open_basedir] to none (I understand this is not safe).
As of now the plugin works fine with the following templates in place:
Where:
- The file /usr/local/hestia/data/templates/web/php-fpm/caldav-PHP-8_0_no_base_dir.tpl contains the following:
; origin-src: deb/php-fpm/multiphp.tpl
[%domain%]
listen = /run/php/php%backend_version%-fpm-%domain%.sock
listen.owner = %user%
listen.group = www-data
listen.mode = 0660
user = %user%
group = %user%
pm = ondemand
pm.max_children = 8
pm.max_requests = 4000
pm.process_idle_timeout = 10s
pm.status_path = /status
php_admin_value[upload_tmp_dir] = /home/%user%/tmp
php_admin_value[session.save_path] = /home/%user%/tmp
php_admin_value[open_basedir] = none
php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f admin@%domain%
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /home/%user%/tmp
env[TMPDIR] = /home/%user%/tmp
env[TEMP] = /home/%user%/tmp
- The file /usr/local/hestia/data/templates/web/nginx/caldavnginx.stpl contains the following:
#=========================================================================#
# Default Web Domain Template #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
# https://docs.hestiacp.com/admin_docs/web.html#how-do-web-templates-work #
#=========================================================================#
server {
listen %ip%:%proxy_ssl_port% ssl http2;
server_name %domain_idn% %alias_idn%;
ssl_certificate %ssl_pem%;
ssl_certificate_key %ssl_key%;
ssl_stapling on;
ssl_stapling_verify on;
error_log /var/log/%web_system%/domains/%domain%.error.log error;
include %home%/%user%/conf/web/%domain%/nginx.hsts.conf*;
location / {
proxy_pass https://%ip%:%web_ssl_port%;
location ~* ^.+\.(%proxy_extensions%)$ {
root /var/lib/roundcube/plugins/xcalendar/caldav/;
access_log /var/log/%web_system%/domains/%domain%.log combined;
access_log /var/log/%web_system%/domains/%domain%.bytes bytes;
expires max;
try_files $uri @fallback;
}
}
location /error/ {
alias %home%/%user%/web/%domain%/document_errors/;
}
location @fallback {
proxy_pass https://%ip%:%web_ssl_port%;
}
location ~ /\.(?!well-known\/|file) {
deny all;
return 404;
}
proxy_hide_header Upgrade;
include %home%/%user%/conf/web/%domain%/nginx.ssl.conf_*;
}
- The file /usr/local/hestia/data/templates/web/nginx/caldavnginx.tpl contains the following:
#=========================================================================#
# Default Web Domain Template #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
# https://docs.hestiacp.com/admin_docs/web.html#how-do-web-templates-work #
#=========================================================================#
server {
listen %ip%:%proxy_port%;
server_name %domain_idn% %alias_idn%;
include %home%/%user%/conf/web/%domain%/nginx.forcessl.conf*;
location / {
proxy_pass http://%ip%:%web_port%;
location ~* ^.+\.(%proxy_extensions%)$ {
root /var/lib/roundcube/plugins/xcalendar/caldav/;
access_log /var/log/%web_system%/domains/%domain%.log combined;
access_log /var/log/%web_system%/domains/%domain%.bytes bytes;
expires max;
try_files $uri @fallback;
}
}
location /error/ {
alias %home%/%user%/web/%domain%/document_errors/;
}
location @fallback {
proxy_pass http://%ip%:%web_port%;
}
location ~ /\.(?!well-known\/|file) {
deny all;
return 404;
}
include %home%/%user%/conf/web/%domain%/nginx.conf_*;
}
As of now logs do not report any error message. I might consider the above procedure as a valid solution but I’m wondering if the variable php_admin_value[open_basedir] must be set to /usr/share/roundcube.
Any idea?
Note: the fragments of logs reported above have been filtered for privacy reason!
):
