Add static files server (#9294)

Make use of public_html mandatory

INSTALL

@@ -33,7 +33,7 @@ REQUIREMENTS
 INSTALLATION
 ============
 
-1. Decompress and put this folder somewhere inside your document root.
+1. Decompress and put this folder somewhere inside your server's filesystem.
   Note: Make sure files have proper owner/group for your setup. If you use
   tar command `--no-same-owner` option might be helpful.
 2. In case you don't use the so-called "complete" release package,
@@ -46,20 +46,18 @@ INSTALLATION
     - run `php composer.phar update --no-dev`
   2.2. Install Javascript dependencies by executing `bin/install-jsdeps.sh` script.
   2.3. Install some developer tools by executing `npm install`.
+  2.4. If you use git sources, compile css files for the Elastic skin as described
+    in the skins/elastic/README.md file.
 3. Make sure that the following directories (and the files within)
    are writable by the webserver
    - /temp
    - /logs
 4. Create a new database and a database user for Roundcube (see DATABASE SETUP)
-5. Point your browser to http://url-to-roundcube/installer/
-6. Follow the instructions of the install script (or see MANUAL CONFIGURATION)
-7. After creating and testing the configuration, remove the installer directory
-   ------------------------------------------
-   IMPORTANT: REMOVE THE INSTALLER DIRECTORY!
-   ------------------------------------------
-8. If you use git sources, compile css files for the Elastic skin as described
-   in the skins/elastic/README.md file.
-9. Check Known Issues section of this file
+5. Configure your HTTP server and point it to Roundcube's public_html directory.
+   This is the document root.
+6. Point your browser to http://url-to-roundcube/installer.php.
+7. Follow the instructions of the install script (or see MANUAL CONFIGURATION).
+8. Check Known Issues section of this file
 
 
 CONFIGURATION HINTS
@@ -161,35 +159,6 @@ PHP settings: upload_max_filesize and post_max_size. Read more about PHP
 settings at https://github.com/roundcube/roundcubemail/wiki/Installation#php-configuration.
 
 
-SECURE YOUR INSTALLATION
-========================
-
-Access through the webserver to the following directories should be denied:
-
-  /config
-  /temp
-  /logs
-
-Roundcube uses .htaccess files to protect these directories, so be sure to
-allow override of the Limit directives to get them taken into account. The
-package also ships a .htaccess file in the root directory which defines some
-rewrite rules. In order to properly secure your installation, please enable
-mod_rewrite for Apache webserver and double check access to the above listed
-directories and their contents is denied.
-
-NOTE: In Apache 2.4, support for .htaccess files has been disabled by
-default. Therefore you first need to enable this in your Apache main or
-virtual host config by with:
-
-  AllowOverride all
-
-For non-apache web servers add equivalent configuration parameters to deny
-direct access to these private resources.
-
-It is also recommended to change the document root to <install path>/public_html
-after installation if Roundcube runs at root of a dedicated virtual host. This
-will automatically keep sensitive files out of reach for http requests.
-
 CONTENT-SECURITY-POLICY
 -----------------------
 
@@ -208,73 +177,8 @@ please refer to the instructions in UPGRADING guide.
 OPTIMISING
 ==========
 
-There are two forms of optimization here, compression and caching, both aimed
-at increasing an end user's experience using Roundcube Webmail. Compression
-allows the static web pages to be delivered with less bandwidth. The index.php
-of Roundcube Webmail already enables compression on its output. The settings
-below allow compression to occur for all static files. Caching sets HTTP
-response headers that enable a user's web client to understand what is static
-and how to cache it.
-
-The caching directives used are:
- * Etags - sets at tag so the client can request is the page has changed
- * Cache-control - defines the age of the page and that the page is 'public'
-   This enables clients to cache javascript files that don't have private
-   information between sessions even if using HTTPS. It also allows proxies
-   to share the same cached page between users.
- * Expires - provides another hint to increase the lifetime of static pages.
-
-For more information refer to RFC 2616.
-
-Side effects:
--------------
-These directives are designed for production use. If you are using this in
-a development environment you may get horribly confused if your webclient
-is caching stuff that you changed on the server. Disabling the expires
-parts below should save you some grief.
-
-If you are changing the skins, it is recommended that you copy content to
-a different directory apart from 'default'.
-
-Apache:
--------
-To enable these features in apache the following modules need to be enabled:
- * mod_deflate
- * mod_expires
- * mod_headers
-
-The optimization is already included in the .htaccess file in the top
-directory of your installation.
-
-Lighttpd:
----------
-With Lighttpd the addition of Expire: tags by mod_expire is incompatible with
-the addition of "Cache-control: public". Using Cache-control 'public' is
-used below as it is assumed to give a better caching result.
-
-Enable modules in server.modules:
-    "mod_setenv"
-    "mod_compress"
-
-Mod_compress is a server side cache of compressed files to improve its performance.
-
-$HTTP["host"] == "www.example.com" {
-
-    static-file.etags = "enable"
-    # http://redmine.lighttpd.net/projects/lighttpd/wiki/Etag.use-mtimeDetails
-    etag.use-mtime = "enable"
-
-    # http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:ModSetEnv
-    $HTTP["url"] =~ "^/roundcubemail/(plugins|skins|program)" {
-        setenv.add-response-header  = ( "Cache-Control" => "public, max-age=2592000")
-    }
-
-    # http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:ModCompress
-    # set compress.cache-dir to somewhere outside the docroot.
-    compress.cache-dir   = var.statedir + "/cache/compress"
-
-    compress.filetype = ("text/plain", "text/html", "text/javascript", "text/css", "text/xml", "image/gif", "image/png")
-}
+Roundcube can be further optimized by using HTTP compression and caching.
+HTTP server setup is out of scope for this manual. (TODO: wiki page).
 
 
 KNOWN ISSUES

UPGRADING

@@ -31,22 +31,23 @@ WARNING: If you use MySQL < 5.7.7 or MariaDB < 10.2.2 make sure to configure it
 
 Updating manually
 -----------------
-If you don't have shell access to the Roundcube installation or if not running
+If you don't have shell access to the Roundcube installation or if do not run
 it on a unix system, you need to do the following operations by hand:
 
-1. Replace index.php and all files in
-   - ./bin/
-   - ./SQL/
-   - ./program/
-   - ./installer/
+1. Replace all files in
+   - bin/
+   - SQL/
+   - public_html/
+   - program/
+   - installer/
 2. Replace the configuration defaults files:
    - config/defaults.inc.php
    - config/mimetypes.php
 3. rsync the contents of the following folders from your installation
    directory into the target folder:
-   ./skins/
-   ./plugins/
-   ./vendor/
+   - skins/
+   - plugins/
+   - vendor/
 4. Update dependencies:
 4a. If you previously installed plugins through composer, update dependencies
    by running `php composer.phar update --no-dev`.
@@ -62,7 +63,7 @@ it on a unix system, you need to do the following operations by hand:
 4e. If you use git sources, compile css files for the Elastic skin as described
    in the skins/elastic/README.md file.
 5. Run `./bin/update.sh` from the commandline OR
-   open http://url-to-roundcube/installer/ in a browser and choose "3 Test config".
+   open http://url-to-roundcube/installer.php in a browser and choose "3 Test config".
    To enable the latter one, you have to temporary set 'enable_installer'
    to true in your local config/config.inc.php file.
    WARNING: See SQLite database upgrade below.

bin/installto.sh

@@ -58,7 +58,7 @@ if (strtolower($input) == 'y') {
     echo 'Copying files to target location...';
 
     $adds = [];
-    $dirs = ['bin', 'SQL', 'plugins', 'skins', 'program', 'public_html'];
+    $dirs = ['bin', 'SQL', 'plugins', 'skins', 'program'];
 
     if (is_dir(INSTALL_PATH . 'vendor') && (!is_file("{$target_dir}/composer.json") || rcmail_install::vendor_dir_untouched($target_dir))) {
         $dirs[] = 'vendor';
@@ -77,7 +77,11 @@ if (strtolower($input) == 'y') {
         }
     }
 
-    foreach (['index.php', 'config/defaults.inc.php', 'composer.json-dist', 'jsdeps.json', 'CHANGELOG.md', 'README.md', 'UPGRADING', 'LICENSE', 'INSTALL'] as $file) {
+    $files = ['config/defaults.inc.php', 'composer.json-dist', 'jsdeps.json',
+        'CHANGELOG.md', 'README.md', 'UPGRADING', 'LICENSE', 'INSTALL',
+        'public_html/index.php', 'public_html/installer.php', 'public_html/static.php'];
+
+    foreach ($files as $file) {
         $source_file = $file === 'composer.json-dist' ? 'composer.json' : $file;
         $command = 'rsync -a --out-format=%n ' . INSTALL_PATH . "{$source_file} {$target_dir}/{$file}";
 
@@ -87,7 +91,7 @@ if (strtolower($input) == 'y') {
     }
 
     // Copy .htaccess or .user.ini if needed
-    foreach (['.htaccess', '.user.ini'] as $file) {
+    foreach (['public_html/.htaccess', 'public_html/.user.ini'] as $file) {
         if (file_exists(INSTALL_PATH . $file)) {
             if (!file_exists("{$target_dir}/{$file}") || file_get_contents(INSTALL_PATH . $file) != file_get_contents("{$target_dir}/{$file}")) {
                 if (copy(INSTALL_PATH . $file, "{$target_dir}/{$file}.new")) {

composer.json

@@ -15,7 +15,8 @@
         "pear/net_smtp": "~1.12.0",
         "pear/pear-core-minimal": "~1.10.1",
         "roundcube/plugin-installer": "~0.3.5",
-        "roundcube/rtf-html-php": "^2.1"
+        "roundcube/rtf-html-php": "^2.1",
+        "symfony/polyfill-php80": "^1.31"
     },
     "require-dev": {
         "ergebnis/composer-normalize": "^2.13",

config/defaults.inc.php

@@ -875,11 +875,7 @@
 //    <FilesMatch ".(eot|ttf|woff)">
 //    Header set Access-Control-Allow-Origin "*"
 //    </FilesMatch>
-$config['assets_path'] = '';
-
-// While assets_path is for the browser, assets_dir informs
-// PHP code about the location of asset files in filesystem
-$config['assets_dir'] = '';
+$config['assets_path'] = null;
 
 // Options passed when creating Guzzle HTTP client, used to fetch remote content
 // For example: