Roundcube Update From Debian Jessie to Stretch (8 -> 9)
Guess what I did the whole weekend….yes, I was updating Jessie to Stretch. In some ways it was a bit painful and I’m happy it’s over. I just need to set up Let’s Encrypt.
However, updating Roundcube was a pain (1.1.x -> 1.2.6). Here is what you should do:
- update roundcube package (
- there will be a dialog about conflict in files - keep installed current version
- the update script will copy a new version of conflicting files into /etc/roundcube with .dist-new extension, i.e. defaults.inc.php.dist-new. You should update config.inc.php, defaults.inc.php and htaccess
- diff it!, i.e. diff defaults.inc.php defaults.inc.php.dist-new and copy new configuration options manually into the old file
- run database migrations 2014042900.sql, 2015030800.sql, 2015111100.sql by hand from /usr/share/roundcube/SQL/mysql. For postgres, mssql, sqlite or oracle go to respective folders. I did it via phpmyadmin (sigh)
- Stretch has PHP7, so I removed PHP5 altogether. Update <IfModule mod_php7.c> in /etc/roundcube/htaccess
- Restart Apache with systemctl restart apache2 and it should work now
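One way to support the "diff it" step for the .inc.php files, as an added example that is not from the original post or from the Roundcube project: it lists option names that a .dist-new file defines but the live file does not. The function names and sample files are constructed for illustration, and it assumes options are written one per line as $config['name'] = ...;

```shell
#!/bin/sh
# Added example: list Roundcube options that a *.dist-new file defines but
# the config currently in use does not. Helper names are hypothetical.

# Print option names assigned as $config['name'] (commented-out lines are skipped).
config_keys() {
    LC_ALL=C sed -nE "s/^[[:space:]]*\\\$config\['([A-Za-z0-9_]+)'\].*/\1/p" "$1" |
        LC_ALL=C sort -u
}

# Print keys present in $2 (packaged .dist-new) but absent from $1 (live file).
missing_keys() {
    tmp_old=$(mktemp) && tmp_new=$(mktemp) || return 1
    config_keys "$1" > "$tmp_old"
    config_keys "$2" > "$tmp_new"
    LC_ALL=C comm -13 "$tmp_old" "$tmp_new"
    rm -f "$tmp_old" "$tmp_new"
}

# Report missing options for every *.inc.php.dist-new in a directory.
report_dir() {
    for dist in "$1"/*.inc.php.dist-new; do
        [ -e "$dist" ] || continue
        live=${dist%.dist-new}
        [ -e "$live" ] || continue
        echo "== in ${dist##*/} but not in ${live##*/}:"
        missing_keys "$live" "$dist"
    done
}

# With a directory argument, check it; otherwise run on constructed sample files.
if [ $# -gt 0 ]; then
    report_dir "$1"
else
    demo=$(mktemp -d)
    printf '%s\n' "\$config['db_dsnw'] = 'mysql://localhost/rc';" \
        "// \$config['disabled_option'] = 1;" > "$demo/config.inc.php"
    printf '%s\n' "\$config['db_dsnw'] = 'mysql://localhost/rc';" \
        "\$config['sample_new_option'] = true;" > "$demo/config.inc.php.dist-new"
    report_dir "$demo"
    rm -rf "$demo"
fi
```

Pass /etc/roundcube as the argument after the package upgrade. It reports only option names that are missing, so changed values still need the manual diff.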
Well, there are things not to do or to be careful about:
- manual upgrade from https://github.com/roundcube/roundcubemail/wiki/Upgrade#run-the-installer doesn’t work. Forget about installer
- /usr/share/roundcube/bin/update.sh doesn’t work. With some hacking it will, but won’t be useful since we’ve merged our config manually anyways
- /usr/share/roundcube/bin/updatedb.sh also doesn’t work and I wasn’t able to get it working. This should migrate the database. Fuck this, I was really disappointed…and enraged
Apache 2 pitfalls
Uncommenting this useful setting is fine and works
    <Directory />
        AllowOverride None
        Require all denied
    </Directory>
However keep this commented out. Roundcube will get stuck with it:
#Header set X-Frame-Options: "sameorigin"
Apache config https://cipherli.st/
SSL configuration from cipherli.st is the best and ultra paranoid. However, I removed HSTS (my SSL certs are self-signed).
And comment out X-Frame-Options:
#Header always set X-Frame-Options DENY
That will break Roundcube for sure. When I think about it the option in security.conf could work….but I don’t have energy to tinker with it anymore.
So the whole file /etc/apache2/conf-enabled/ssl-settings.conf contains this:
    # https://cipherli.st/
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder On
    Header always set X-Content-Type-Options nosniff
    # Requires Apache >= 2.4
    SSLCompression off
    SSLUseStapling on
    SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
    # Requires Apache >= 2.4.11
    SSLSessionTickets Off
That’s all, guys. I’m really exhausted after two days and I need to chill now….