1

Topic: phpmyadmin: restrict access to local network only ?

==== Required information ====
- iRedMail version: 0.8.6
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):  LDAP
- Linux/BSD distribution name and version: Ubuntu 12.04.3 LTS
- Related log if you're reporting an issue:
====
Hello !

I want to restrict access to phpmyadmin only to local network.
Before, without iRedMail, I edited /etc/phpmyadmin/apache.conf and modified this:
[...]
<Directory /usr/share/phpmyadmin>
        Options FollowSymLinks
        DirectoryIndex index.php
        Order Deny,Allow
        Deny from all
        Allow from 127.0.0.1        # local
        Allow from 192.168.1.0/24    # local network
[...]

But now it doesn't seem to work: I can still access php from the internet.

Thank you for your help.

Vincent

2

Re: phpmyadmin: restrict access to local network only ?

Try /etc/apache2/conf.d/phpmyadmin.conf instead.

3

Re: phpmyadmin: restrict access to local network only ?

Hello,

There is no phpmyadmin.conf in /etc/apache2/conf.d

Do I have to copy /etc/phpmyadmin/apache.conf to /etc/apache2/conf.d/phpmyadmin.conf?

Thanks

4

Re: phpmyadmin: restrict access to local network only ?

My mistake, phpMyAdmin is installed from Ubuntu apt repository, not from source tarball.
You should edit /etc/apache2/sites-enabled/default-ssl instead.

5

Re: phpmyadmin: restrict access to local network only ?

ZhangHuangbin wrote:

My mistake, phpMyAdmin is installed from Ubuntu apt repository, not from source tarball.
You should edit /etc/apache2/sites-enabled/default-ssl instead.

Hello,

I'll try it, but if:

[...]
        DocumentRoot /var/www
        <Directory />
                Options FollowSymLinks
                AllowOverride None
                Order Deny,Allow
                Deny from all
                Allow from 127.0.0.1            # local
                Allow from 192.168.1.0/24      # localnetwork
        </Directory>
[...]

all aliases are restricted, including alias /mail (roundcube), and I want to access roundcube from the internet.

No ?

Thanks

6

Re: phpmyadmin: restrict access to local network only ?

Show us what you did please. Pasting full config file is better. WARNING: replace/hide sensitive info before posting.

7 (edited by Vincent 2013-12-29 23:09:47)

Re: phpmyadmin: restrict access to local network only ?

ZhangHuangbin wrote:

Show us what you did please. Pasting full config file is better. WARNING: replace/hide sensitive info before posting.

 nano /etc/apache2/sites-available/default-ssl
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
        ServerAdmin webmaster@localhost

        DocumentRoot /var/www
        <Directory />
                Options FollowSymLinks
                AllowOverride None
                Order Deny,Allow
                Deny from all
                Allow from 127.0.0.1            # local
                Allow from 192.168.1.0/24      # localnetwork
        </Directory>
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log

        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

        Alias /doc/ "/usr/share/doc/"
        <Directory "/usr/share/doc/">
                Options Indexes MultiViews FollowSymLinks
                AllowOverride None
                Order deny,allow
                Deny from all
                Allow from 127.0.0.0/255.0.0.0 ::1/128
        </Directory>

        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/iRedMail_CA.pem
        SSLCertificateKeyFile /etc/ssl/private/iRedMail.key

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

Alias /cluebringer "/usr/share/postfix-cluebringer-webui/webui/"
Alias /iredadmin/static "/usr/share/apache2/iredadmin/static/"
WSGIScriptAlias /iredadmin "/usr/share/apache2/iredadmin/iredadmin.py/"
Alias /awstats/icon "/usr/share/awstats/icon/"
Alias /awstatsicon "/usr/share/awstats/icon/"
ScriptAlias /awstats "/usr/lib/cgi-bin/"
Alias /mail "/usr/share/apache2/roundcubemail/"
Alias /phpldapadmin "/usr/share/phpldapadmin/"
Alias /ldap "/usr/share/phpldapadmin/"
Alias /phpmyadmin "/usr/share/phpmyadmin/"
</VirtualHost>
</IfModule>
 service apache2 reload 

With this, the whole site is inaccessible from the internet.
So I would like to unblock access to roundcube from the internet.

Maybe I can do this in addition:

nano /etc/apache2/conf.d/roundcubemail.conf
Alias /mail "/usr/share/apache2/roundcubemail/"
<Directory "/usr/share/apache2/roundcubemail/">
    Options -Indexes
    Order Allow,Deny
    Allow from all
</Directory>

Right ?

Thank you

8

Re: phpmyadmin: restrict access to local network only ?

Vincent wrote:

        <Directory "/usr/share/doc/">
                Options Indexes MultiViews FollowSymLinks
                AllowOverride None
                Order deny,allow
                Deny from all
                Allow from 127.0.0.0/255.0.0.0 ::1/128
        </Directory>

If you want to restrict phpMyAdmin, please use this directory:

<Directory /usr/share/phpmyadmin>

9

Re: phpmyadmin: restrict access to local network only ?

ZhangHuangbin wrote:

If you want to restrict phpMyAdmin, please use this directory:

<Directory /usr/share/phpmyadmin>

Thank you very much, it works very well.

But for awstats, it does not seem to work...
Do you have an idea for this module?

Thank you

10

Re: phpmyadmin: restrict access to local network only ?

Vincent wrote:

But for awstats, it does not seem to work...

Do you want to restrict access for Awstats? Then do it the same way as phpMyAdmin, just add one more <Directory> directive. If it doesn't work, show us what you did (full config file).

11

Re: phpmyadmin: restrict access to local network only ?

ZhangHuangbin wrote:

Do you want to restrict access for Awstats? Then do it the same way as phpMyAdmin, just add one more <Directory> directive. If it doesn't work, show us what you did (full config file).

Yes, I did it the same way as phpmyadmin:

=> nano /etc/apache2/sites-available/default-ssl

<IfModule mod_ssl.c>
<VirtualHost _default_:443>
        ServerAdmin webmaster@localhost

        DocumentRoot /var/www
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>

        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

# Restrict awstats access
        <Directory /usr/share/awstats/icon/>
                Order Deny,Allow
                Deny from all
                Allow from 127.0.0.1            # local
                Allow from 192.168.1.0/24      # localnetwork
        </Directory>


        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log

        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

        Alias /doc/ "/usr/share/doc/"
        <Directory "/usr/share/doc/">
                Options Indexes MultiViews FollowSymLinks
                AllowOverride None
                Order deny,allow
                Deny from all
                Allow from 127.0.0.0/255.0.0.0 ::1/128
        </Directory>

        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/iRedMail_CA.pem
        SSLCertificateKeyFile /etc/ssl/private/iRedMail.key

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

Alias /cluebringer "/usr/share/postfix-cluebringer-webui/webui/"
Alias /iredadmin/static "/usr/share/apache2/iredadmin/static/"
WSGIScriptAlias /iredadmin "/usr/share/apache2/iredadmin/iredadmin.py/"
Alias /awstats/icon "/usr/share/awstats/icon/"
Alias /awstatsicon "/usr/share/awstats/icon/"
ScriptAlias /awstats "/usr/lib/cgi-bin/"
Alias /mail "/usr/share/apache2/roundcubemail/"
Alias /phpldapadmin "/usr/share/phpldapadmin/"
Alias /ldap "/usr/share/phpldapadmin/"
Alias /phpmyadmin "/usr/share/phpmyadmin/"
</VirtualHost>
</IfModule>

=> service apache2 reload
=> service apache2 restart

But for:
        - https://mail.mysite.com/awstats/awstats.pl
        - https://mail.mysite.com/awstats/awstats.pl?config=web
        - https://mail.mysite.com/awstats/awstats.pl?config=smtp
I can identify and enter statistics with an internet access.

I'm not an experienced Linux user.
Maybe this is the normal operation of cgi?

I just wanted to see statistics only from the local network because I think in my case (self-hosting), it is unnecessary to allow access from the internet.
Maybe it is too difficult to change this part? In this case, it does not matter.

Thank you for your patience and availability

12

Re: phpmyadmin: restrict access to local network only ?

I guess you should restrict directory "/usr/share/awstats/" instead of "/usr/share/awstats/icon/".

Vincent wrote:

I just wanted to see statistics only from the local network

It's protected by username/password by default.

13 (edited by tyllee 2014-01-04 00:45:54)

Re: phpmyadmin: restrict access to local network only ?

Hi, I'm trying to restrict iredadmin-pro

Debian 6
iredmail 0.8.6 MySQL

/etc/apache2/sites-available/default-ssl

        <Directory /usr/share/apache2/iRedAdmin-Pro-MySQL-1.8.1>
                Options Indexes MultiViews FollowSymLinks
                AllowOverride None
                Order deny,allow
                Deny from all
                Allow from 127.0.0.0/255.0.0.0 ::1/128
        </Directory>

I can still access from internet…

What am I doing wrong?

14

Re: phpmyadmin: restrict access to local network only ?

Did you try the one below:

<Directory /usr/share/apache2/iredadmin>

15

Re: phpmyadmin: restrict access to local network only ?

ZhangHuangbin wrote:

Did you try the one below:

<Directory /usr/share/apache2/iredadmin>

Thank you!

16 (edited by tyllee 2014-01-05 04:59:37)

Re: phpmyadmin: restrict access to local network only ?

ZhangHuangbin wrote:

I guess you should restrict directory "/usr/share/awstats/" instead of "/usr/share/awstats/icon/".

Vincent wrote:

I just wanted to see statistics only from the local network

It's protected by username/password by default.

Debian 6
iredmail 0.8.6 MySQL

This did not work for me:
<Directory /usr/share/awstats>


But this restricted awstats for me:

<Directory /usr/lib/cgi-bin>
          DirectoryIndex awstats.pl
          Options ExecCGI
          Options FollowSymLinks
          order deny,allow
          deny from all
          allow from 127.0.0.1
  </Directory>

Is this an unclean way of solving it?

17

Re: phpmyadmin: restrict access to local network only ?

tyllee wrote:

Is this an unclean way of solving it?

This is the right one on Ubuntu.
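
The point the thread converges on is that an access rule protects a URL only if its <Directory> path covers the filesystem directory the Alias or ScriptAlias maps to, which is why restricting /usr/share/awstats/icon/ left /awstats/awstats.pl (served from /usr/lib/cgi-bin/) reachable. The following is an added example, not part of the original posts and not iRedMail code: a small auditor that resolves each alias to its directory and reports whether a "Deny from all" rule covers it. The function names and the constructed sample are assumptions, and rule selection is simplified to "the longest matching <Directory> that carries Order/Allow/Deny lines wins".

```python
import re

# Constructed sample modelled on the default-ssl file posted in the thread.
SAMPLE = """
<Directory /usr/share/awstats/icon/>
    Order Deny,Allow
    Deny from all
    Allow from 192.168.1.0/24
</Directory>
<Directory /usr/share/phpmyadmin>
    Order Deny,Allow
    Deny from all
    Allow from 192.168.1.0/24
</Directory>
Alias /awstats/icon "/usr/share/awstats/icon/"
ScriptAlias /awstats "/usr/lib/cgi-bin/"
Alias /mail "/usr/share/apache2/roundcubemail/"
Alias /phpmyadmin "/usr/share/phpmyadmin/"
"""

def norm(path):
    return path.strip('"').rstrip("/") + "/"   # compare paths with one trailing slash

def parse(conf):
    """Return ({url_prefix: directory}, {directory: [access directives]})."""
    aliases, blocks, current = {}, {}, None
    for line in conf.splitlines():
        line = line.strip()
        if m := re.match(r"(?i)(?:Script)?Alias\s+(\S+)\s+(\S+)", line):
            aliases[m.group(1)] = norm(m.group(2))
        elif m := re.match(r"(?i)<Directory\s+(.+?)>", line):
            current = norm(m.group(1))
            blocks[current] = []
        elif line.lower().startswith("</directory"):
            current = None
        elif current and re.match(r"(?i)(order|allow|deny)\b", line):
            blocks[current].append(" ".join(line.lower().split()))
    return aliases, blocks

def audit(conf):
    """Map each URL prefix to 'restricted' or 'open' (simplified merge model)."""
    aliases, blocks = parse(conf)
    result = {}
    for url, target in aliases.items():
        # Longest <Directory> path that contains the alias target and has access rules.
        matches = [d for d in blocks if target.startswith(d) and blocks[d]]
        rules = blocks[max(matches, key=len)] if matches else []
        result[url] = "restricted" if "deny from all" in rules else "open"
    return result
```

On the sample, `audit(SAMPLE)` reports /awstats as open until a <Directory /usr/lib/cgi-bin> block with "Deny from all" is added. Apache does not support a comment on the same line as a directive, so the constructed sample keeps its directives free of trailing `# ...` text.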