locking phpmyadmin access on IP

Issues related to configuring your network
Post Reply
Blisk
Posts: 316
Joined: 2011/07/04 14:49:51
Contact:

locking phpmyadmin access on IP

Post by Blisk » 2022/04/22 10:48:28

I am trying to lock access to phpmyadmin to my IP.
Problem is because centos 8 serveri is behind haproxy.
How to setup apache to lock access on my IP and ban everything else?
below is phpmyadmin.conf in apache setting for access locked on IPs.
If I dont insert in haproxy IP 192.168.1.1 access doesn't work, when I incert 192.168.1.1 that everybody can access phpmyadmin.
<Directory /usr/share/phpMyAdmin/>
AddDefaultCharset UTF-8

<IfModule mod_authz_core.c>
# Apache 2.4
<RequireAny>
Require ip 127.0.0.1 123.123.123.123 192.168.1.1
Require ip ::1
</RequireAny>
</IfModule>
<IfModule !mod_authz_core.c>
# Apache 2.2
Order Deny,Allow
Deny from All
Allow from 127.0.0.1 123.123.123.123 192.168.1.1
Allow from ::1
</IfModule>
</Directory>

<Directory /usr/share/phpMyAdmin/setup/>
<IfModule mod_authz_core.c>
# Apache 2.4
<RequireAny>
Require ip 127.0.0.1
Require ip ::1
</RequireAny>
</IfModule>
<IfModule !mod_authz_core.c>
# Apache 2.2
Order Deny,Allow
Deny from All
Allow from 127.0.0.1 123.123.123.123 192.168.1.1
Allow from ::1
</IfModule>
</Directory>

User avatar
jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: locking phpmyadmin access on IP

Post by jlehtone » 2022/04/22 14:52:20

What is "haproxy"? I.e. does it do network address translation to hide client from the server?

Details on Apache config ... does Apache have support forums?

Blisk
Posts: 316
Joined: 2011/07/04 14:49:51
Contact:

Re: locking phpmyadmin access on IP

Post by Blisk » 2022/04/22 15:08:35

haproxy is proxy where you have one public IP and multiple servers with websites behind.

BShT
Posts: 584
Joined: 2019/10/09 12:31:40

Re: locking phpmyadmin access on IP

Post by BShT » 2022/04/22 18:03:19

you have to set haproxy to deliver X-Forwarded-For header and set your vhost to deny based on X-Forwarded-For

you can only do this with http mode. it will not work and it will never work in tcp mode.

Blisk
Posts: 316
Joined: 2011/07/04 14:49:51
Contact:

Re: locking phpmyadmin access on IP

Post by Blisk » 2022/04/22 19:57:19

BShT wrote:
2022/04/22 18:03:19
you have to set haproxy to deliver X-Forwarded-For header and set your vhost to deny based on X-Forwarded-For

you can only do this with http mode. it will not work and it will never work in tcp mode.
Sorry I dont understand this quite well, can you explain it a bit more?

User avatar
TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: locking phpmyadmin access on IP

Post by TrevorH » 2022/04/22 20:24:18

The problem is that all requests that come via haproxy appear to your web server to originate from the haproxy ip address. To address this, ha proxy adds an extra header to the http request "X-Forwarded-For:" which contains the original requestors ip address. You need to find a way to get your web server to look at that header instead of the originating ip address.

On CentOS 8 (and presumably Stream 8), apache httpd supplies a mod_remoteip.so that can be used to fix this. See https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

Blisk
Posts: 316
Joined: 2011/07/04 14:49:51
Contact:

Re: locking phpmyadmin access on IP

Post by Blisk » 2022/04/23 08:27:57

TrevorH wrote:
2022/04/22 20:24:18
The problem is that all requests that come via haproxy appear to your web server to originate from the haproxy ip address. To address this, ha proxy adds an extra header to the http request "X-Forwarded-For:" which contains the original requestors ip address. You need to find a way to get your web server to look at that header instead of the originating ip address.

On CentOS 8 (and presumably Stream 8), apache httpd supplies a mod_remoteip.so that can be used to fix this. See https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html
Thank you, I already looked for that remoteip mod, but didn't know if that will be solution, so I ask first.
I will use remote IP.

Post Reply