
So to help prevent brute-force attacks against my phpMyAdmin install, I've configured nginx to require HTTP Basic Auth (extra username and password), and then the requests need to come from a whitelisted IP address. The IP address whitelist works fine if I run https://example.com/phpmyadmin/; however, without adding the extra .php block I could load https://example.com/phpmyadmin/index.php without my IP being whitelisted. This issue doesn't affect the HTTP Basic Auth. Is there a reason this happens? Any way to get around having to add extra .php blocks? A copy of the config area for phpMyAdmin is below.

# Setup and secure phpMyAdmin
location /phpmyadmin/ {
    allow 1.2.3.4;
    deny all;
    auth_basic "phpMyAdmin - HTTP Basic Login";
    auth_basic_user_file /etc/nginx/pma_pass;

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        allow 1.2.3.4;
        deny all;
    }
}

1 Answer


In most PHP configurations, there is one location ~ \.php$ block that processes any URI that ends with .php, so adding restrictions to other location blocks will only affect the static files involved. See this document for more.

The cleanest solution is to use a prefix location with the ^~ modifier, which ensures that all URIs that begin with /phpmyadmin/ are processed by that block, and other locations at the top level do not bypass your security. See this document for more.

As you have discovered, you will need to add a nested location to handle PHP within that block, but the authentication statements should all be inherited and do not need to be repeated within the inner block.

For example:

location ^~ /phpmyadmin/ {
    allow 1.2.3.4;
    deny all;
    auth_basic "phpMyAdmin - HTTP Basic Login";
    auth_basic_user_file /etc/nginx/pma_pass;

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }
}
Richard Smith
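As an added example (not part of the answer above and not nginx's own code), this simplified Python model of nginx's location selection shows why /phpmyadmin/index.php escapes a plain prefix block and why the ^~ form with a nested PHP location keeps it restricted. The site-wide PHP location, the sample URIs and all function and variable names are assumptions made for the illustration.

```python
import re

def pick(locations, uri):
    """Simplified nginx location choice: returns the access policy that applies to uri."""
    prefix = None
    for loc in locations:                       # 1. longest matching prefix string
        if loc["mod"] in ("", "^~") and uri.startswith(loc["path"]):
            if prefix is None or len(loc["path"]) > len(prefix["path"]):
                prefix = loc
    if prefix:
        for inner in prefix.get("nested", []):  # 2. regex locations nested in that prefix
            if re.search(inner["path"], uri):
                # allow/deny are inherited from the enclosing block unless overridden
                return inner.get("access", prefix["access"])
        if prefix["mod"] == "^~":               # 3. ^~ stops the search here
            return prefix["access"]
    for loc in locations:                       # 4. top-level regexes, in file order
        if loc["mod"] == "~" and re.search(loc["path"], uri):
            return loc["access"]
    return prefix["access"] if prefix else "open"   # 5. fall back to the prefix match

# Constructed server blocks. The site-wide PHP regex location is an assumption,
# standing in for the single PHP handler the answer says most configurations have.
SITE_PHP = {"mod": "~", "path": r"\.php$", "access": "open"}
NESTED_PHP = {"mod": "~", "path": r"\.php$"}    # no allow/deny of its own
RESTRICTED = "allow 1.2.3.4; deny all"

plain_prefix = [SITE_PHP, {"mod": "", "path": "/phpmyadmin/", "access": RESTRICTED}]
hardened = [SITE_PHP, {"mod": "^~", "path": "/phpmyadmin/", "access": RESTRICTED,
                       "nested": [NESTED_PHP]}]

def report(locations):
    """Map each sample URI (constructed) to the policy the model selects for it."""
    uris = ["/phpmyadmin/", "/phpmyadmin/index.php", "/index.php"]
    return {u: pick(locations, u) for u in uris}

if __name__ == "__main__":
    for name, conf in (("plain prefix", plain_prefix), ("^~ with nested PHP", hardened)):
        print(name, report(conf))
```

The model covers only plain prefix, ^~ and case-sensitive regex locations; against a real server, `nginx -T` prints the effective configuration to compare with.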