On 10/01/2014 4:13 AM, Jim Ohlstein wrote:
Hello,
On 1/9/14, 9:42 AM, nano wrote:
I have attempted several variations of the format [1] you recommend and
continue to produce a broken site: a dialog to download
application/octet-stream from the main servername.com, and a 'File not
found.' from https://servername.com/phpmyadmin.
[1]
location / {
    try_files $uri $uri/ /index.php?$args;
}
location ^~ /phpmyadmin {
    alias /usr/local/www/phpMyAdmin/;
    index index.php index.html;
    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php-fpm.locatsock;
        fastcgi_param DOCUMENT_ROOT /usr/local/www/phpMyAdmin;
        fastcgi_param SCRIPT_FILENAME /usr/local/www/phpMyAdmin/$1;
        fastcgi_param SCRIPT_FILENAME /usr/local/www/site1/wordpress$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_script_name;
        include fastcgi_params;
    }
}
I eagerly anticipate a working example if and when you can provide one.
Thank you.
Next to "IfIsEvil" there should be a "DoNotUseAlias (unless necessary)".
Use the "root" directive and nested locations:
location /phpMyAdmin {
    root /usr/local/www;
    index index.php;
    # above probably not necessary as it is inherited from above
    location ~ \.php$ {
        fastcgi_pass ...;
        ...
    }
}
If my recollection is correct, I believe I had problems when using the root
directive instead of the alias directive. I will try again though.
A few notes, in no particular order:
You *should* use auth_basic [0] at the very least, as exposing this
functionality to the world is a very bad idea.
You should consider using "https only" for this script.
If you want to enter phpmyadmin in all lower case in the URL (it is
easier), do it via rewrite.
Consider turning off access log on at least rewritten requests once you
know it's working.
Consider using your server's FQDN, not your server name. It's less
likely potential intruders would guess it, though far from impossible.
Something like (not tested but should get you very close if not there):
server {
    listen 80;
    server_name foo;
    location ^~ /phpmyadmin {
        access_log off;
        rewrite ^ /phpMyAdmin/ permanent;
    }
    location /phpMyAdmin {
        access_log off;
        rewrite ^ https://foo$request_uri? break;
    }
    ...
}
server {
    listen 443 ssl;
    server_name foo;
    ssl_certificate /path/to/cert;
    ssl_certificate_key /path/to/key;
    ...
    location ^~ /phpmyadmin {
        access_log off;
        rewrite ^ /phpMyAdmin/ permanent;
    }
    location /phpMyAdmin {
        auth_basic "Blah";
        auth_basic_user_file /path/to/auth/file;
        # access_log off; # optional
        location ~ \.php$ {
            fastcgi_pass ...;
            include fastcgi_params;
            fastcgi_index index.php;
            fastcgi_param HTTPS on;
        }
    }
}
I would like the whole server accessible over SSL, not just for
phpMyAdmin but also for WordPress administration.
[0] http://nginx.org/en/docs/http/ngx_http_auth_basic_module.html
Jim, thank you very much for your example(s) and advice; it is very much
appreciated. I had intended to secure phpMyAdmin access after resolving
my basic configuration issues. I will attempt to implement these changes
and report back with results.
--
syn.bsdbox.co
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
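Pulling the thread's advice together into one configuration, as an added example that comes from neither poster: the whole site is served over HTTPS (the port-80 server only redirects), the lowercase URL redirects once to the real directory name, phpMyAdmin is mapped with root rather than alias so $document_root$fastcgi_script_name resolves to /usr/local/www/phpMyAdmin/index.php, and auth_basic on the outer location is inherited by the nested PHP location. The hostname, certificate paths, htpasswd file and PHP-FPM socket are placeholders; the two docroots are the ones named in the thread.

```nginx
# Port 80: nothing is served here, every request is sent to HTTPS.
server {
    listen 80;
    server_name www.example.test;                 # placeholder hostname
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name www.example.test;                 # placeholder hostname
    ssl_certificate     /path/to/cert.pem;        # placeholder
    ssl_certificate_key /path/to/key.pem;         # placeholder

    root  /usr/local/www/site1/wordpress;         # WordPress docroot from the thread
    index index.php index.html;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Convenience: lowercase URL redirects once to the real directory name.
    location ^~ /phpmyadmin {
        access_log off;
        rewrite ^ /phpMyAdmin/ permanent;
    }

    # root, not alias: /phpMyAdmin/x.php -> /usr/local/www/phpMyAdmin/x.php
    location ^~ /phpMyAdmin {
        root /usr/local/www;
        auth_basic           "Restricted";
        auth_basic_user_file /usr/local/etc/nginx/phpmyadmin.htpasswd;  # placeholder

        location ~ \.php$ {
            try_files $uri =404;                  # only existing files reach PHP
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param HTTPS on;
            fastcgi_pass unix:/var/run/php-fpm.sock;   # placeholder socket
        }
    }

    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS on;
        fastcgi_pass unix:/var/run/php-fpm.sock;       # placeholder socket
    }
}
```

Check it with `nginx -t` before reloading; the standard fastcgi_params file does not set SCRIPT_FILENAME, which is why it is set explicitly in both PHP locations.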