Allow PHPMyAdmin access on certain virtual hosts - Ubuntu and Nginx

Francis Daly francis at daoine.org
Sun Oct 9 19:41:34 UTC 2016


On Sun, Oct 09, 2016 at 12:50:50PM -0400, mrast wrote:

Hi there,

> I have no problem sharing the config files - ill just sanitize the actual
> websites. But everything else is 100% as is.

Thanks for this - it does give more information about what is happening.

A few notes, with the order switched...

>         if ($http_cookie ~* £PHPSESSID"){

If that is a copy-paste of the config file, then it probably won't match
some things that you would want it to.

> If i go to website1.com/phpmyadmin - the phpmyadmin login page is served.
> There are no changes to the url - it stays website1.com/phpmyadmin

That piece surprises me. I would expect that it would have issued a
redirect to website1.com/phpmyadmin/

That is because, for website1, with the following:

>         location / {
>         location ~ \.php$ {
>         location ~ /purge(/.*) {

a request for /phpmyadmin is handled in the first location, which has

>                 try_files $uri $uri/ /index.php?$args;

which, since you have 

>         root /var/www/html/website1.com/public/;

should check if /var/www/html/website1.com/public//phpmyadmin
is a file, and if so serve it; else check if
/var/www/html/website1.com/public//phpmyadmin is a directory, and if so
serve a redirect to /phpmyadmin/

Oh - unless /var/www/html/website1.com/public//phpmyadmin does not exist,
in which case it will be handled internally to nginx as a subrequest
to /index.php

That makes sense now -- I'm guessing that that path does not exist?

Your /index.php subrequest is handled in the second location, which does

>                 try_files $uri =404;
>                 fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
>                 include fastcgi_params;

where try_files checks that the file
/var/www/html/website1.com/public//index.php exists, and then contacts
your fastcgi server and asks it to process a file. That is probably
"SCRIPT_FILENAME" in your fastcgi_params file -- what is that set to?

Most likely it is $document_root$fastcgi_script_name, which corresponds
to the file /var/www/html/website1.com/public//index.php

What happens next is outside of the control of nginx, and is entirely
down to your fastcgi server and whatever that php file contains.


> Here is the full config for website.com - that does need access to
> phpmyadmin and does have an extra login prompt before /phpmyadmin is shown
> (which is what the location /phpmyadmin block dictates)

Just as an aside - it is possible that some other configuration will
protect against this; but it looks to me as though if you access
http://website.com/phpmyadmin/index.php you may get access to things
without having attempted the nginx basic authentication "extra login" step.


> This is the article I followed to install and secure phpmyadmin - I did
> everything on that page except change the /phpmyadmin location name. (this
> is where the symlink came into it)

The link to the article seems to be missing.

I'm not sure what exactly this symlink is.

For each of the files/directories named above that "try_files" tests,
what does "ls -lLd" say that they are? File, directory, or not there?

> So to me that symlink tells nginx to serve phpmyadmin php pages for the
> web server - am I correct?

nginx does not "do" php. If php is involved, it is your fastcgi server
that handles it. nginx will tell your fastcgi server which file it should
attempt to process, though.

If the symlink you refer to is one of

/var/www/html/website1.com/public//phpmyadmin
/var/www/html/website1.com/public//index.php

then it will be relevant; if not then it should not be.

> eg - a symlink for website.com exists pointing to /usr/share/phpmyadmin. So
> I'm telling nginx to serve phpmyadmin php files for that website only and not
> the whole server which the /usr/share/phpmyadmin /usr/share/nginx/html
> symlink does.

In the config that you have shown, /usr/share/nginx/html is not relevant,
I think.

> Here is the output of nginx -T | grep 'server\|location' as requested (I've
> cut out website2 and website3 bits as they are not relevant as they are just
> copies of .com and 1.com (.com and 2.com need access, 1.com and 3.com don't)

> server {
>         server_name website.com www.website.com;
>         location / {
>         location /phpmyadmin {
>         location ~ \.php$ {
>         location ~ /purge(/.*) {

> server {
>         server_name website1.com www.website1.com;
>         location / {
>         location ~ \.php$ {
>         location ~ /purge(/.*) {

Those are the initially-important bits. For each request (or internal
subrequest), you can tell which one location nginx will use to handle
it. Only the configuration in, or inherited into, that location is
relevant for this request.

From the above, I think that the file

/var/www/html/website1.com/public//index.php

may be especially interesting. What is in it? Is it in any way related
to phpmyadmin?

Good luck with it,

	f
-- 
Francis Daly        francis at daoine.org
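The "you may get access without the extra login step" point above comes down to how nginx picks one location per request: the longest matching prefix location is remembered, but a matching `~` regex location declared in the same server takes the request instead, unless the prefix was declared with `^~`. The following is an added example, not code from the thread or from nginx: a small Python model of that selection rule, run against a constructed copy of the website.com location list as it appears in the `nginx -T` output above, with the auth_basic flag placed on `/phpmyadmin` as the poster describes. Nested locations are not modelled, so in a real config the `^~` block would still need its own nested `\.php$` location to hand PHP files to the fastcgi server.

```python
import re

# Constructed location list for website.com, in the order shown in the
# thread; the third field marks whether auth_basic applies there (assumed).
WEBSITE_COM = [
    ("prefix", "/", False),
    ("prefix", "/phpmyadmin", True),    # the "extra login" block
    ("regex", r"\.php$", False),        # hands .php files to fastcgi
    ("regex", r"/purge(/.*)", False),
]

def select_location(uri, locations):
    """Return the one location nginx would use for uri.

    Mirrors nginx's documented rule: remember the longest matching prefix;
    if it was declared with ^~ (modelled here as "prefix_noregex") it wins
    outright; otherwise the first matching regex, in config order, takes
    the request; with no regex match the remembered prefix is used.
    """
    best = None
    for loc in locations:
        kind, pattern, _auth = loc
        if kind in ("prefix", "prefix_noregex") and uri.startswith(pattern):
            if best is None or len(pattern) > len(best[1]):
                best = loc
    if best is not None and best[0] == "prefix_noregex":
        return best
    for loc in locations:
        if loc[0] == "regex" and re.search(loc[1], uri):
            return loc
    return best

def auth_required(uri, locations):
    """True if the location handling uri is the one carrying auth_basic."""
    return select_location(uri, locations)[2]

def harden(locations):
    """Give the /phpmyadmin prefix the ^~ modifier, so the server-level
    \\.php$ regex can no longer take /phpmyadmin/index.php away from it."""
    return [("prefix_noregex", p, a) if p == "/phpmyadmin" else (k, p, a)
            for k, p, a in locations]

if __name__ == "__main__":
    for uri in ("/phpmyadmin", "/phpmyadmin/index.php"):
        print(uri, "-> auth:", auth_required(uri, WEBSITE_COM),
              "| hardened:", auth_required(uri, harden(WEBSITE_COM)))
```

The model reproduces the thread's observation: `/phpmyadmin` lands in the prefix block and gets the login prompt, while `/phpmyadmin/index.php` is claimed by the `\.php$` regex location and skips it.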


