1 Topic by Vincent

  • Vincent
  • Member
  • Offline
  • Registered: 2013-12-29
  • Posts: 8

Topic: phpmyadmin: restrict access to local network only ?

==== Required information ====
- iRedMail version: 0.8.6
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):  LDAP
- Linux/BSD distribution name and version: Ubuntu 12.04.3 LTS
- Related log if you're reporting an issue:
====
Hello !

I want to restrict access to phpmyadmin only to local network.
Before, without iRedMail, i edit /etc/phpmyadmin/apache.conf and modify this:
[...]
<Directory /usr/share/phpmyadmin>
        Options FollowSymLinks
        DirectoryIndex index.php
        Order Deny,Allow
        Deny from all
        Allow from 127.0.0.1        # local
        Allow from 192.168.1.0/24    # local network
[...]

But now, it's seem don't work: I can always have access to php from internet

Thank you for your help.

Vincent

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,502

Re: phpmyadmin: restrict access to local network only ?

Try /etc/apache2/conf.d/phpmyadmin.conf instead.

3 Reply by Vincent

  • Vincent
  • Member
  • Offline
  • Registered: 2013-12-29
  • Posts: 8

Re: phpmyadmin: restrict access to local network only ?

Hello,

no phpmyadmin.conf in /etc/apache2/conf.d

I must copy /etc/phpmyadmin/apache.conf to /etc/apache2/conf.d/phpmyadmin.conf ?

Thanks

4 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,502

Re: phpmyadmin: restrict access to local network only ?

My mistake, phpMyAdmin is installed from Ubuntu apt repository, not from source tarball.
You should edit /etc/apache2/sites-enabled/default-ssl instead.

5 Reply by Vincent

  • Vincent
  • Member
  • Offline
  • Registered: 2013-12-29
  • Posts: 8

Re: phpmyadmin: restrict access to local network only ?

ZhangHuangbin wrote:

My mistake, phpMyAdmin is installed from Ubuntu apt repository, not from source tarball.
You should edit /etc/apache2/sites-enabled/default-ssl instead.

Hello,

il try it, but if:

[...]
        DocumentRoot /var/www
        <Directory />
                Options FollowSymLinks
                AllowOverride None
                Order Deny,Allow
                Deny from all
                Allow from 127.0.0.1            # local
                Allow from 192.168.1.0/24      # localnetwork
        </Directory>
[...]

all aliases are restricted: also alias /mail (roundcube) and I want to enter in roundcube since internet

No ?

Thanks

6 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,502

Re: phpmyadmin: restrict access to local network only ?

Show us what you did please. Pasting full config file is better. WARNING: replace/hide sensitive info before posting.

7 Reply by Vincent (edited by Vincent 2013-12-29 23:09:47)

  • Vincent
  • Member
  • Offline
  • Registered: 2013-12-29
  • Posts: 8

Re: phpmyadmin: restrict access to local network only ?

ZhangHuangbin wrote:

Show us what you did please. Pasting full config file is better. WARNING: replace/hide sensitive info before posting.

 nano /etc/apache2/sites-available/default-ssl
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
        ServerAdmin webmaster@localhost

        DocumentRoot /var/www
        <Directory />
                Options FollowSymLinks
                AllowOverride None
                Order Deny,Allow
                Deny from all
                Allow from 127.0.0.1            # local
                Allow from 192.168.1.0/24      # localnetwork
        </Directory>
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log

        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

        Alias /doc/ "/usr/share/doc/"
        <Directory "/usr/share/doc/">
                Options Indexes MultiViews FollowSymLinks
                AllowOverride None
                Order deny,allow
                Deny from all
                Allow from 127.0.0.0/255.0.0.0 ::1/128
        </Directory>

        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/iRedMail_CA.pem
        SSLCertificateKeyFile /etc/ssl/private/iRedMail.key

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

Alias /cluebringer "/usr/share/postfix-cluebringer-webui/webui/"
Alias /iredadmin/static "/usr/share/apache2/iredadmin/static/"
WSGIScriptAlias /iredadmin "/usr/share/apache2/iredadmin/iredadmin.py/"
Alias /awstats/icon "/usr/share/awstats/icon/"
Alias /awstatsicon "/usr/share/awstats/icon/"
ScriptAlias /awstats "/usr/lib/cgi-bin/"
Alias /mail "/usr/share/apache2/roundcubemail/"
Alias /phpldapadmin "/usr/share/phpldapadmin/"
Alias /ldap "/usr/share/phpldapadmin/"
Alias /phpmyadmin "/usr/share/phpmyadmin/"
</VirtualHost>
</IfModule>
 service apache2 reload

with this, whole site is inacceesible from internet
So I would like to unblock access to roundcube from the internet.

May be, i can do this in addition:

nano /etc/apache2/conf.d/roundcubemail.conf
Alias /mail "/usr/share/apache2/roundcubemail/"
<Directory "/usr/share/apache2/roundcubemail/">
    Options -Indexes
    Order Allow,Deny
    Allow from all
</Directory>

Right ?

Thank you

8 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,502

Re: phpmyadmin: restrict access to local network only ?

Vincent wrote:

        <Directory "/usr/share/doc/">
                Options Indexes MultiViews FollowSymLinks
                AllowOverride None
                Order deny,allow
                Deny from all
                Allow from 127.0.0.0/255.0.0.0 ::1/128
        </Directory>

If you want to restrict phpMyAdmin, please use this directory:

<Directory /usr/share/phpmyadmin>

9 Reply by Vincent

  • Vincent
  • Member
  • Offline
  • Registered: 2013-12-29
  • Posts: 8

Re: phpmyadmin: restrict access to local network only ?

ZhangHuangbin wrote:

If you want to restrict phpMyAdmin, please use this directory:

<Directory /usr/share/phpmyadmin>

Thank you very much, it works very well.

But for awstats, it does not seem to work...
Do you have an idea for this module?

thank you

10 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,502

Re: phpmyadmin: restrict access to local network only ?

Vincent wrote:

But for awstats, it does not seem to work...

Do you want to restrict access for Awstats? Then do it the way same as phpMyAdmin, just add one more <Directory> directive. If it doesn't work, show us what you did (full config file).

11 Reply by Vincent

  • Vincent
  • Member
  • Offline
  • Registered: 2013-12-29
  • Posts: 8

Re: phpmyadmin: restrict access to local network only ?

ZhangHuangbin wrote:

Do you want to restrict access for Awstats? Then do it the way same as phpMyAdmin, just add one more <Directory> directive. If it doesn't work, show us what you did (full config file).

Yes, i do the same way as phpmyadmin:

=> nano /etc/apache2/sites-available/default-ssl

IfModule mod_ssl.c>
<VirtualHost _default_:443>
        ServerAdmin webmaster@localhost

        DocumentRoot /var/www
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>

        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

# Restrict awstats access
        <Directory /usr/share/awstats/icon/>
                Order Deny,Allow
                Deny from all
                Allow from 127.0.0.1            # local
                Allow from 192.168.1.0/24      # localnetwork
        </Directory>


        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log

        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

        Alias /doc/ "/usr/share/doc/"
        <Directory "/usr/share/doc/">
                Options Indexes MultiViews FollowSymLinks
                AllowOverride None
                Order deny,allow
                Deny from all
                Allow from 127.0.0.0/255.0.0.0 ::1/128
        </Directory>

        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/iRedMail_CA.pem
        SSLCertificateKeyFile /etc/ssl/private/iRedMail.key

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

Alias /cluebringer "/usr/share/postfix-cluebringer-webui/webui/"
Alias /iredadmin/static "/usr/share/apache2/iredadmin/static/"
WSGIScriptAlias /iredadmin "/usr/share/apache2/iredadmin/iredadmin.py/"
Alias /awstats/icon "/usr/share/awstats/icon/"
Alias /awstatsicon "/usr/share/awstats/icon/"
ScriptAlias /awstats "/usr/lib/cgi-bin/"
Alias /mail "/usr/share/apache2/roundcubemail/"
Alias /phpldapadmin "/usr/share/phpldapadmin/"
Alias /ldap "/usr/share/phpldapadmin/"
Alias /phpmyadmin "/usr/share/phpmyadmin/"
</VirtualHost>
</IfModule>

=> service apache2 reload
=> service apache2 restart

But for:
        - https://mail.mysite.com/awstats/awstats.pl
        - https://mail.mysite.com/awstats/awstats.pl?config=web
        - https://mail.mysite.com/awstats/awstats.pl?config=smtp
I can identify and enter statistics with a internet access.

I'm not an experienced user liux.
Maybe this is the normal operation of cgi?

I just wanted to see statistics only from the local network because I think in my case (self-hosting), it is unnecessary to let the access from internet
Maybe this is too difficult to change this part? In this case, it does not matter.

Thank you for your patience and availability

12 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,502

Re: phpmyadmin: restrict access to local network only ?

I guess you should restrict directory "/usr/share/awstats/" instead of "/usr/share/awstats/icon/".

Vincent wrote:

I just wanted to see statistics only from the local network

It's protected by username/password by default.

13 Reply by tyllee (edited by tyllee 2014-01-04 00:45:54)

  • tyllee
  • Member
  • Offline
  • Registered: 2013-03-27
  • Posts: 98

Re: phpmyadmin: restrict access to local network only ?

Hi, I'm trying to restrict iredadmin-pro

Debian 6
iredmail 0.8.6 MySQL

/etc/apache2/sites-available/default-ssl

        <Directory /usr/share/apache2/iRedAdmin-Pro-MySQL-1.8.1>
                Options Indexes MultiViews FollowSymLinks
                AllowOverride None
                Order deny,allow
                Deny from all
                Allow from 127.0.0.0/255.0.0.0 ::1/128
        </Directory>

I can still access from internet…

What am I doing wrong.

14 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,502

Re: phpmyadmin: restrict access to local network only ?

Did you try below one:

<Directory /usr/share/apache2/iredadmin>

15 Reply by tyllee

  • tyllee
  • Member
  • Offline
  • Registered: 2013-03-27
  • Posts: 98

Re: phpmyadmin: restrict access to local network only ?

ZhangHuangbin wrote:

Did you try below one:

<Directory /usr/share/apache2/iredadmin>

Thank you!

16 Reply by tyllee (edited by tyllee 2014-01-05 04:59:37)

  • tyllee
  • Member
  • Offline
  • Registered: 2013-03-27
  • Posts: 98

Re: phpmyadmin: restrict access to local network only ?

ZhangHuangbin wrote:

I guess you should restrict directory "/usr/share/awstats/" instead of "/usr/share/awstats/icon/".

Vincent wrote:

I just wanted to see statistics only from the local network

It's protected by username/password by default.

Debian 6
iredmail 0.8.6 MySQL

This did not work for me:
<Directory /usr/share/awstats


But this restricted awstats for me:

<Directory /usr/lib/cgi-bin>
          DirectoryIndex awstats.pl
          Options ExecCGI
          Options FollowSymLinks
          order deny,allow
          deny from all
          allow from 127.0.0.1
  </Directory>

Is this an unclean way of solving it?

17 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,502

Re: phpmyadmin: restrict access to local network only ?

tyllee wrote:

Is this an unclean way of solving it?

This is the right one on Ubuntu.

18 Reply by lordhelmet

  • lordhelmet
  • Member
  • Offline
  • Registered: 2016-03-05
  • Posts: 27

Re: phpmyadmin: restrict access to local network only ?

hy,
i am trying to do the same for iredadmin,awstats and phpmyadmin. as i have the directory-directive in the config-enabled config files i included the restriction there, but either i am locking me out completely or not. the ssl-default file contains the aliases, i tried to put directory there, but same result.
plz help. thx!

#ubuntu:
/etc/apache2/conf-enabled
iredamin.conf:

WSGISocketPrefix /var/run/wsgi
WSGIDaemonProcess iredadmin user=iredadmin threads=15
WSGIProcessGroup iredadmin

AddType text/html .py

<Directory /opt/www/iredadmin/>
                order deny,allow
                deny from all
                allow from 10.9.0.1
                allow from 127.0.0.1
                AuthType Basic
                AuthName root
                AuthUserFile /etc/apache2/passwords
                Require valid-user
#    Require all granted
</Directory>

10.9.0.1 is the vpn interface that should be allowed - i dont want acces from the internt to iredadmin.

19 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,502

Re: phpmyadmin: restrict access to local network only ?

Does it work if you place "allow from xx" in front of "order deny,allow"?

20 Reply by lordhelmet

  • lordhelmet
  • Member
  • Offline
  • Registered: 2016-03-05
  • Posts: 27

Re: phpmyadmin: restrict access to local network only ?

ZhangHuangbin wrote:

Does it work if you place "allow from xx" in front of "order deny,allow"?

no, it blocks everything, even if put
allow from <inet-nic-ip> in front it does not allow.

21 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,502

Re: phpmyadmin: restrict access to local network only ?

If you're running Apache 2.4, you should try different ACL directive. For example:

    <IfVersion < 2.4>      
        Order deny,allow
        Allow from all
    </IfVersion>
    <IfVersion >= 2.4>
        Require all granted
    </IfVersion>

22 Reply by lordhelmet (edited by lordhelmet 2016-12-09 02:08:14)

  • lordhelmet
  • Member
  • Offline
  • Registered: 2016-03-05
  • Posts: 27

Re: phpmyadmin: restrict access to local network only ?

no, it just does not seem to catch the rule, tried granted and denied. i need some debug thing  to look into what apache thinks its doing..

<Directory /opt/www/iredadmin/>
                #Require all denied
                #deny from all
                #allow from 10.9.0.1
                #allow from 10.9.0.0
                #allow from 10.9.0.0/11
                #allow from 127.0.0.1
                #deny from ....
                AuthType Basic
                AuthName root
                AuthUserFile /etc/apache2/passwords
                Require valid-user
<RequireAll>
  Require ip 10.9.0.0/24
  Require not ip ....
</RequireAll>
#    Require all granted
</Directory>

23 Reply by lordhelmet (edited by lordhelmet 2016-12-10 16:27:50)

  • lordhelmet
  • Member
  • Offline
  • Registered: 2016-03-05
  • Posts: 27

Re: phpmyadmin: restrict access to local network only ?

my error is that i thought that vpn-connections come from the vpn ip adress - range, but as they are tunneled, apache sees them as coming from the inet interface of the vpn client.

it works with

Require all granted
                allow from x.x.x.x
                deny from all

before the auth clauses.
thx!

24 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,502

Re: phpmyadmin: restrict access to local network only ?

Thanks for sharing. smile