Nginx SSL Secured phpMyAdmin
Nginx SSL Secured phpMyAdmin can be done with a few lines of configuration in your Nginx server block. Securing your phpMyAdmin login is essential to protecting your databases. When you administer your database through an SSL certificate, everything sent between the browser and the server is encrypted, which is the best protection you have against your data (and your login) being captured over an open connection.
In Nginx it is very easy to protect domains/subdomains using an SSL certificate.
So is it possible to protect other software in other areas of the server using the same certificate?
The answer is yes, thanks to the beautiful rewrite rules of Nginx.
In this example I am going to use the SSL certificate that was installed to protect a client area of a domain. Let's make it a subdomain:

```
https://clients.domain.com
```
As a rule, best practice for a subdomain is to give it its own server block in your vhost or nginx.conf file.
So we have a secured subdomain; the SSL cert is installed and working fine.
Here's an example of how to secure the subdomain.
Now in this example phpMyAdmin is installed in the /usr/share/phpmyadmin/ directory on the server, far from the domain's vhost root, but with Nginx it's right at home.
First rule of thumb: rename the phpmyadmin folder. Scanners routinely probe servers for /phpmyadmin, so why make it easy for them?
Name it whatever you want; I will use the generic name devaccess for this example.
```
# mv /usr/share/phpmyadmin /usr/share/devaccess
```
Here is our subdomain server block. I am removing all my extra stuff to make it clearer for members to view.
First create a port 80 (insecure) block for the subdomain and force an https connection with a rewrite rule. This way, if the client goes to http, he or she will be redirected to the secure connection.
```nginx
server {
    listen IPADDRESS:80;
    server_name clients.domain.com;
    #################### SSL Only Please ###############
    rewrite ^ https://$server_name$request_uri? permanent;
}

########## Now create your secure port 443 block for the subdomain ##############
server {
    listen 443;
    server_name clients.domain.com;

    ########## ADD YOUR LOG PATHS ###############
    error_log /var/log/ispconfig/httpd/domain.com/clients_error.log;
    access_log /var/log/ispconfig/httpd/domain.com/clients_access.log combined;

    ########## ADD YOUR SUBDOMAIN ROOT ###############
    root /var/www/domain.com/web/clients;

    ########## ADD YOUR SSL DIRECTIVES ###############
    ssl on;   # obsolete since nginx 1.15.0; newer releases use "listen 443 ssl;" instead
    ssl_certificate /var/www/domain.com/ssl/clients.domain.com.pem;
    ssl_certificate_key /var/www/domain.com/ssl/clients.domain.com.key;
    ssl_session_timeout 5m;
    # SSLv2 and SSLv3 have since been formally deprecated (RFC 6176, RFC 7568);
    # current nginx releases accept TLSv1.2 and TLSv1.3 here.
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers on;

    ########## ADD YOUR FILE DIRECTIVES ###############
    index index.php index.html index.htm index.cgi index.pl index.xhtml;

    ########## ADD YOUR ERROR PAGES ###############
    error_page 400 /error/400.html;
    error_page 401 /error/401.html;
    error_page 403 /error/403.html;
    error_page 404 /error/404.html;
    error_page 405 /error/405.html;
    error_page 500 /error/500.html;
    error_page 502 /error/502.html;
    error_page 503 /error/503.html;

    ########## ADD YOUR STANDARD DIRECTIVES ###############
    ## Disable .htaccess and other hidden files
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    location /stats {
        index index.html index.php;
        auth_basic "Members Only";
        auth_basic_user_file /var/www/clients/client1/web1/.htpasswd_stats;
    }
    location /awstats-icon {
        alias /usr/share/awstats/icon;
    }

    # ADD YOUR ADMINISTRATION LOGIN (if applicable) UNDER THE SSL CERTIFICATE USING NGINX AUTH BASIC #
    location /administration/ {
        auth_basic "Client Admin Restricted Area";
        auth_basic_user_file /etc/nginx/htpasswd;
    }
    location ~ ^/administration/.*\.php$ {
        auth_basic "Client Admin Restricted Area";
        auth_basic_user_file /etc/nginx/htpasswd;
        fastcgi_pass 127.0.0.1:9010;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    ########## ADD YOUR PHP-FPM FastCGI DIRECTIVES ###############
    ########## MAKE SURE fastcgi_param HTTPS on; IS INCLUDED TO ACTIVATE HTTPS CONNECTIONS THROUGH FASTCGI ##############
    location ~ \.php$ {
        try_files $uri =404;
        include /etc/nginx/fastcgi_params;
        fastcgi_pass 127.0.0.1:9010;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS on;
        fastcgi_buffer_size 128k;
        fastcgi_buffers 256 4k;
        fastcgi_busy_buffers_size 256k;
        fastcgi_temp_file_write_size 256k;
        fastcgi_intercept_errors on;
    }

    ########## SERVE YOUR STATIC FILES ###############
    location ~* ^.+\.(jpg|jpeg|gif|css|png|js|ico|xml|txt|pdf)$ {
        access_log off;
    }

    ########## SECURE PHPMYADMIN WITH YOUR SSL CERTIFICATE ###############
    location /devaccess {
        ################ REALLY LOCK IT DOWN TO JUST YOUR IP FOR ACCESS #####################
        allow MYIPADDRESS;   # replace with the address you administer from
        deny all;
        root /usr/share/;
        index index.php index.html index.htm;
        location ~ ^/devaccess/(.+\.php)$ {
            try_files $uri =404;
            root /usr/share/;
            fastcgi_pass 127.0.0.1:9000;
            # Tells PHP the request arrived over TLS. The original used $fastcgi_https,
            # which only exists when a "map $scheme $fastcgi_https" is defined in the
            # http context; inside a 443-only server block a plain "on" is equivalent.
            fastcgi_param HTTPS on;   # <-- add this line
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $request_filename;
            include /etc/nginx/fastcgi_params;
            fastcgi_param PATH_INFO $fastcgi_script_name;
            fastcgi_buffer_size 128k;
            fastcgi_buffers 256 4k;
            fastcgi_busy_buffers_size 256k;
            fastcgi_temp_file_write_size 256k;
            fastcgi_intercept_errors on;
        }
        location ~* ^/devaccess/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
            root /usr/share/;
        }
    }
    # The original ended with a second "location /devaccess { rewrite ^/* /devaccess last; }".
    # nginx refuses to start on a duplicate location, and the prefix block above already
    # sends a bare /devaccess to /devaccess/ through its index directive, so it is dropped.
}
```
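To check a vhost against the points above before touching a browser, here is an added example (my code, not part of the original post and not an Nginx tool): a small Python audit that parses nginx's directive syntax just far enough to walk server and location blocks, then verifies that the port-80 block only redirects to https, that the renamed phpMyAdmin path carries an allow list with `deny all`, and that every FastCGI handler under it sets `HTTPS on`. It also flags `ssl_protocols` values that have since been deprecated, which goes beyond the post's own config. The sample vhost, its addresses and its hostname are constructed placeholders.

```python
"""Audit an nginx vhost for the checks this tutorial relies on.

Added example, not part of the original post: a minimal nginx-syntax
parser plus checks for the http->https bounce, the IP allow-list on the
phpMyAdmin path and the HTTPS FastCGI parameter. It also flags deprecated
ssl_protocols values, which goes beyond the post's own config.
"""
import re

# One token per word, brace or semicolon; quoted strings stay whole.
TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')


def tokenize(text):
    tokens = []
    for line in text.splitlines():
        # Drop '#' comments (assumes no '#' inside quoted arguments).
        tokens.extend(TOKEN_RE.findall(line.split('#', 1)[0]))
    return tokens


def parse(tokens):
    """Build a tree of {'name', 'args', 'block'}; 'block' is None for simple directives."""
    def block(i):
        items = []
        while i < len(tokens) and tokens[i] != '}':
            name, args, i = tokens[i], [], i + 1
            while tokens[i] not in ('{', ';'):
                args.append(tokens[i])
                i += 1
            if tokens[i] == '{':
                children, i = block(i + 1)
                items.append({'name': name, 'args': args, 'block': children})
            else:
                items.append({'name': name, 'args': args, 'block': None})
                i += 1
        return items, i + 1  # skip the closing brace
    return block(0)[0]


def find(directives, name, recursive=False):
    """Yield directives called `name`, optionally descending into nested blocks."""
    for d in directives:
        if d['name'] == name:
            yield d
        if recursive and d['block'] is not None:
            yield from find(d['block'], name, True)


def audit(conf_text, admin_path):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for srv in find(parse(tokenize(conf_text)), 'server'):
        body = srv['block']
        name = ' '.join(a for d in find(body, 'server_name') for a in d['args'])
        ports = [d['args'][0] for d in find(body, 'listen')]
        plain = any(p == '80' or p.endswith(':80') for p in ports)
        admin_locs = [d for d in find(body, 'location', True) if d['args'] == [admin_path]]
        if plain:
            # The port-80 block must exist only to bounce clients to https.
            if not any(d['name'] in ('rewrite', 'return')
                       and any(a.startswith('https://') for a in d['args']) for d in body):
                findings.append(f'{name}: port-80 block does not redirect to https')
            if admin_locs:
                findings.append(f'{name}: {admin_path} is reachable over plain http')
            continue
        for sp in find(body, 'ssl_protocols'):
            weak = sorted(set(sp['args']) & {'SSLv2', 'SSLv3', 'TLSv1', 'TLSv1.1'})
            if weak:
                findings.append(f"{name}: ssl_protocols enables deprecated {', '.join(weak)}")
        for loc in admin_locs:
            if not any(d['name'] == 'deny' and d['args'] == ['all'] for d in loc['block']):
                findings.append(f'{name}: {admin_path} has no "deny all"')
            if not any(True for _ in find(loc['block'], 'allow')):
                findings.append(f'{name}: {admin_path} has no allow-listed address')
            # Every PHP handler under the admin path must tell PHP the request is TLS.
            for sub in find(loc['block'], 'location', True):
                passes = any(True for _ in find(sub['block'], 'fastcgi_pass'))
                https = any(d['name'] == 'fastcgi_param' and d['args'][:2] == ['HTTPS', 'on']
                            for d in sub['block'])
                if passes and not https:
                    findings.append(f'{name}: {sub["args"][-1]} passes to FastCGI without HTTPS on')
    return findings


# Constructed sample: the tutorial's two server blocks, condensed; the IPs,
# hostname and FastCGI socket are placeholders, not real values.
SAMPLE_CONF = r"""
server {
    listen 203.0.113.10:80;
    server_name clients.example.com;
    rewrite ^ https://$server_name$request_uri? permanent;
}
server {
    listen 443;
    server_name clients.example.com;
    ssl_protocols SSLv2 SSLv3 TLSv1;
    location /devaccess {
        allow 198.51.100.7;   # stands in for MYIPADDRESS
        deny all;
        root /usr/share/;
        location ~ ^/devaccess/(.+\.php)$ {
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_param HTTPS on;
        }
    }
}
"""

# Constructed negative case: the same vhost with three protections removed.
WEAK_CONF = (SAMPLE_CONF.replace('rewrite ^', '# rewrite ^')
             .replace('deny all;', '')
             .replace('fastcgi_param HTTPS on;', ''))

if __name__ == '__main__':
    for label, conf in (('tutorial vhost', SAMPLE_CONF), ('weakened vhost', WEAK_CONF)):
        print(f'== {label} ==')
        for finding in audit(conf, '/devaccess') or ['no findings']:
            print(' -', finding)
```

Run as a script it reports both cases; against a real vhost, read the file and call `audit(text, '/devaccess')` (the path name is whatever you renamed the folder to) before running `nginx -t` and reloading. The parser is deliberately small: it understands blocks, simple directives and quoted arguments, which is enough for a server block like the one above, but it does not handle `include` or the `#` character inside quoted strings.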
Restart or reload Nginx:

```
# /etc/init.d/nginx restart
```
Now simply point your browser to:
```
https://clients.domain.com/devaccess/index.php
```
And you are now using your domain's SSL certificate to access your databases securely.
Reference: Nginx HttpSslModule