
I'm running 2 websites on a LEMP stack with nginx configured as a reverse proxy server. I have successfully installed phpmyadmin in the root folder of one of my sites' root directories. When I go to www.example.com/phpmyadmin, I am able to access the phpmyadmin login page on the public internet as well as on my LAN. What I would like to do is configure nginx to block any traffic to phpmyadmin that doesn't originate from my local area network. Currently I also have a /admin folder in the root of my site, and I HAVE SUCCESSFULLY set up a way to block all traffic to that folder that doesn't originate from my LAN. I figured blocking phpmyadmin from the outside world would be as easy as using the same nginx virtual configuration lines I used to block the /admin/ directory, but just changing the location to /phpmyadmin. However, when doing this, phpmyadmin is still blocked on the local network.

Below are the relevant parts of my nginx virtual host configuration for example.com. You can see which blocking configurations work and don't work, as noted in the comments. Help me fix the #Not working lines. Note: My server's local IP address is 192.168.1.20.

```nginx
server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        ssl on;
        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
        server_name example.com  www.example.com;
        root /var/www/example.com;

        index index.php;

        location / {
                # try_files $uri $uri/ =404;
                try_files $uri $uri/ /index.php?$args;
        }

        # Disallow PHP In Upload Folder
        location /wp-content/uploads/ {
                location ~ \.php$ {
                        deny all;
                }
        }
        # LAN ONLY ACCESS WORKING
        location ^~ /admin {
                allow 192.168.1.0/24;
                deny all;
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
        }
        # LAN ONLY ACCESS NOT WORKING!!!
        location ^~ /phpmyadmin {
                allow 192.168.1.0/24;
                deny all;
                include fastcgi.conf;
                fastcgi_intercept_errors on;
                fastcgi_pass local_php;
                fastcgi_buffers 16 16k;
                fastcgi_buffer_size 32k;
        }

        location ~ \.php$ {
                include fastcgi.conf;
                fastcgi_intercept_errors on;
                fastcgi_pass local_php;
                fastcgi_buffers 16 16k;
                fastcgi_buffer_size 32k;
        }
}
```

What edits to my virtual host config file must I make to properly restrict phpmyadmin to my LAN in Nginx?

symcbean
DanRan

3 Answers


Try this one, works for me.

```nginx
location ~phpmyadmin {
        allow 192.168.1.0/24;
        deny all;
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
}
```
Paul
JRA
  • I can't say all of the differences, but back when I configured this I used `location /phpmyadmin/ {`. – Paul Dec 31 '21 at 13:37
  • The location is a Symbolic link, then you use location ~phpmyadmin { – JRA Dec 31 '21 at 14:06
  • Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Dec 31 '21 at 17:42
  • thanks @JRA I will check this one out and report back! – DanRan Jan 07 '22 at 15:43

Unfortunately, @JRA's answer did not work. What did work was adding the restrict directives without using them as a location directive to the very top of the server blocks in the .conf file, like so...

```nginx
server {
  # Restrict access to LAN.
  allow 192.168.1.0/24;
  deny all;
  error_page 403 =444;

  listen 80;
  listen [::]:80;
  server_name example.com  www.example.com;
  return 301 https://$host$request_uri;
}

server {
  # Restrict access to LAN.
  allow 192.168.1.0/24;
  deny all;
  error_page 403 =444;

  ####
  # SSL configuration
  ####

  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  ...
```
DanRan

Your issue is the order in which nginx applies location blocks. Specifically, the ~.php$ location is being processed before the ~/phpmyadmin block. Assuming that the phpmyadmin directory is in your webroot, using a literal prefix instead of a regex should give the behaviour you expect:

```nginx
location /phpmyadmin {
```

Although /admin is currently behaving as you expect, it would be a good idea to make that a literal prefix too.

symcbean
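
How nginx chooses between the location forms that appear in this thread, as an added example that is not part of any post above: a small Python model of top-level location selection followed by in-order allow/deny evaluation. Nested locations and server-level inheritance are not modelled, and the `CONFIGS` names and the two client addresses are constructed for the illustration.

```python
import ipaddress
import re

LAN_ONLY = [("allow", "192.168.1.0/24"), ("deny", "all")]  # rules from the question
PHP = ("~", r"\.php$", [])  # the catch-all PHP block; it has no allow/deny
# Constructed: one server block per location form proposed in the thread.
CONFIGS = {
    "caret-tilde prefix": [("^~", "/phpmyadmin", LAN_ONLY), PHP],
    "plain prefix": [("", "/phpmyadmin", LAN_ONLY), PHP],
    "regex listed first": [("~", "phpmyadmin", LAN_ONLY), PHP],
}

def select_location(locations, uri):
    """Pick a top-level location as nginx does (nested blocks not modelled)."""
    best = None
    for loc in locations:
        mod, pat, _ = loc
        if mod == "=" and uri == pat:
            return loc  # exact match ends the search
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = loc  # remember the longest matching prefix
    if best and best[0] == "^~":
        return best  # ^~ suppresses the regex pass
    for loc in locations:
        mod, pat, _ = loc
        if mod in ("~", "~*") and re.search(pat, uri, re.I if mod == "~*" else 0):
            return loc  # first matching regex in file order wins
    return best

def is_allowed(rules, client_ip):
    """Evaluate allow/deny in order; the first matching rule decides."""
    ip = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if target == "all" or ip in ipaddress.ip_network(target):
            return action == "allow"
    return True  # no rule matched: the access module lets the request through

def check(config_name, uri, client_ip):
    """Return (handling location, allowed?) for one request."""
    loc = select_location(CONFIGS[config_name], uri)
    rules = loc[2] if loc else []
    return (f"{loc[0]} {loc[1]}".strip() if loc else None, is_allowed(rules, client_ip))

if __name__ == "__main__":
    for name in CONFIGS:
        for ip in ("192.168.1.50", "203.0.113.7"):  # constructed LAN / public clients
            print(name, ip, check(name, "/phpmyadmin/index.php", ip))
```

In this model a plain `/phpmyadmin` prefix hands `/phpmyadmin/index.php` to the `~ \.php$` block, which carries no allow/deny rules, while the `^~` prefix and the regex listed before `~ \.php$` keep the request under the LAN-only rules.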