8

I have the following setup for phpmyadmin:

```apache
<Directory /usr/share/phpmyadmin>
        Options FollowSymLinks
        DirectoryIndex index.php
        Order Deny,Allow
        Allow from 127.0.0.1
        Deny from all

...

</Directory>
```

So essentially, I only allow phpmyadmin to be accessible from localhost. If someone from the outside world attempts to go to http://mydomain/phpmyadmin they'll get a 403 (Forbidden). This might tip them off to the fact it's there, but they just can't get to it.

Question: I'd rather have Apache return a 404 in this instance. Is that possible?

ThaDon
  • 1
    Sounds like bad practice to me. – You Jun 25 '11 at 17:00
  • Is this in your httpd.conf file, or included by being in the conf.d/ directory? – Corey Henderson Jun 25 '11 at 18:00
  • Actually it's within a phpmyadmin.conf file within /etc/apache2/conf.d – ThaDon Jun 26 '11 at 13:35
  • 6
    @You I wouldn't say so. It's like the difference between displaying "Either your username or password was entered incorrectly" vs "Your password was entered incorrectly" – ThaDon Jun 26 '11 at 13:39
  • To me, an HTTP 404 error should mean "the file doesn't exist". If the user is unauthorized, you should send a 403 forbidden error. This may be important for crawlers and other automated systems. – You Jun 26 '11 at 13:44
  • 1
    possible duplicate of [Is there a way to force apache to return 404 instead of 403?](http://stackoverflow.com/questions/1486304/is-there-a-way-to-force-apache-to-return-404-instead-of-403) –  Apr 27 '14 at 02:21
  • 5
    @You It is a good practice. You do not want to expose additional information to outsiders who are possible attackers. Moreover, search engines will not visit that page again if they see a "404 does not exist" message. You can keep 403 for DMZ. – Teoman shipahi Jun 26 '15 at 21:36
  • @Teomanshipahi I disagree; that's security by obscurity. In general if there is a way to authenticate you should serve a 403. In this particular case it'd be better to just not run phpmyadmin on an instance of Apache that talks to the outside world. – You Jun 27 '15 at 13:35

1 Answer

2

I've looked around the internet for an answer to a similar problem. While mod_rewrite is a possible solution, I find the best solution uses the "RedirectMatch" directive.

See StackOverflow: Problem redirecting 403 Forbidden to 404 Not Found

Kevin
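The two approaches the answer names, applied to the question's `/phpmyadmin` path, as an added example that is not part of the original question or answer. It assumes mod_rewrite is enabled and that the site is served from a virtual host; the `<VirtualHost>` wrapper and `ServerName` value are placeholders.

```apache
# Added example (not from the original post).
<VirtualHost *:80>
    ServerName mydomain

    # In virtual-host context mod_rewrite runs during URL-to-filename
    # translation, which happens before the Allow/Deny check in the
    # <Directory /usr/share/phpmyadmin> block. Remote clients therefore get
    # the 404 before Apache can answer 403.
    RewriteEngine On

    # Mirrors the question's "Allow from 127.0.0.1". If IPv6 loopback is
    # also allowed, add a second condition: RewriteCond %{REMOTE_ADDR} !=::1
    RewriteCond %{REMOTE_ADDR} !=127.0.0.1

    # With R= and a status outside 300-399 the substitution is dropped and
    # rewriting stops, so the client just receives 404 Not Found.
    RewriteRule ^/phpmyadmin(/.*)?$ - [R=404,L]

    # mod_alias form preferred in the answer. It has no client-address
    # condition, so it answers 404 to every client, localhost included.
    # Use it only on a virtual host that should never serve phpMyAdmin.
    # RedirectMatch 404 ^/phpmyadmin(/.*)?$
</VirtualHost>

# The existing <Directory /usr/share/phpmyadmin> block stays unchanged. Its
# Allow/Deny rules remain the actual access control; the rewrite rule only
# changes the status code a remote client sees.
```

To check the result, request `http://mydomain/phpmyadmin/` with `curl -I` from a remote host and from the server itself: the first should report 404, the second should still load the page.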