Block phpMyAdmin from public internet DSM6.x without the use of .htaccess

barisart
I'm New!
Posts: 1
Joined: Mon Apr 18, 2016 9:18 pm

Block phpMyAdmin from public internet DSM6.x without the use of .htaccess

Unread post by barisart » Tue Apr 19, 2016 11:35 pm

Greetings fellow Synology people..

I'm faced with the annoying problem of having my phpMyAdmin package accessible via the internet.
I fixed similar web folders via a .htaccess file but phpMyAdmin does not care about that sort of mechanism.

For 2 days I've searched the web for a way to fix this, yet all I found were solutions like disabling the service when not used.
I (like most others) tend to forget to disable this in the end, and that would leave me with an internet-facing phpMyAdmin and I don't like that.
So I set out to do some troubleshooting of my own, and after 2 hours of tracing I found a workable solution, at least for me that is.

This is what I found.
If phpMyAdmin is installed via the Package Center there are 2 files controlling the starting and stopping of the package.
By editing the enable script I'm able to do the same as a .htaccess file would do.

To do this we need to edit a .conf file via an SSH session as root.

The file we need to edit is: /var/packages/phpMyAdmin/target/synology_added/www.phpMyAdmin.enable.conf

Here is the original content

Code:

location ~ ^/phpMyAdmin/(.*)/\. {
        deny all;
}
location ~* ^/phpMyAdmin/(.*)\.(jpg|jpeg|png|gif|css|js|ico)$ {
        root /var/services/web/;
        expires max;
        log_not_found off;
}
location ~ ^/phpMyAdmin/(.*)\.php$ {
        root /var/services/web/;
        include fastcgi.conf;
        fastcgi_pass unix:/run/php-fpm/php56-fpm.sock;
}
location ~ ^/phpMyAdmin {
        root /var/services/web/;
        try_files $uri $uri/ /phpMyAdmin/index.php$is_args$args;
}

We need to edit it to something like this.
Where 10.1.1.0/24 is my local network, and 10.8.0.0/24 is my VPN subnet.

Code:

location ~ ^/phpMyAdmin/(.*)/\. {
        deny all;
}
location ~* ^/phpMyAdmin/(.*)\.(jpg|jpeg|png|gif|css|js|ico)$ {
        allow 10.1.1.0/24;
        allow 10.8.0.0/24;
        deny all;
        root /var/services/web/;
        expires max;
        log_not_found off;
}
location ~ ^/phpMyAdmin/(.*)\.php$ {
        allow 10.1.1.0/24;
        allow 10.8.0.0/24;
        deny all;
        root /var/services/web/;
        include fastcgi.conf;
        fastcgi_pass unix:/run/php-fpm/php56-fpm.sock;
}
location ~ ^/phpMyAdmin {
        allow 10.1.1.0/24;
        allow 10.8.0.0/24;
        deny all;
        root /var/services/web/;
        try_files $uri $uri/ /phpMyAdmin/index.php$is_args$args;
}

The situation I have now is:
- phpMyAdmin is accessible via the LAN (that's good)
- phpMyAdmin is accessible via a VPN connection (nice)
- phpMyAdmin is not found via the public internet (wooohoooo)

Keep in mind that this .conf file can be overwritten when the package is updated by Synology.
Just let me know if this is working for you !!

Barisart out !!
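
A check for the overwrite caveat in the post above, as an added example that is not part of the original thread: it parses the location blocks of the fragment and reports any block that lacks "deny all" or allows a range wider than the trusted subnets. It assumes flat location blocks as quoted in the post; the function names and the sample text are constructed for illustration.

```python
import ipaddress
import re

# Flat "location <pattern> { ... }" blocks, as in the fragment quoted in the post.
BLOCK = re.compile(r"location\s+(.+?)\s*\{(.*?)\}", re.S)
RULE = re.compile(r"^\s*(allow|deny)\s+([^;\s]+)\s*;", re.M)
TRUSTED = ["10.1.1.0/24", "10.8.0.0/24"]  # LAN and VPN subnets from the post

# Constructed sample: one stock block restored by an update, one over-wide allow.
SAMPLE = r"""
location ~ ^/phpMyAdmin/(.*)/\. {
        deny all;
}
location ~ ^/phpMyAdmin/(.*)\.php$ {
        root /var/services/web/;
        include fastcgi.conf;
}
location ~ ^/phpMyAdmin {
        allow 10.0.0.0/8;
        allow 10.8.0.0/24;
        deny all;
        root /var/services/web/;
}
"""

def is_trusted(value, nets):
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:  # "all", "unix:" or anything that is not an address
        return False
    return any(net.version == t.version and net.subnet_of(t) for t in nets)

def audit(conf_text, trusted=TRUSTED):
    """Return (location pattern, problem) pairs for blocks that are not locked down."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    findings = []
    for pattern, body in BLOCK.findall(conf_text):
        rules = RULE.findall(body)
        if ("deny", "all") not in rules:
            findings.append((pattern, "no 'deny all'"))
            continue
        cutoff = rules.index(("deny", "all"))  # nginx stops at the first matching rule
        for pos, (action, value) in enumerate(rules):
            if action == "allow" and pos > cutoff:
                findings.append((pattern, f"'allow {value}' after 'deny all' never matches"))
            elif action == "allow" and not is_trusted(value, nets):
                findings.append((pattern, f"'allow {value}' is outside the trusted ranges"))
    return findings

if __name__ == "__main__":
    for pattern, problem in audit(SAMPLE):
        print(f"{pattern}: {problem}")
```

On the NAS, pass the contents of /var/packages/phpMyAdmin/target/synology_added/www.phpMyAdmin.enable.conf to audit() after each package update.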

pgreslin
Novice
Posts: 43
Joined: Sun Mar 31, 2013 10:45 pm
Location: France

Re: Block phpMyAdmin from public internet DSM6.x without the use of .htaccess

Unread post by pgreslin » Sun Oct 09, 2016 8:57 pm

Thank you very much barisart.
Just have to stop/run the package after "www.phpMyAdmin.enable.conf" modification and it works perfectly.
Nice post.
DS415+, 8GB Ram, 4 x WD40EFRX (btrfs, Raid 5) & DX513 Extension Unit

mikepo
I'm New!
Posts: 8
Joined: Sat Nov 19, 2016 5:16 pm

Re: Block phpMyAdmin from public internet DSM6.x without the use of .htaccess

Unread post by mikepo » Fri Dec 02, 2016 7:55 pm

Hi,
Just want to add to this post, as the above didn't suit me.

I'm using DSM6.0 update 5, and after trying a couple of things to secure phpMyAdmin from public access I used the following:
(previous attempts by editing existing files caused a problem and the OS had to be reinstalled!)

If you look in
/etc/nginx/conf.d/www.phpMyAdmin.enable.conf

you will see an include statement, something like this:
include /usr/syno/etc/packages/phpMyAdmin/nginx/*.conf;

This directory was empty on my DS.

So I created a file in this directory called phpMyAdmin.conf, and put the following statements in:
allow 192.168.2.0/24;
allow 127.0.0.1;
deny all;
auth_basic "Administrator Login";
auth_basic_user_file /volume1/homes/xxxxxxxxxxx/xxxxxxxxx/.htpasswd;

192.168.2.0/24 is my local network, so this will deny all other IP addresses.
The statement:
auth_basic "Administrator Login";
is similar to .htaccess in Apache and requires the user name and password, which is stored in the auth_basic_user_file.

Format:
username:password

The password is encrypted using the .htaccess tools.

Don't forget to stop/start phpMyAdmin in the Package Center to make the settings work!

I hope this helps, as I spent a few hours to find a solution (and a few more reinstalling the OS ;-(

pgreslin
Novice
Posts: 43
Joined: Sun Mar 31, 2013 10:45 pm
Location: France

Re: Block phpMyAdmin from public internet DSM6.x without the use of .htaccess

Unread post by pgreslin » Fri Jan 13, 2017 10:22 pm

Thank you mikepo

After system update, all my modifications were overwritten in the phpMyAdmin.enable.conf.
I tried to put them back and I had the same issue as you: the system health of the NAS becomes AMBER (or RED, I don't remember).
I recovered the original file and the system health came back to GREEN (Good).
I guess that there is now a checksum verification done by the DSM to check if a system file has been modified. This is the problem.
So it's not mandatory to reinstall the entire DSM system. Always make a backup of modified files, just in case!

You're right, there is now an include statement in the conf file
So any *.conf file can be created in /usr/syno/etc/packages/phpMyAdmin/nginx/

It's better and easier.
DS415+, 8GB Ram, 4 x WD40EFRX (btrfs, Raid 5) & DX513 Extension Unit

vigilian
Beginner
Posts: 20
Joined: Thu Nov 05, 2015 3:35 am

Re: Block phpMyAdmin from public internet DSM6.x without the use of .htaccess

Unread post by vigilian » Wed Aug 23, 2017 7:07 pm

I can confirm the diagnostic about checksum and also that if nginx detects a problem it goes to failsafe and installs by itself a failsafe version of the DSM, thereby deleting the conf.d in /etc/nginx.

@mikepo Which part of a normal .conf for nginx is this? Because normally a full nginx file is presented as server { something something }. So is it a new /location part added? Because I would like to completely delete port 80 from phpMyAdmin, but without the server{} at the beginning I don't think it's possible in nginx... is it?

AngryBlackMan
Trainee
Posts: 11
Joined: Fri Feb 15, 2013 9:20 pm

Re: Block phpMyAdmin from public internet DSM6.x without the use of .htaccess

Unread post by AngryBlackMan » Thu Nov 23, 2017 6:48 pm

God bless you barisart! And extra thanks to both mikepo & pgreslin as well.

ashey120000
I'm New!
Posts: 1
Joined: Mon Jan 15, 2018 12:17 pm

Re: Block phpMyAdmin from public internet DSM6.x without the use of .htaccess

Unread post by ashey120000 » Mon Jan 15, 2018 12:25 pm

Hello,

I see that this is still an ongoing issue within the community and I have been looking at a way around this for some while.

However.... It appears that the easiest way to block remote access to phpMyAdmin is to edit the index.php file of the phpMyAdmin itself.

I have added the following to the top of the index.php in the web/phpMyAdmin folder, directly below the opening <?php tag:

Code:

$ip0 = ip2long("192.168.0.1");
$ip1 = ip2long("192.168.0.255"); // I am not sure if it's a valid IP address but!
$ip  = ip2long($_SERVER['REMOTE_ADDR']); // false when the client address is not IPv4

// Stop here unless the client address lies inside the allowed range.
if ($ip === false || $ip < $ip0 || $ip > $ip1) {
    exit();
}

Hope this helps!!!
