I am trying to configure phpMyAdmin on my server so that it is accessible only from localhost and not remotely. Below is the configuration in /etc/phpmyadmin/apache.conf on the server:
Alias /phpmyadmin /usr/share/phpmyadmin
<Directory /usr/share/phpmyadmin>
Order deny,allow
Deny from all
Allow from 127.0.0.1
Options FollowSymLinks
DirectoryIndex index.php
</Directory>
So, while I access phpmyadmin from remote I am getting 403 forbidden which is good but when I access phpmyadmin from localhost (that is from server using remote desktop), I am still getting 403 while I think this should give access to phpmyadmin from localhost. Anything I am missing here?
Thank you
My guess is you are using Apache 2.4.x. The syntax for access control changed between 2.2 and 2.4. The Order and Deny syntax you're using is for Apache 2.2, but won't work for 2.4. In 2.4 it would be something like:
<Directory /usr/share/phpmyadmin>
Require ip 127.0.0.1
Options FollowSymLinks
DirectoryIndex index.php
</Directory>
Reference from Apache upgrade doc, and Access Control docs.
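As an added illustration (not part of the answer above, and not an Apache tool), this Python sketch finds `<Directory>` blocks that still use 2.2-style directives and proposes a 2.4 `Require` line for the simple cases listed in Apache's upgrade notes. The function names and the sample configuration are constructed for this example; anything outside those simple cases is left for manual review.

```python
import re
# Constructed sample: the question's 2.2-style block plus a block mixing both styles.
SAMPLE_CONF = """
<Directory /usr/share/phpmyadmin>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Directory>
<Directory "/srv/example">
    Allow from all
    Require all granted
</Directory>
"""

def translate(legacy):
    """Map only the simple cases from Apache's 2.4 upgrade notes; None = review by hand."""
    order = next((d[1] for d in legacy if d[0] == "order" and len(d) > 1), "deny,allow")
    allows = [v for d in legacy if d[0] == "allow" for v in d[2:]]
    denies = [v for d in legacy if d[0] == "deny" for v in d[2:]]
    if allows == ["all"] and not denies:
        return "Require all granted"
    if denies == ["all"] and not allows:
        return "Require all denied"
    if (order == "deny,allow" and denies == ["all"] and allows
            and all(re.fullmatch(r"[\d.]+(/\d+)?", a) for a in allows)):
        return "Require ip " + " ".join(allows)
    return None

def audit(conf_text):
    """Return (path, style, suggestion) for every <Directory> block in conf_text."""
    findings, block = [], None
    for line in (raw.strip() for raw in conf_text.splitlines()):
        opened = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line, re.I)
        if opened:
            block = (opened.group(1), [], [])          # path, legacy, require
        elif block and re.match(r"</Directory\s*>", line, re.I):
            path, legacy, require = block
            style = ("mixed" if legacy and require else "legacy" if legacy
                     else "require" if require else "none")
            findings.append((path, style, translate(legacy) if style == "legacy" else None))
            block = None
        elif block and line and not line.startswith("#"):
            words = line.lower().split()
            if words[0] in ("order", "allow", "deny", "require"):
                block[2 if words[0] == "require" else 1].append(words)
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_CONF), sep="\n")
```

A block reported as "mixed" carries both directive styles and is worth reading by hand, since the two sets of rules are evaluated by different modules.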
Logical mistake
You make one big mistake, every one of you.
PhpMyAdmin is NOT a server, it's just a client written as a PHP script and served by some HTTP server (Apache in this case).
What you want(ed), and what others suggested, is to disable access to the phpMyAdmin vhost of the HTTP server, but it will still be possible to log in to the database with any other client, from the terminal's mysql command to a GUI client like MySQL Workbench or an IDE's built-in DB client. Where's the logic?
Of course, you can combine both techniques (HTTP securing and MySQL securing); however, without the second your database will still be unsafe. PhpMyAdmin is just a client! It even has its own mechanics for controlling access, but if someone uses any other client (mentioned above) your effort will be absolutely worthless.
Solution:
To maintain your case you should create a dedicated MySQL account with localhost access (I can bet that at the moment of writing this post it is/was %, which means global); then MySQL will control all incoming connections to check if they are from the local machine or from the world.
Just don't forget to remove the account with global access (%) and flush the privileges after all changes.
Also, I always suggest creating exactly one user with all privileges to exactly one dedicated database (ofc, other than root). That way, even if you are the only admin working on many databases, you minimize the risk of accidental changes in other databases. (Pro tip: a good password manager will be your friendly ghost-guard.)
I'd suggest googling it and getting overall knowledge of this topic, as it's quite crucial for DB security; however, it will also be enough if you implement the simple solution from the very first answer found. Using a localhost restriction in MySQL, preferably together with blocking port 3306 on the firewall side, is a perfect solution for accessing your data with a locally installed PhpMyAdmin script 100% securely (if that's possible at all).
Below I cite an answer from another post:
GRANT ALL PRIVILEGES ON *.* TO db_user@'localhost' IDENTIFIED BY 'db_passwd';
GRANT ALL PRIVILEGES ON *.* TO db_user@'127.0.0.1' IDENTIFIED BY 'db_passwd';
[mysqld]
bind-address = 127.0.0.1
P.S. You don't even need to write an SQL command for this; you can change it for each user with... PhpMyAdmin.
I think this should work, and make it so that you can only access it locally. It should be mostly something like this:
<Directory /usr/share/phpmyadmin>
Require local
#......otherthings (also, only copy the line Require local)
</Directory>
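An added example (not from either answer) comparing which connections `Require ip 127.0.0.1` and `Require local` admit, following the documented meaning of `Require local`: client in 127.0.0.0/8, client equal to ::1, or client and server address identical. The addresses are constructed documentation-range values and the function names are hypothetical.

```python
import ipaddress

# Constructed connections: (client address, server address) as Apache would see them.
CONNECTIONS = [
    ("127.0.0.1", "127.0.0.1"),      # browser on the server, http://127.0.0.1/
    ("::1", "::1"),                  # browser on the server, localhost resolved over IPv6
    ("192.0.2.10", "192.0.2.10"),    # browser on the server, using the server's own address
    ("198.51.100.7", "192.0.2.10"),  # remote client
]

def require_ip(spec, client):
    """Model `Require ip <spec>` for a full address or CIDR range (partial IPs not handled)."""
    net = ipaddress.ip_network(spec, strict=False)
    addr = ipaddress.ip_address(client)
    return addr.version == net.version and addr in net

def require_local(client, server):
    """Model `Require local`: loopback client, or client and server address identical."""
    addr = ipaddress.ip_address(client)
    return addr.is_loopback or addr == ipaddress.ip_address(server)

def compare(connections):
    """Return (client, admitted by `Require ip 127.0.0.1`, admitted by `Require local`)."""
    return [(c, require_ip("127.0.0.1", c), require_local(c, s)) for c, s in connections]

if __name__ == "__main__":
    for client, by_ip, by_local in compare(CONNECTIONS):
        print(f"{client:<14} Require ip 127.0.0.1: {by_ip!s:<5}  Require local: {by_local}")
```

Only `Require local` admits the IPv6 loopback and same-address connections; the remote client is refused by both rules.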
Related
I am replacing an old web server running IIS 7 (?) with a new server running XAMPP (Apache 2.4) on a Windows Server 2019 Standard machine. I have a couple of network shares with content I need to display, but I cannot get Apache configured correctly. I am calling one such network folder "eom".
I created a new user specifically to run the Apache service, the user account has network access, and I have the service running as that user. That user (as well as my own user account) has full control/access to the network folder identified below.
I have tried simply identifying the network location with a block, like this:
<Directory "//OLDSERVER/data/eom">
AllowOverride None
Allow from All
Options +FollowSymLinks
</Directory>
Alias /eom/ "//OLDSERVER/data/eom"
In this case, "/data" is a shared folder. If I try it with the drive letter identified like "//OLDSERVER/c$/data/eom", Apache doesn't like it. It says the path is invalid.
I have also tried creating a symbolic link called "eom" and pointing to the same folder with this command:
mklink /D eom \\OLDSERVER\data\eom
When I created the symlink, I commented out the block in the config file. Nothing is working. No matter how I try it, the response I get is "403 Forbidden You don't have permission to access this resource."
I have also tried starting the web service as myself, especially when testing the symbolic link, but I always get the same result.
Any help is appreciated.
FINALLY figured it out! The steps are (all from the web server):
make sure you have access rights to the content you are trying to share
find the IP address of the remote server with the needed content
ping -a \OLDSERVER
navigate to your web root folder, in my case "c:\xampp\htdocs".
use "mklink" to create a symbolic link:
mklink /D eom \\10.20.30.40\data\eom
add block in your httpd.conf file:
<Directory "/eom">
AllowOverride none
Allow from All
Options +FollowSymLinks
</Directory>
restart Apache
Now you can test. There may be other ways to do it, but this is what has finally worked for me.
I run Apache locally, on one of my home servers. I am able to access the domain once or twice, but then it will time out. It simply won't allow me to access it from my IP (the same IP the site is hosted on). Others are able to type in the domain name and access the server as much as they want. If I use a proxy, then I am also able to access it. The only times it messes up is when I try to access it without a VPN, or by using another computer that is on the network.
TL;DR: can't access the site from my own network; other networks can access it.
Could you tell us what operating system you use? It could also be that in the rules for that directory you are allowing access to it from any IP except localhost.
Example:
<Directory /var/www/html/>
Order Deny,Allow
Deny from 127.0.0.1
Allow from All
</Directory>
Such a configuration would deny everything from localhost and allow everything from any other IP.
Here is the situation: I was given a machine with a subversioned repository of an old website to update/add contents every now and then. The website is built using ColdFusion and Model-Glue MVC, AND I have no idea (zero) about ColdFusion. The other website we run is on CakePHP and that is good enough learning curve for me. ;(
With that said, I don't have a problem modifying its contents because it's all HTML and JavaScript. The problem is that with each minor change, I have to commit to the development repository on the server THEN go online to see what the change looks like!
It gets very frustrating just to try different values for a simple thing like the "height" attribute of an html tag!! And what frustrated me even more is trying to run a local copy on my machine for that repository!
What I tried so far:
I installed CF10 with WAMP.
Configured vhosts file for the new server.
Added my user to ColdFusion Application server service (windows 7x64)
But whenever I try to open it in the browser it gives me "Exception Service Error Application Exception"!! Any help please?
Update: I forgot to ask! How do I know which index.cfm file the website starts with? For example, I know in CakePHP it's app/webroot/index.php. What is that in (ColdFusion X Model-Glue)? There are so many index.cfm and application.cfm files!
my httpd-vhosts.conf block about this server is like the following:
<VirtualHost *>
ServerName localhost-CF
DocumentRoot "C:/wamp/www/my/webroot/directory/"
<Directory "C:/wamp/www/my/webroot/directory/">
Options Indexes FollowSymLinks Includes ExecCGI
allow from all
order allow,deny
# Enables .htaccess files for this site
AllowOverride All
</Directory>
# Apache will look for these two files, in this order, if no file is specified in the URL
DirectoryIndex index.cfm index.html index.php
</VirtualHost>
Here is a link to a Screen Cap --no enough rep ;{ -- of what I get using both servers (not at the same time though) apache and built-in:
CF10 Local Server Setup Issue
Also, here is a block from cfusion\logs\application.log:
"Error","ajp-bio-8012-exec-1","08/15/13","10:34:38","PREK","Error during init: Could not find the ColdFusion component or interface coldspring.beans.DefaultXmlBeanFactory. Ensure that the name is correct and that the component or interface exists."
"Error","ajp-bio-8012-exec-1","08/15/13","10:34:38","PREK","Error during exception service init: Element EXCEPTIONSERVICE is undefined in a Java object of type class [Ljava.lang.String;. "
"Error","ajp-bio-8012-exec-1","08/15/13","10:34:38","PREK","Error during application init: The datasource named cfclientstorage is not a valid client storage DSN. Define client storage DSN through the ColdFusion Administrator."
I do have cfclientstorage as a DSN storage and the Administrator tells me its verified!
However, I think, if this exact repository works fine on the server then I should not worry about the code! It is most likely a system/server configuration or installation problem (on my local machine).
It looks like you're using ColdSpring. You need to log in to ColdFusion Administrator and add a mapping to your ColdSpring directory, for example:
/coldspring --> c:/ColdSpring
Also, you will need to set a datasource to point to your "cfclientstorage" database. This is also in ColdFusion Administrator.
I'm just a newbie for Apache. I just installed apache 2.2 on the FreeBSD box at my home office. The instruction on FreeBSD documentation is that I can change the DocumentRoot directive in order to use the customized directory data. Therefore, I replaced...
/usr/local/www/apache22/data
with
/usr/home/some_user/public_html
but something is not right. There's index.html file inside the directory, but it seems that apache could not read the directory/file.
Forbidden
You don't have permission to access / on this server.
The permission of
public_html
is
drwxr-xr-x
I wonder what could be wrong here. Also, in my case, I am not going to host more than one website for this FreeBSD box, so I didn't look at using VirtualHost at all. Is this a good practice just to change the DirectoryRoot directive?
Somewhere in the apache config is a line like:
# This should be changed to whatever you set DocumentRoot to.
#
<Directory "/usr/local/www/apache22/data">
You must change this path too, to make it work. This directive contains for example:
Order allow,deny
Allow from all
Which gives initial user access to the directory.
One possibility that comes to mind is SELinux blocking the web process from accessing that folder. If this is the case, you would see it in the SELinux log. You would have to check the context for your original web root with:
ls -Zl
and then apply it to your new web folder:
chcon whatevercontextyousaw public_html
Or, instead, if it's not a production server that requires security (like a development machine behind a firewall), you might want to just turn SELinux off.
Just one idea. Could be a number of other things.
I have a WAMP server on my laptop as my local server. On this server I am hosting a webpage just for local use.
I have also registered a free domain name for my server from dyndns.org. I'm using dynamic DNS by running software from dyndns.org.
When I try to access my server and view the website which I am hosting on it using my browser, by typing localhost or my free domain name, it works just fine.
But the problem is that when a friend of mine sitting right next to me (on the same local network) tries to visit my webpage from his laptop, he gets an error message saying:
"You don't have permissions to access this server".
I configured the httpd.conf file after I installed the WAMP server and changed only the DocumentRoot and the Directory to a folder of my choice inside the www folder.
I also changed the ServerName to be my free domain name.
I don't think that the above are the problem. So, does anyone have a clue about what might be wrong here?
Did you try writing this:
<Directory yourdir>
Order Allow,Deny
Allow from all
</Directory>
Nope, that didn't work either. But after messing around with the httpd.conf file I found the solution. In the
<Directory yourdir>
Order Allow,Deny
Allow from all
# I had to put this line also
Require all granted
</Directory>