I'm trying to secure my web server by changing the url of phpmyadmin (/phpmyadmin).
I have edited the file /etc/phpmyadmin/apache.conf :
Alias /secure-db /usr/share/phpmyadmin
<Directory /usr/share/phpmyadmin>
Options FollowSymLinks
DirectoryIndex index.php
<IfModule mod_php5.c>
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc Off
php_flag track_vars On
php_flag register_globals Off
php_admin_flag allow_url_fopen Off
php_value include_path .
php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp
php_admin_value open_basedir /usr/share/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/
</IfModule>
Now, I can access phpmyadmin via /secure-db, and also via /phpmyadmin
I do not understand why /phpmyadmin is still available. Of course, I did restart apache.
By the way, I'm using ISPConfig 3.0.5.4p1
Any idea? Is there another kind of vhost somewhere?
EDIT :
I had another file "phpmyadmin.conf.bak.20140429" in the same folder which contained the alias /phpmyadmin. After removing it I could not go to the url /phpmyadmin. So I guess that this backup file was read by apache.
Related
I've looked at quite a few answers for this, but all seem apparently out of date. I'm using Ubuntu 14.04 and Apache 2.4.7. My /etc/apache2/conf.d/phppgadmin file looks like this:
Alias /phppgadmin /usr/share/phppgadmin
<Directory /usr/share/phppgadmin>
DirectoryIndex index.php
AllowOverride all
order deny,allow
#deny from all
#allow from 127.0.0.0/255.0.0.0 ::1/128
Require all granted
<IfModule mod_php5.c>
php_flag magic_quotes_gpc Off
php_flag track_vars On
#php_value include_path .
</IfModule>
<IfModule !mod_php5.c>
<IfModule mod_actions.c>
<IfModule mod_cgi.c>
AddType application/x-httpd-php .php
Action application/x-httpd-php /cgi-bin/php
</IfModule>
<IfModule mod_cgid.c>
AddType application/x-httpd-php .php
Action application/x-httpd-php /cgi-bin/php
</IfModule>
</IfModule>
</IfModule>
</Directory>
Also have a file 000-default in /etc/apache2/sites-enabled while looks like:
<Directory "/usr/share/phpPgAdmin">
AuthUserFile /etc/phpPgAdmin/.htpasswd
AuthName "Restricted Area"
AuthType Basic
require valid-user
</Directory>
And I've modified /etc/phppgadmin/.htpasswd appropriately.
Nonetheless, when I try to log into it remotely I get a 403: Forbidden error.
Any ideas? Further, could this error be imposed by the type of network I'm on? (it's a campus network).
Try is
sudo cp /etc/apache2/conf.d/phppgadmin /etc/apache2/conf-enabled/phppgadmin.conf
Restart httpd2 (Apache)
sudo /etc/init.d/apache2 restart
or
sudo service apache2 start
For Ubuntu 14.04
There is a number of similar questions, but none of them help.
I have the following rule in my .htaccess
RewriteRule ^images/.*$ - [F]
so for folders like /images/goods/ or /images/nonexistentfile.jpg I get 'Forbidden' which is what I want. The problem is if an existent file is requested, my rules are ignored and the file is served. In fact if I make a deliberate mistake in .htaccess I don't get an Internal Server Error as I would when requesting folders or non-existent files. What should I look for?
apache2.conf
<VirtualHost 1.2.3.4:8080>
ServerName domain.com
DocumentRoot /var/www/s3/data/www/domain.com
SuexecUserGroup s3 s3
CustomLog /var/www/httpd-logs/domain.com.access.log combin$
ErrorLog /var/www/httpd-logs/domain.com.error.log
ServerAlias www.domain.com
ServerAdmin example#domain.com
AddDefaultCharset utf-8
php_admin_value open_basedir "/var/www/s3/data:.:/tmp"
php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f example#domain.com
php_admin_value upload_tmp_dir "/var/www/s3/data/mod-tmp"
php_admin_value session.save_path "/var/www/s3/data/mod-tmp"
AddType application/x-httpd-php .php .php3 .php4 .php5 .phtml
AddType application/x-httpd-php-source .phps
</VirtualHost>
anything else I should post here?
I had a similar issue.
I put the following .htaccess in to the images folder to forbid access to jpg files (in my case)
IndexIgnore */*
<Files ~ ".*\.jpg$">
Order deny,allow
Deny from all
</Files>
It looks like you're htaccess file isn't being applied. Try adding an AllowOverride directive in your vhost config:
<Directory "/var/www/s3/data/www/domain.com/">
AllowOverride All
</Directory>
By default, AllowOverride should be set to All, but it's possible your host set it to something else at the server config level.
in case someone has the same problem, it is painfully trivial. The default ISPManager installation puts nginx in front of Apache for static files...
For security reasons I have put my yii folder below the html root, so my structure looks like this
/conf
/httpdocs
/httpsdocs
/yii
when running the site I get an error open_basedir restriction in effect that yii.php which is called by index.php out of httpdocs is not in the allowed path. Because this site is a subdomain do I edit the vhosts.conf of the main domain or of the subdomain?
What would the proper setting be to allow
/var/www/vhosts/example.com/subdomains/mysubdomain/yii
Path to be accessible?
EDIT
So my /var/www/vhosts/example.com/conf/vhost.conf file looks like this now:
AddHandler fcgid-script .php
<Directory /var/www/vhosts/example.com/httpdocs>
php_admin_value open_basedir ".:/var/www/vhosts/example.com/subdomains/mysubdomain/httpdocs:/tmp/:/var/www/vhosts/example.com/subdomains/mysubdomain/yii"
FCGIWrapper /var/www/vhosts/example.com/bin/php-cgi .php
Options +ExecCGI +FollowSymLinks
allow from all
</Directory>
I've reconfigured and restarted the web server but I still get the error:
Warning: require_once() [function.require-once]: open_basedir restriction in effect.
File(/var/www/vhosts/example.com/subdomains/mysubdomain/httpdocs/../yii/yii.php) is not within the allowed path(s):
(/var/www/vhosts/example.com/subdomains/mysubdomain/httpdocs:/tmp)
in /var/www/vhosts/example.com/subdomains/mysubdomain/httpdocs/index.php on line 26
In the virtualhost:
php_admin_value open_basedir ".:/var/www/vhosts/example.com/subdomains/mysubdomain/httpdocs:/my/own/tmp:/var/www/vhosts/example.com/subdomains/mysubdomain/yii"
I found the answer. You have to specify the different modules or else simply editing the vhost file doens't have much of an effect. This is to turn off the open_basedir but you can edit the settings accordingly.
<Directory /var/www/vhosts/YOURDOMAIN.COM/subdomains/YOUSUBDOMAIN/httpdocs>
<IfModule sapi_apache2.c>
php_admin_value open_basedir none
</IfModule>
<IfModule mod_php5.c>
php_admin_value open_basedir none
</IfModule>
</Directory>
then
# /usr/local/psa/admin/bin/websrvmng --reconfigure-vhost --vhost-name=YOURDOMAIN.COM
# apachectl stop
# apachectl start
Full article can be found here: http://prattski.com/2008/09/13/plesk-open_basedir-fix/
I've got full control of my Apache / WHM / CPanel server. I have a default PHP.ini file set up for everything and that is just fun for the production server.
On the same server, I have a staging/testing server - and on it I want display_errors to be ON instead of OFF (as it is in the production site of course). How can I tell the server to use a local PHP.ini file in that directory?
Thanks!
add an htaccess file to the dir with the rule php_flag display_errors on
In complement to #i_forget answer: You can use the php_admin_value & php_value & php_flag & php_admin_flag directives to alter specific settings on a Virtualhost or on a directory.
<Directory /path/to/foo>
php_value include_path ".:/var/www/foo/lib:/usr/share/php5/apc"
php_admin_flag file_uploads on
php_admin_value upload_tmp_dir "/my/tmp/upload/"
</Directory>
php_admin_value is safer than php_value (idem for flag) as the application cannot use ini_set to alter the value.
Here's it's one a Directory tag, so it could be as well on a .htaccess but you should'nt use .htaccess files if you have access to the configuration, use AllowOverride None :-). It could be as well on the VirtualHost, so before the the Directory tag.
I have apache+mysql+phpmyadmnin under Gentoo.
phpmyadmin-3.2.2
It worked fine before, but now, when I'm loading http://localhost/phpmyadmin I get a list of flies in phpmyadmin-directory, and when I chose index.php, I get it's own code.
What I did wrong?
It means that apache does not recognizes neither of your files as php executables. Maybe you run an 'emerge update world' and then an 'env-update' which install a new apache2 version and then re-write the old apache config file. As LiraNuna mentioned, you need to check that the phpMyAdmin directory contains the proper instruction to load the proper PHP module. In this way apache will know how to handle the php files.
This is what I have on /etc/apache2/vhosts.d/default_vhost.include under the phpMyAdmin Directory definition:
Alias /phpMyAdmin /var/www/localhost/htdocs/phpMyAdmin
<Directory /var/www/localhost/htdocs/phpMyAdmin>
Options Indexes FollowSymLinks
DirectoryIndex index.php
# Authorize for setup
<Files setup.php>
# For Apache 1.3 and 2.0
<IfModule mod_auth.c>
AuthType Basic
AuthName "phpMyAdmin Setup"
AuthUserFile /etc/phpmyadmin/htpasswd.setup
</IfModule>
# For Apache 2.2
<IfModule mod_authn_file.c>
AuthType Basic
AuthName "phpMyAdmin Setup"
AuthUserFile /etc/phpmyadmin/htpasswd.setup
</IfModule>
Require valid-user
</Files>
<IfModule mod_php4.c>
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc Off
php_flag track_vars On
php_flag register_globals Off
php_value include_path .
</IfModule>
<IfModule mod_php5.c>
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc Off
php_flag track_vars On
php_flag register_globals Off
php_value include_path .
</IfModule>
</Directory>
This should solve your problem.
Is mod_php5 installed? If so, do you have the php handler set up to handle .php files?
<IfModule mod_php5.c>
AddType application/x-httpd-php .php .phtml .php4 .php3
AddType application/x-httpd-php-source .phps
</IfModule>
If you are not using mod_php5, do you use any form of CGI? Do the .php files have execute permissions?