Apache 2.4 with PHP-FPM and ProxyPassMatch for PHPMyAdmin, is it secure

apache-2.4

I recently configured a Debian 8 with Apache 2.4. Since I have a fairly recent version of Apache, I used ProxyPassMatch instead of FastCgiExternalServer.

But when configuring my alias for PhpMyAdmin, I wondered if this was secure. Here's my configuration:

<VirtualHost *:80>
    ServerName www.my-website.com

    DocumentRoot /var/www/html/
    Alias /phpmyadmin/ "/usr/share/phpmyadmin/"
    <Directory "/usr/share/phpmyadmin/">
            Options FollowSymLinks
            DirectoryIndex index.php
    </Directory>

    # Disallow web access to directories that don't need it
    # (Apache 2.4 syntax; the 2.2-style "Order Deny,Allow / Deny from All"
    # only works through mod_access_compat and contradicts "Require all granted")
    <Directory /usr/share/phpmyadmin/libraries>
            Require all denied
    </Directory>
    <Directory /usr/share/phpmyadmin/setup/lib>
            Require all denied
    </Directory>

    ProxyPassMatch "^/(.*\.php(/.*)?)$" "unix:/var/run/php5-fpm-pma.sock|fcgi://localhost/usr/share"

    ErrorLog ${APACHE_LOG_DIR}/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
</VirtualHost>

What is bothering me is that the ProxyPassMatch allows any file under the /usr/share/ directory that ends with .php* to be executed. I only want to execute files in /usr/share/phpmyadmin/, but since it's an alias the /phpmyadmin/ part is already appended, so

ProxyPassMatch "^/(.*\.php(/.*)?)$" "unix:/var/run/php5-fpm-pma.sock|fcgi://localhost/usr/share/phpmyadmin/"

does not work, with the error that /usr/share/phpmyadmin/phpmyadmin/index.php was not found.

So is my current configuration secure enough regarding access to /usr/share/?

Thank you for your help!

Best Answer

I had the same problem. First, it's possible to leave:

ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/run/php/php7.0-fpm.sock|fcgi://localhost/var/www/html/

in the /etc/apache2/sites-available/000-default.conf

But the trick is simply to create a symbolic link like this:

ln -s /usr/share/phpmyadmin /var/www/html/phpmyadmin

Afterwards, you have to run "systemctl reload apache2" and it works again.
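The symlink above works because it moves the root that PHP-FPM is allowed to execute from /usr/share to /var/www/html, which contains nothing but the site and the phpMyAdmin link. If you would rather keep phpMyAdmin at its package location, the added configuration below (an editor's example, not the question's or the answer's config) scopes execution to /usr/share/phpmyadmin without a symlink. It also addresses a point neither post mentions: a request that ProxyPassMatch hands to mod_proxy is claimed by mod_proxy's own map_to_storage hook, so the `<Directory>` sections are never walked for it and a `Require all denied` on libraries/ or setup/ does not cover the .php files there. Handing .php files to FPM with `SetHandler` (the "proxy:" handler syntax exists from Apache 2.4.10, which is what Debian 8 ships) lets Apache resolve the file path through the Alias first, so only files under that directory reach FPM and the `<Directory>` rules apply before the handler runs. The socket path, directory names and ServerName are taken from the question; the rest is assumed.

```apache
# Added example: PHP execution limited to /usr/share/phpmyadmin.
# Socket and paths from the question; everything else is an assumption.
<VirtualHost *:80>
    ServerName www.my-website.com
    DocumentRoot /var/www/html/

    Alias /phpmyadmin/ "/usr/share/phpmyadmin/"
    <Directory "/usr/share/phpmyadmin/">
        Options FollowSymLinks
        DirectoryIndex index.php
        # Explicit; Debian's apache2.conf already grants /usr/share.
        Require all granted

        # Route by handler, not by URL: SCRIPT_FILENAME becomes the path
        # Apache resolved via Alias, so nothing outside this directory can be
        # executed, and the <Directory> denials below are evaluated first.
        # Requires mod_proxy and mod_proxy_fcgi; "proxy:" handlers need >= 2.4.10.
        <FilesMatch "\.php$">
            SetHandler "proxy:unix:/var/run/php5-fpm-pma.sock|fcgi://localhost/"
        </FilesMatch>
    </Directory>

    # With SetHandler these cover the PHP files as well, which they would not
    # do for requests rewritten by ProxyPassMatch.
    <Directory /usr/share/phpmyadmin/libraries>
        Require all denied
    </Directory>
    <Directory /usr/share/phpmyadmin/setup/lib>
        Require all denied
    </Directory>

    # If ProxyPassMatch must stay (e.g. an Apache older than 2.4.10): anchor the
    # pattern on the alias prefix and pass only the captured remainder as $1.
    # /phpmyadmin/index.php then maps to /usr/share/phpmyadmin/index.php and
    # /anything-else.php is not proxied at all. Access rules for proxied
    # requests must be written as <LocationMatch>, not <Directory>.
    #
    # ProxyPassMatch "^/phpmyadmin/(.*\.php(/.*)?)$" "unix:/var/run/php5-fpm-pma.sock|fcgi://localhost/usr/share/phpmyadmin/$1"
    # <LocationMatch "^/phpmyadmin/(libraries|setup/lib)/">
    #     Require all denied
    # </LocationMatch>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    LogLevel warn
</VirtualHost>
```

A quick way to confirm the scoping after `apache2ctl configtest` and a reload is to request a .php path outside the phpMyAdmin tree (any /usr/share/*/... .php file that exists on the box) and check that Apache answers 404 rather than FPM executing it, and to request a file under /phpmyadmin/libraries/ and check for 403.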