So to help prevent brute force attacks against my phpmyadmin install, I've configured nginx to require HTTP Basic Auth (extra username and password) and then the requests need to come from a whitelisted IP address. However, the IP address whitelist works fine if I run https://example.com/phpmyadmin/, but without adding the extra .php block I could load https://example.com/phpmyadmin/index.php without my IP being whitelisted. This issue doesn't affect the HTTP Basic Auth. Is there a reason this happens? Any way to get around having to add extra .php blocks? A copy of the config area for phpmyadmin is below.
```nginx
# Setup and secure phpMyAdmin
location /phpmyadmin/ {
    allow 1.2.3.4;
    deny all;
    auth_basic "phpMyAdmin - HTTP Basic Login";
    auth_basic_user_file /etc/nginx/pma_pass;

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        allow 1.2.3.4;
        deny all;
    }
}
```
Best Answer
In most PHP configurations, there is one `location ~ \.php$` block that processes any URI that ends with `.php`, so adding restrictions to other `location` blocks will only affect the static files involved. See this document for more.

The cleanest solution is to use a prefix location with the `^~` modifier, which ensures that all URIs that begin with `/phpmyadmin/` are processed by that block, and other `location`s at the top level do not bypass your security. See this document for more.

As you have discovered, you will need to add a nested `location` to handle PHP within that block, but the authentication statements should all be inherited and do not need to be repeated within the inner block. For example: