Forum: NGINX File Not Found logging in w/ nginx+phpMyAdmin in URL subdir

Stefan S. (Guest)
on 2009-02-14 00:49
Hello -

I'm using the nginx.conf file below to try to run phpMyAdmin with SSL
and FastCGI in a subdirectory (eg, mydom.myvpshost.com/phpmyadmin).

It works except after I hit GO on the phpMyAdmin login screen - when the
rewrite rule drops the "phpmyadmin" from the middle of the URL and the
browser displays "404 Not Found - nginx/0.6.33" - then if I add
"phpmyadmin" back in the middle of the rewritten URL it works fine for
the rest of the phpMyAdmin session.

server {
  listen 443;
  server_name mydom.myvpshost.com;

  ssl                 on;
  ssl_certificate     /etc/ssl/certs/myssl.crt;
  ssl_certificate_key /etc/ssl/private/myssl.key;

  access_log /usr/local/nginx/logs/phpmyadmin.access_log;
  error_log  /usr/local/nginx/logs/phpmyadmin.error_log;

  ssl_session_timeout  5m;

  ssl_protocols  SSLv2 SSLv3 TLSv1;
  ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
  ssl_prefer_server_ciphers   on;

  location /phpmyadmin/ {
    rewrite ^/phpmyadmin(/.*)$ $1 break;
    index index.php;
    fastcgi_index index.php;
    fastcgi_pass 127.0.0.1:9000;
    root /home/myname/sources/phpmyadmin/;

    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param HTTPS on;
    include /usr/local/nginx/conf/fastcgi_params.phpmyadmin;
    }
}

server {
  listen     80;
  server_name mydom.myvpshost.com;
  location / {
    rewrite ^/phpmyadmin(.*) https://mydom.myvpshost.com/phpmyadmin$1 permanent;
  }
}

So I can display the phpMyAdmin login screen (and get the self-signed
SSL certificate dialog the first time around), by going here:

http://mydom.myvpshost.com/phpmyadmin

I enter the Username and Password and hit GO, and then the browser shows
a new URL like this:

https://mydom.myvpshost.com/index.php?token=290761...

So it redirected from http to https, and it also dropped the
"phpmyadmin" part in the middle, because of the rewrite rule. Since the
root directive is /home/myname/sources/phpmyadmin/ (the location of
phpMyAdmin on my server), I thought this would work - but it doesn't.

I'm actually able to manually fix this by altering this URL in the
browser just this one time, inserting the "phpmyadmin" part in the
middle, like this:

https://mydom.myvpshost.com/phpmyadmin/index.php?t...

From then on everything works fine for the rest of the phpMyAdmin
session.

I know this problem wouldn't be happening if I used a vhost in the URL
(eg, phpmyadmin.mydom.myhost.com) - but in this case I want to use a
subdir in the URL (eg, mydom.myhost.com/phpmyadmin).

I've been sitting here for two days pulling my hair out trying to get
this right. Can anyone tell me what's wrong with my nginx.conf file
here?

Thanks.

- Stefan S.
Stefan S. (Guest)
on 2009-02-14 02:27
Hi -

I have a solution which seems to work now - I'm just not sure if this is
the best and most secure way to do this.

I want to use a URL like:

    http://mydom.myhost.com/phpmyadmin

And phpMyAdmin is installed on the server in directory:

    /home/myname/sources/phpmyadmin


Previously I was using a rewrite to remove the "phpmyadmin" part from
the start of all requests, and I was using /home/myname/sources/phpmyadmin as
the root:

    rewrite ^/phpmyadmin(/.*)$ $1 break;

    root /home/myname/sources/phpmyadmin/;


Now, I'm doing something equivalent which doesn't involve 'rewrite': I
keep the "phpmyadmin" part at the start of the requests, and I use a shorter
root which no longer has "phpmyadmin" at the end:

    # no rewrite

    root /home/myname/sources/;

This seems simpler and it does work.

There's a few things I'm worried about though:

1) The directory /home/myname/sources has lots of other programs in it.
Supposedly they can't be accessed since the location is /phpmyadmin/ -
is this true? If I point the browser at another program in the sources
directory, eg:

   http://mydom.myhost.com/anotherprogram

I get a 404 File Not Found error - which is good.

2) Because of the rewrite from http to https, the above URL actually
changes to https protocol before returning 404 File Not Found. Not quite
perfect, but OK I guess.

3) Ultimately I'd like to rewrite from http to https only for the
phpMyAdmin login page, and then use http (no SSL) while I'm already
logged into the phpMyAdmin session, so it will be faster. I'll look into
this later.

- Stefan S.
Stefan S. (Guest)
on 2009-02-14 02:56
Yeah, this "solution" is definitely a security risk.

I just did some testing, and I'm able to open *any* file in
/home/myname/sources/phpmyadmin.

For example, if I point the browser at:

  http://mydom.myhost.com/phpmyadmin/index.php

then Firefox offers to download the index.php file.

If I point the browser at:

  http://mydom.myhost.com/phpmyadmin/README

then it displays the README file in the browser, etc.

So this is not good.

How do I set up my directories and my nginx.conf file so that people can
browse to a site like:

  http://mydom.myhost.com/mysub-url

without exposing all the files in the directory $root/mysub-url?

Thanks.
Jim O. (Guest)
on 2009-02-14 03:48
(Received via mailing list)
How are you handling php files in your config file? They shouldn't be
served as text. Are you using php-fcgi?

Once you have that sorted out, you can use a rewrite something like:

location /path/to/phymyadmin/  {
  if ( $uri !~ ".*\.php$" )  {
    rewrite  ^/(.*)$ /index.php  last;
  }
}

I think that should work to rewrite every non-php request to the index
page.

Alternatively you can delete the readme file and other similar
non-essential files.
Rob S. (Guest)
on 2009-02-14 04:06
(Received via mailing list)
Yeah, but using that would kill all css, js, image files in that folder.

And it doesn't sound like you have php setup at all to be served on
that location. If you have php location block and a phpmyadmin
location block then you need to copy your php fastcgi/proxy pass
directives into your phpmyadmin section also. Since only 1 location
will be matched.
Stefan S. (Guest)
on 2009-02-14 05:06
Hi -

Thanks @Jim - I am using php-fcgi - you'll see it in the nginx.conf file
below.

The nginx.conf file shown below now works in most cases - except for two
nagging problems:

(1) When I browse to http://mydom.myhost.com/phpmyadmin/index.php
(non-SSL protocol, with the index.php file explicitly provided), then
instead of rewriting http -> https and rendering index.php in the
browser, it displays a dialog offering to *save* the index.php file.

The http->https rewrite in the server listening at port 80 isn't getting
done when I enter a URL http://mydom.myhost.com/phpmyadmin/index.php -
but it is getting done when I just enter
http://mydom.myhost.com/phpmyadmin. I don't know why - I thought
"location /" matched *all* queries.

(2) Certain graphics on the main page of phpMyAdmin are missing - for
example, the "Rainbow" graphic next to the Custom Color button (img
id="myRainbow" src="js/mooRainbow/images/rainbow.png") .

Here's the nginx.conf file:
server {
  listen 443;
  server_name mydom.myhost.com;

  ssl                 on;
  ssl_certificate     /etc/ssl/certs/myssl.crt;
  ssl_certificate_key /etc/ssl/private/myssl.key;

  access_log /usr/local/nginx/logs/phpmyadmin.access_log;
  error_log  /usr/local/nginx/logs/phpmyadmin.error_log;

  ssl_session_timeout  5m;

  ssl_protocols  SSLv2 SSLv3 TLSv1;
  ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
  ssl_prefer_server_ciphers   on;

  location /phpmyadmin/ {
    root /home/myname/sources/;
    index index.php;
    fastcgi_index index.php;
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param HTTPS on;
    include /usr/local/nginx/conf/fastcgi_params.phpmyadmin;
    }
}

server {
  listen     80;
  server_name myhost.mydom.com;
    location / {
    rewrite ^/phpmyadmin(.*) https://myhost.mydom.com/phpmyadmin$1 permanent;
  }
}

This seems like it should be straightforward - I just want to serve
phpMyAdmin from a sub-URL (mydom.myhost.com/phpmyadmin) instead of from
a vhost (phpmyadmin.mydom.myhost.com). And I want to use SSL. (Actually I
really just want to use SSL on the POST on the login page - but I
haven't figured out how to shut off SSL for the other pages yet - which
is gonna be a whole 'nother can of worms I guess.)

Thanks for any help.

- Stefan S.
Rob S. (Guest)
on 2009-02-14 05:33
(Received via mailing list)
On Feb 13, 2009, at 9:06 PM, Stefan S. wrote:
> is gonna be a whole 'nother can of worms I guess.)
>

You are going to open yourself up to security issues if you go to a
http after authentication. All your information will be able to be
sniffed and potentially get the session id for your current session
and get into your phpmyadmin install that way. If you want it to be
secure you need to start on https and stay on https.
Stefan S. (Guest)
on 2009-02-14 06:40
Rob S. wrote:
> On Feb 13, 2009, at 9:06 PM, Stefan S. wrote:
>> is gonna be a whole 'nother can of worms I guess.)
>>
>
> You are going to open yourself up to security issues if you go to a
> http after authentication. All your information will be able to be
> sniffed and potentially get the session id for your current session
> and get into your phpmyadmin install that way. If you want it to be
> secure you need to start on https and stay on https.

OK, thanks for the heads-up! I'll just stay in https for the whole
session then.
Stefan S. (Guest)
on 2009-02-14 06:59
Stefan S. wrote:

> (1) When I browse to http://mydom.myhost.com/phpmyadmin/index.php
> (non-SSL protocol, with the index.php file explicitly provided), then
> instead of rewriting http -> https and rendering index.php in the
> browser, it displays a dialog offering to *save* the index.php file.

This is fixed now. I had fixed the nginx.conf file and the problem kept
on happening - till I realized that Firefox was saving the index.php
file in its disk cache, and therefore offering to download it (before
giving nginx a chance to rewrite the http to https!).

I cleared the cache, and now when I open:

http://mydom.myhost.com/myphpadmin/index.php

it rewrites to https:

http://mydom.myhost.com/myphpadmin/index.php

and Firefox renders index.php rather than trying to download it.


Regarding the other issue (labeled (2) in my earlier post), where some
img graphics are missing, that's still happening.

This img graphic in the source of the main frame on the phpMyAdmin main
page (having a relative path starting with "js") is getting lost:

img id="myRainbow" src="js/mooRainbow/images/rainbow.png"

But other files in the same frame specified using a different kind of
path (having a pathname starting with a ".") seem to be fine:

img class="icon" src="./themes/original/img/s_host.png"

I probably need another 'location' block to serve static files. The "."
in the second pathname refers to the phpMyAdmin home directory, and
nginx is able to find this graphic - but it's currently unable to find
the graphic whose pathname starts with the relative reference "js". I'm also
doing:

tail /usr/local/nginx/logs/phpmyadmin.access_log

to try to see exactly what URLs the browser is trying to GET.


Here's my nginx.conf:

  server {
    listen 443;
    server_name mydom.myhost.com;

    ssl         on;
    ssl_certificate   /etc/ssl/certs/myssl.crt;
    ssl_certificate_key /etc/ssl/private/myssl.key;

    access_log /usr/local/nginx/logs/phpmyadmin.access_log;
    error_log  /usr/local/nginx/logs/phpmyadmin.error_log;

    ssl_session_timeout  5m;

    ssl_protocols  SSLv2 SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers   on;

    location /phpmyadmin/ {
      root /home/myname/sources/;
      index index.php;
      include /usr/local/nginx/conf/fastcgi_params.phpmyadmin;
      }
  }

  server {
    listen   80;
    server_name mydom.myhost.com;
    location / {
      rewrite ^/phpmyadmin(.*) https://mydom.myhost.com/phpmyadmin$1 permanent;
    }
  }

And here's fastcgi_params.phpmyadmin:

fastcgi_index  index.php;
fastcgi_pass   127.0.0.1:9000;

fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param  HTTPS on;

fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

- Stefan S.
Stefan S. (Guest)
on 2009-02-14 07:02
TYPO:
> I cleared the cache, and now when I open:
>
> http://mydom.myhost.com/myphpadmin/index.php
>
> it rewrites to https:
>
> http://mydom.myhost.com/myphpadmin/index.php
>
> and Firefox renders index.php rather than trying to download it.

SHOULD SAY:

I cleared the cache, and now when I open:

http://mydom.myhost.com/myphpadmin/index.php

it rewrites to https:

httpS://mydom.myhost.com/myphpadmin/index.php

and Firefox renders index.php rather than trying to download it.

(Forgot the "S" in the second URL: httpS).
Igor S. (Guest)
on 2009-02-14 14:11
(Received via mailing list)
On Fri, Feb 13, 2009 at 08:38:11PM -0500, Jim O. wrote:

> How are you handling php files in your config file? They shouldn't be served as text.
> Are you using php-fcgi?
>
> Once you have that sorted out, you can use a rewrite something like:
>
> location /path/to/phymyadmin/  {
>   if ( $uri !~ ".*\.php$" )  {
>     rewrite  ^/(.*)$ /index.php  last;
>   }
> }

There is a much better way to do this:

 location /path/to/phymyadmin/  {
   rewrite  ^/(.*)$ /index.php  last;
 }

 location /path/to/phymyadmin/.+\.php$ {
   ...
 }
Maxim D. (Guest)
on 2009-02-14 14:37
(Received via mailing list)
Hello!

On Sat, Feb 14, 2009 at 02:59:24PM +0300, Igor S. wrote:

> > }
>
> There is a much better way to do this:
>
>  location /path/to/phymyadmin/  {
>    rewrite  ^/(.*)$ /index.php  last;
>  }
>
>  location /path/to/phymyadmin/.+\.php$ {

-  location /path/to/phymyadmin/.+\.php$ {
+  location ~ /path/to/phymyadmin/.+\.php$ {

>    ...
>  }
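
Review bot: the pattern on the + line has no leading ^, so this regex location matches any URI that merely contains /path/to/phymyadmin/ followed by a name ending in .php, including URIs outside that prefix such as /other/path/to/phymyadmin/x.php. Anchor it as "location ~ ^/path/to/phymyadmin/.+\.php$ {" so that only scripts under the intended directory reach the PHP handler.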

[...]

Maxim D.
maria m. (Guest)
on 2012-04-16 22:27
server {
  listen 80;
  server_name support.example.com;
  access_log /var/log/nginx/support.example.com.access.log;
  error_log /var/log/nginx/support.example.com.error.log;

  # this root dir below is to the thebuggenie htdocs folder
  root /home/user/public_html/support.example.com/thebuggenie;
  client_max_body_size 40M;
  large_client_header_buffers 4 8k;
  index index.php index.html;

  location ^~ /files { }

  #location ~ \..*/.*\.php$ { return 403; }

  location ~ \.php$ {
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
  }

  location ~ /(?<suburi>.*) {
    set $suburi $1;
    try_files $uri $uri/ /index.php?url=$suburi&$args;
  }
}
Elton Lima (Guest)
on 2012-04-16 23:34
(Received via mailing list)
Hi,

server {
    listen 80;
    server_name localhost;
    #access_log /var/log/nginx/access.log main;

    location / {
      root  /var/www/nginx;
      index index.php index.html index.htm;
    }

    location /phpmyadmin {
       root /usr/share/;
       index index.php index.html index.htm;
       location ~ ^/phpmyadmin/(.+\.php)$ {
           try_files $uri =404;
           root /usr/share/;
           fastcgi_pass 127.0.0.1:9000;
           fastcgi_index index.php;
           fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
           include /etc/nginx/fastcgi_params;
       }
       location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
           root /usr/share/;
       }
    }
    location /phpMyAdmin {
       rewrite ^/* /phpmyadmin last;
    }
}



Elton Lima
------------------------------------------------------
Linux Support Analyst
Site: http://blog.eltonlima.com.br
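
A consolidated layout for the points raised in this thread, as an added example that is not any poster's configuration: HTTPS for the whole session, one /phpmyadmin/ prefix, PHP handled only by an anchored regex location, and nothing else under /home/myname/sources reachable. It assumes a current nginx release and reuses the host name, paths and fastcgi_params.phpmyadmin file posted above; the list of refused files is illustrative.

```nginx
# Added example; uses current nginx syntax (listen ... ssl, return 301).
# Host name, paths and the include file are the ones posted in the thread.

server {
    listen      80;
    server_name mydom.myhost.com;
    # Every plain-HTTP request is redirected, so the session never leaves HTTPS.
    return 301 https://mydom.myhost.com$request_uri;
}

server {
    listen      443 ssl;
    server_name mydom.myhost.com;

    ssl_certificate     /etc/ssl/certs/myssl.crt;
    ssl_certificate_key /etc/ssl/private/myssl.key;
    # ssl_protocols and ssl_ciphers are left at the nginx defaults.

    access_log /usr/local/nginx/logs/phpmyadmin.access_log;
    error_log  /usr/local/nginx/logs/phpmyadmin.error_log;

    # Nothing outside /phpmyadmin/ is served, so the sibling directories
    # under /home/myname/sources stay unreachable.
    location / {
        return 404;
    }

    location = /phpmyadmin {
        return 301 /phpmyadmin/;
    }

    # ^~ keeps any server-level regex location from taking these requests.
    location ^~ /phpmyadmin/ {
        root  /home/myname/sources;
        index index.php;

        # Nested regex locations are tried in order; this one comes first so
        # that config.inc.php is refused before the .php handler sees it.
        # The file list is an assumption; extend it for your install.
        location ~ ^/phpmyadmin/(README|ChangeLog|config\.inc\.php)$ {
            return 404;
        }

        # Only existing .php files under this prefix are handed to PHP.
        location ~ ^/phpmyadmin/.+\.php$ {
            try_files $uri =404;
            # The file posted earlier in the thread: it sets fastcgi_pass,
            # SCRIPT_FILENAME and "HTTPS on".
            include /usr/local/nginx/conf/fastcgi_params.phpmyadmin;
        }

        # Anything else (css, js, images) is served as a static file.
    }
}
```

After a reload, requesting /phpmyadmin/README and /anotherprogram over HTTPS should both return 404, and /phpmyadmin/index.php should render rather than download.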

