File Not Found logging in w/ nginx+phpMyAdmin in URL subdir


#1

Hello -

I’m using the nginx.conf file below to try to run phpMyAdmin with SSL
and FastCGI in a subdirectory (eg, mydom.myvpshost.com/phpmyadmin).

It works except after I hit GO on the phpMyAdmin login screen - when the
rewrite rule drops the “phpmyadmin” from the middle of the URL and the
browser displays “404 Not Found - nginx/0.6.33” - then if I add
“phpmyadmin” back in the middle of the rewritten URL it works fine for
the rest of the phpMyAdmin session.

server {
    listen 443;
    server_name mydom.myvpshost.com;

    ssl on;
    ssl_certificate /etc/ssl/certs/myssl.crt;
    ssl_certificate_key /etc/ssl/private/myssl.key;

    access_log /usr/local/nginx/logs/phpmyadmin.access_log;
    error_log /usr/local/nginx/logs/phpmyadmin.error_log;

    ssl_session_timeout 5m;

    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers on;

    location /phpmyadmin/ {
        rewrite ^/phpmyadmin(/.*)$ $1 break;
        index index.php;
        fastcgi_index index.php;
        fastcgi_pass 127.0.0.1:9000;
        root /home/myname/sources/phpmyadmin/;

        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS on;
        include /usr/local/nginx/conf/fastcgi_params.phpmyadmin;
    }
}

server {
    listen 80;
    server_name mydom.myvpshost.com;
    location / {
        rewrite ^/phpmyadmin(.*) https://mydom.myvpshost.com/phpmyadmin$1 permanent;
    }
}

So I can display the phpMyAdmin login screen (and get the self-signed
SSL certificate dialog the first time around), by going here:

http://mydom.myvpshost.com/phpmyadmin

I enter the Username and Password and hit GO, and then the browser shows
a new URL like this:

https://mydom.myvpshost.com/index.php?token=290761b728bd2bfac2953354fbf3e9bb

So it redirected from http to https, and it also dropped the
“phpmyadmin” part in the middle, because of the rewrite rule. Since the
root directive is /home/myname/sources/phpmyadmin/ (the location of
phpMyAdmin on my server), I thought this would work - but it doesn’t.

I’m actually able to manually fix this by altering this URL in the
browser just this one time, inserting the “phpmyadmin” part in the
middle, like this:

https://mydom.myvpshost.com/phpmyadmin/index.php?token=28f650a617ac1ae9b1842243eae2d8aa

From then on everything works fine for the rest of the phpMyAdmin
session.

I know this problem wouldn’t be happening if I used a vhost in the URL
(eg, phpmyadmin.mydom.myhost.com) - but in this case I want to use a
subdir in the URL (eg, mydom.myhost.com/phpmyadmin).

I’ve been sitting here for two days pulling my hair out trying to get
this right. Can anyone tell me what’s wrong with my nginx.conf file
here?

Thanks.

  • Stefan S.

#2

Hi -

I have a solution which seems to work now - I’m just not sure if this is
the best and most secure way to do this.

I want to use a URL like:

http://mydom.myhost.com/phpmyadmin

And phpMyAdmin is installed on the server in directory:

/home/myname/sources/phpmyadmin

Previously I was using a rewrite to remove the “phpmyadmin” part from
the of all requests, and I was using /home/myname/sources/phpmyadmin as
the root:

rewrite ^/phpmyadmin(/.*)$ $1 break;

root /home/myname/sources/phpmyadmin/;

Now, I’m doing something equivalent which doesn’t involve ‘rewrite’: I
keep the “phpmyadmin” part at start of the requests, and I use a shorter
root which no longer has “phpmyadmin” at the end:

# no rewrite

root /home/myname/sources/;

This seems simpler and it does work.

There’s a few things I’m worried about though:

  1. The directory /home/myname/sources has lots of other programs in it.
    Supposedly they can’t be accessed since the location is /phpmyadmin/ -
    is this true? If I point the browser at another program in the sources
    directory, eg:

    http://mydom.myhost.com/anotherprogram

    I get a 404 File Not Found error - which is good.

  2. Because of the rewrite from http to https, the above URL actually
    changes to https protocol before returning 404 File Not Found. Not quite
    perfect, but OK I guess.

  3. Ultimately I’d like to rewrite from http to https only for the
    phpMyAdmin login page, and then use http (no SSL) while I’m already
    logged into the phpMyAdmin session, so it will be faster. I’ll look into
    this later.

  • Stefan S.

#3

Yeah, this “solution” is definitely a security risk.

I just did some testing, and I’m able to open any file in
/home/myname/sources/phpmyadmin.

For example, if I point the browser at:

http://mydom.myhost.com/phpmyadmin/index.php

then Firefox offers to download the index.php file.

If I point the browser at:

http://mydom.myhost.com/phpmyadmin/README

then it displays the README file in the browser, etc.

So this is not good.

How do I set up my directories and my nginx.conf file so that people can
browse to a site like:

http://mydom.myhost.com/mysub-url

without exposing all the files in the directory $root/mysub-url?

Thanks.


#4

How are you handling php files in your config file? They shouldn’t be
served as text. Are you using php-fcgi?

Once you have that sorted out, you can use a rewrite something like:

location /path/to/phymyadmin/ {
    if ( $uri !~ ".*\.php$" ) {
        rewrite ^/(.*)$ /index.php last;
    }
}

I think that should work to rewrite every non-php request to the index
page.

Alternatively you can delete the readme file and other similar
non-essential files.


#5

Yea but using that would kill all css, js, image files in that folder.

And it doesn’t sound like you have php setup at all to be served on
that location. If you have php location block and a phpmyadmin
location block then you need to copy your php fastcgi/proxy pass
directives into your phpmyadmin section also. Since only 1 location
will be matched.


#6

Hi -

Thanks @Jim - I am using php-fcgi - you’ll see it in the nginx.conf file
below.

The nginx.conf file shown below now works in most cases - except for two
nagging problems:

(1) When I browse to http://mydom.myhost.com/phpmyadmin/index.php
(non-SSL protocol, with the index.php file explicitly provided), then
instead of rewriting http -> https and rendering index.php in the
browser, it displays a dialog offering to save the index.php file.

The http->https rewrite in the server listening at port 80 isn’t getting
done when I enter a URL http://mydom.myhost.com/phpmyadmin/index.php -
but it is getting done when I just enter
http://mydom.myhost.com/phpmyadmin. I don’t know why - I thought
“location /” matched all queries.

(2) Certain graphics on the main page of phpMyAdmin are missing - for
example, the “Rainbow” graphic next to the Custom Color button (img
id=“myRainbow” src=“js/mooRainbow/images/rainbow.png”) .

Here’s the nginx.conf file:

server {
    listen 443;
    server_name mydom.myhost.com;

    ssl on;
    ssl_certificate /etc/ssl/certs/myssl.crt;
    ssl_certificate_key /etc/ssl/private/myssl.key;

    access_log /usr/local/nginx/logs/phpmyadmin.access_log;
    error_log /usr/local/nginx/logs/phpmyadmin.error_log;

    ssl_session_timeout 5m;

    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers on;

    location /phpmyadmin/ {
        root /home/myname/sources/;
        index index.php;
        fastcgi_index index.php;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS on;
        include /usr/local/nginx/conf/fastcgi_params.phpmyadmin;
    }
}

server {
    listen 80;
    server_name myhost.mydom.com;
    location / {
        rewrite ^/phpmyadmin(.*) https://myhost.mydom.com/phpmyadmin$1 permanent;
    }
}

This seems like it should be straightforward - I just want to serve
phpMyAdmin from a sub-URL (mydom.myhost.com/phpmyadmin) instead of from
a vhost (phpmyadmin.mydom.myhost.com) And I want to use SSL. (Actually I
really just want to use SSL on the POST on the login page - but I
haven’t figured out how to shut off SSL for the other pages yet - which
is gonna be a whole 'nother can of worms I guess.)

Thanks for any help.

  • Stefan S.

#7

On Feb 13, 2009, at 9:06 PM, Stefan S. wrote:

is gonna be a whole 'nother can of worms I guess.)

You are going to open yourself up to security issues if you go to
http after authentication. All your information will be able to be
sniffed and potentially get the session id for your current session
and get into your phpmyadmin install that way. If you want it to be
secure you need to start on https and stay on https.


#8

Rob S. wrote:

On Feb 13, 2009, at 9:06 PM, Stefan S. wrote:

is gonna be a whole 'nother can of worms I guess.)

You are going to open yourself up to security issues if you go to
http after authentication. All your information will be able to be
sniffed and potentially get the session id for your current session
and get into your phpmyadmin install that way. If you want it to be
secure you need to start on https and stay on https.

OK, thanks for the heads-up! I’ll just stay in https for the whole
session then.


#9

Stefan S. wrote:

(1) When I browse to http://mydom.myhost.com/phpmyadmin/index.php
(non-SSL protocol, with the index.php file explicitly provided), then
instead of rewriting http -> https and rendering index.php in the
browser, it displays a dialog offering to save the index.php file.

This is fixed now. I had fixed the nginx.conf file and the problem kept
on happening - till I realized that Firefox was saving the index.php
file in its disk cache, and therefore offering to download it (before
giving nginx a chance to rewrite the http to https!).

I cleared the cache, and now when I open:

http://mydom.myhost.com/myphpadmin/index.php

it rewrites to https:

http://mydom.myhost.com/myphpadmin/index.php

and Firefox renders index.php rather than trying to download it.

Regarding the other issue (labeled (2) in my earlier post), where some
img graphics are missing, that’s still happening.

This img graphic in the source of the main frame on the phpMyAdmin main
page (having a relative path starting with “js”) is getting lost:

img id=“myRainbow” src=“js/mooRainbow/images/rainbow.png”

But other files in the same frame specified using a different kind of
path (having a pathname starting with a “.”) seem to be fine:

img class=“icon” src="./themes/original/img/s_host.png"

I probably need another ‘location’ block to serve static files. The “.”
in the second pathname refers to the phpMyAdmin home directory, and
nginx is able to find this graphic - but it’s currently unable to find
graphic whose pathname starts with the relative reference “js”. I’m also
doing:

tail /usr/local/nginx/logs/phpmyadmin.access_log

to try to see exactly what URLs the browser is trying to GET.

Here’s my nginx.conf:

server {
    listen 443;
    server_name mydom.myhost.com;

    ssl on;
    ssl_certificate /etc/ssl/certs/myssl.crt;
    ssl_certificate_key /etc/ssl/private/myssl.key;

    access_log /usr/local/nginx/logs/phpmyadmin.access_log;
    error_log /usr/local/nginx/logs/phpmyadmin.error_log;

    ssl_session_timeout 5m;

    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers on;

    location /phpmyadmin/ {
        root /home/myname/sources/;
        index index.php;
        include /usr/local/nginx/conf/fastcgi_params.phpmyadmin;
    }
}

server {
    listen 80;
    server_name mydom.myhost.com;
    location / {
        rewrite ^/phpmyadmin(.*) https://mydom.myhost.com/phpmyadmin$1 permanent;
    }
}

And here’s fastcgi_params.phpmyadmin:

fastcgi_index index.php;
fastcgi_pass 127.0.0.1:9000;

fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTPS on;

fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;

fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;

fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;

fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect

fastcgi_param REDIRECT_STATUS 200;

  • Stefan S.

#10

On Fri, Feb 13, 2009 at 08:38:11PM -0500, Jim O. wrote:

How are you handling php files in your config file? They shouldn’t be served as text. Are you using php-fcgi?

Once you have that sorted out, you can use a rewrite something like:

location /path/to/phymyadmin/ {
    if ( $uri !~ ".*\.php$" ) {
        rewrite ^/(.*)$ /index.php last;
    }
}

There is a much better way to do this:

location /path/to/phymyadmin/ {
rewrite ^/(.*)$ /index.php last;
}

location /path/to/phymyadmin/.+.php$ {

}


#11

TYPO:

I cleared the cache, and now when I open:

http://mydom.myhost.com/myphpadmin/index.php

it rewrites to https:

http://mydom.myhost.com/myphpadmin/index.php

and Firefox renders index.php rather than trying to download it.

SHOULD SAY:

I cleared the cache, and now when I open:

http://mydom.myhost.com/myphpadmin/index.php

it rewrites to https:

httpS://mydom.myhost.com/myphpadmin/index.php

and Firefox renders index.php rather than trying to download it.

(Forgot the “S” in the second URL: httpS).


#12

server {
listen 80;
server_name support.example.com;
access_log /var/log/nginx/support.example.com.access.log;
error_log /var/log/nginx/support.example.com.error.log;

# this root dir below is to the thebuggenie htdocs folder

root /home/user/public_html/support.example.com/thebuggenie;
client_max_body_size 40M;
large_client_header_buffers 4 8k;
index index.php index.html;

location ^~ /files { }

#location ~ …/..php$ { return 403; }

location ~ \.php$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}

location ~ /(?.*){
set $suburi $1;
try_files $uri $uri/ /index.php?url=$suburi&$args;
}


#13

Hello!

On Sat, Feb 14, 2009 at 02:59:24PM +0300, Igor S. wrote:

}

There is a much better way to do this:

location /path/to/phymyadmin/ {
rewrite ^/(.*)$ /index.php last;
}

location /path/to/phymyadmin/.+.php$ {

  • location /path/to/phymyadmin/.+.php$ {
  • location ~ /path/to/phymyadmin/.+.php$ {


}

[…]

Maxim D.
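
The location-selection behaviour behind posts #5, #10 and #13, as an added example that is not part of the thread: a small Python model of how nginx picks one top-level location per request. The function names and handler labels are assumptions made here, the configs are constructed from the snippets above, and nested locations (as in post #14) are not modelled.

```python
import re

# Location tuples are (modifier, pattern, handler). Modifiers: "" plain prefix,
# "^~" prefix that skips the regex pass, "=" exact, "~" / "~*" regex.
# Handler labels ("php", "static", "rewrite") are made up for this example.

def select_location(locations, uri):
    """Model nginx's choice among top-level location blocks for one URI."""
    best = None
    for loc in locations:
        mod, pat, _ = loc
        if mod == "=" and uri == pat:
            return loc                      # exact match ends the search
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = loc                  # remember the longest prefix
    if best is not None and best[0] == "^~":
        return best                         # ^~ suppresses regex locations
    for loc in locations:                   # regexes are tried in file order
        mod, pat, _ = loc
        flags = re.IGNORECASE if mod == "~*" else 0
        if mod in ("~", "~*") and re.search(pat, uri, flags):
            return loc
    return best

def handler_for(locations, uri):
    """Return the handler label of the selected location."""
    loc = select_location(locations, uri)
    return loc[2] if loc else "server-default"

# Constructed configs mirroring the thread.
NO_TILDE = [("", "/path/to/phymyadmin/", "rewrite"),
            ("", "/path/to/phymyadmin/.+.php$", "php")]    # literal prefix
WITH_TILDE = [("", "/path/to/phymyadmin/", "rewrite"),
              ("~", r"/path/to/phymyadmin/.+\.php$", "php")]
PREFIX_ONLY = [("^~", "/phpmyadmin/", "static"),            # no fastcgi here
               ("~", r"\.php$", "php")]

if __name__ == "__main__":
    for name, cfg, uri in [("no ~", NO_TILDE, "/path/to/phymyadmin/sql.php"),
                           ("with ~", WITH_TILDE, "/path/to/phymyadmin/sql.php"),
                           ("^~ prefix", PREFIX_ONLY, "/phpmyadmin/index.php")]:
        print(f"{name:10} {uri:32} -> {handler_for(cfg, uri)}")
```

Without the `~`, the second location is a literal prefix that no real URI starts with, so it is never selected. In the `^~` case a `.php` request stays in a block with no fastcgi directives, which is the situation post #5 warns about.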


#14

Hi,

server {
    listen 80;
    server_name localhost;
    #access_log /var/log/nginx/access.log main;

    location / {
        root  /var/www/nginx;
        index index.php index.html index.htm;
    }

    location /phpmyadmin {
        root /usr/share/;
        index index.php index.html index.htm;

        # PHP scripts under /phpmyadmin/ go to the FastCGI backend
        location ~ ^/phpmyadmin/(.+\.php)$ {
            try_files $uri =404;
            root /usr/share/;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include /etc/nginx/fastcgi_params;
        }

        # Static assets are served directly from disk
        location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
            root /usr/share/;
        }
    }

    location /phpMyAdmin {
        rewrite ^/* /phpmyadmin last;
    }
}

Elton Lima

Linux Support Analyst
E-mail: removed_email_address@domain.invalid // removed_email_address@domain.invalid
Site: http://blog.eltonlima.com.br


From: maria m. removed_email_address@domain.invalid
To: removed_email_address@domain.invalid
Sent: Monday, April 16, 2012 15:27
Subject: Re: File Not Found logging in w/ nginx+phpMyAdmin in URL subdir

server {
listen 80;
server_name support.example.com;
access_log /var/log/nginx/support.example.com.access.log;
error_log /var/log/nginx/support.example.com.error.log;

# this root dir below is to the thebuggenie htdocs folder

root /home/user/public_html/support.example.com/thebuggenie;
client_max_body_size 40M;
large_client_header_buffers 4 8k;
index index.php index.html;

location ^~ /files { }

#location ~ …/..php$ { return 403; }

location ~ \.php$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}

location ~ /(?.*){
set $suburi $1;
try_files $uri $uri/ /index.php?url=$suburi&$args;
}


Posted via http://www.ruby-forum.com/.