Secure phpMyAdmin and restrict to local access only?

Discussion in 'Tomato Firmware' started by ulyan, Jun 25, 2012.

  1. ulyan

    ulyan Networkin' Nut Member

    Hi again. I don't know if it is appropriate to ask here ...

    In the past 4 days I struggled to configure lighttpd+php+mysql+phpmyadmin. After a lot of effort I can finally say that it seems I have everything up and running. The only thing is that I supposed the phpmyadmin interface should not be accessible from the WAN.

    What I've done so far was to enable the blowfish secret $cfg['blowfish_secret'], set $cfg['Servers'][$i]['auth_type'] = 'cookie';, and remove the default assigned user and password and leave them blank:
    $cfg['Servers'][$i]['user'] = ' '; $cfg['Servers'][$i]['password'] = ' ';

    I also modified the lighttpd configuration and added an alias URL different from http://address/phpmyadmin/

    But I don't think this is enough. Is there a way I can restrict access from the WAN and allow only local users? I've seen a lot of posts recommending creating a .htaccess or adding rules here:

    $cfg['Servers'][$i]['AllowDeny']['order'] // Host authentication order, leave blank to not use
    = '';
    $cfg['Servers'][$i]['AllowDeny']['rules'] // Host authentication rules, leave blank for defaults
    = array();

    Is there anyone who can give me a hand? Thanks. :oops:
  2. rs232

    rs232 Network Guru Member

  3. koitsu

    koitsu Network Guru Member

    Since I'm a UNIX SA I'll chime in here:

    Yes, this is easily doable, assuming lighttpd has the ability to bind to a specific IP address (likely) or interface (less likely). This would keep, say, TCP port 8080 from even listening on the WAN IP, and instead only listen on the LAN IP. I don't know the specifics of your setup, so I'm going to assume that TomatoUSB's default webserver is already listening/running on port 80, thus lighttpd would have to be bound to a different IP or a different port (either/or). So, let's see what the manual says...

    Ah, here we go: -- thus you want to use:

    server.port = 8080
    server.bind = ""
    ...assuming that's the LAN IP address of your TomatoUSB router. At that point, only machines on your LAN will be able to access, since lighttpd won't be listening on any other interface for traffic -- only

    If you want lighttpd to actually answer on the WAN and LAN, but you want to restrict only phpmyadmin to the LAN, then that's a little trickier. You'd want to do something similar to what's shown at the bottom of the "Conditional Configuration" example here:

    So you'd want something like this:

    $HTTP["remoteip"] !~ "^(192\.168\.1\.)" {
      $HTTP["url"] =~ "^/phpmyadmin/" {
        url.access-deny = ( "" )
      }
    }
    This would only allow requests from IP addresses to access the /phpmyadmin/ URL; e.g. if the URL is and the client connecting is, then it would work. But if the client connecting was, it would fail (HTTP 403 Forbidden I imagine).

    I'm amazed that lighttpd doesn't have CIDR support. Apache does ("allow from", for example), and many other webservers do too. They should really implement CIDR support. Silly to use regex matching like that; makes matching, say, a /20 a real pain in the ass. Silly silly silly.

    Hope this makes sense.

    P.S. -- Do not expect even remotely good performance running PHP on any router TomatoUSB runs on. PHP is an absolute CPU hog and has massive amounts of overhead (specifically RAM; its memory footprint is humongous given all its built-in functions, and phpmyadmin requires many PHP extensions to work), so expect performance to be abysmal compared to an actual dedicated server-class piece of hardware.
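Added example (not from the thread, and not lighttpd or phpMyAdmin project code): koitsu's complaint above is that lighttpd's remoteip conditional wants a regex rather than a CIDR block, so a /20 needs a hand-written octet range. The script below generates that anchored regex from a CIDR string, renders the deny block in the same shape koitsu posted (with the protected URL prefix as a parameter), emulates lighttpd's allow/deny decision so it can be checked against Python's ipaddress module before the config is deployed, and shows why the trailing "\." in koitsu's "^(192\.168\.1\.)" matters (without it, 192.168.10.x would also match). Assumptions: IPv4 only; lighttpd's "=~"/"!~" is unanchored, so the generated pattern carries explicit "^...$"; an IPv6 client address would not match the LAN pattern and would therefore be denied, which is the safe failure for an allow-list. The function names and the 192.168.16.0/20 LAN are my own choices for illustration.

```python
"""Generate the regex lighttpd's $HTTP["remoteip"] conditional needs for a CIDR
block and verify it against Python's ipaddress module (added example, not
lighttpd's own code). Assumption: IPv4 only, ^...$ anchoring added by us."""
import ipaddress
import re


def num_range_re(lo: int, hi: int) -> str:
    """Alternation (no anchors) matching every decimal integer lo..hi, without
    leading zeros, e.g. 16..31 -> '1[6-9]|2[0-9]|3[0-1]'."""
    if lo == hi:
        return str(lo)
    if hi <= 9:
        return f"[{lo}-{hi}]"
    parts = []
    if lo <= 9:                      # single-digit values first
        parts.append("9" if lo == 9 else f"[{lo}-9]")
        lo = 10
    if lo % 10 != 0:                 # partial decade at the low end
        top = min(hi, lo - lo % 10 + 9)
        parts.append(str(lo) if top == lo else f"{lo // 10}[{lo % 10}-{top % 10}]")
        lo = top + 1
    tail = None
    if lo <= hi and hi % 10 != 9:    # partial decade at the high end
        bottom = max(lo, hi - hi % 10)
        tail = str(hi) if bottom == hi else f"{hi // 10}[{bottom % 10}-{hi % 10}]"
        hi = bottom - 1
    if lo <= hi:                     # whole decades: recurse on the tens
        inner = num_range_re(lo // 10, hi // 10)
        parts.append(f"(?:{inner})[0-9]" if "|" in inner else f"{inner}[0-9]")
    if tail:
        parts.append(tail)
    return "|".join(parts)


def cidr_to_regex(cidr: str) -> str:
    """Anchored regex matching exactly the IPv4 addresses inside `cidr`.
    A CIDR block is the product of per-octet ranges, so one range per octet
    joined by a literal dot is exact."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("IPv4 only in this example")
    octets = []
    for lo, hi in zip(net.network_address.packed, net.broadcast_address.packed):
        part = num_range_re(lo, hi)
        octets.append(f"(?:{part})" if "|" in part else part)
    return "^" + r"\.".join(octets) + "$"


def lighttpd_deny_block(lan_cidr: str, url_prefix: str = "/phpmyadmin/") -> str:
    """Render the conditional in the shape koitsu posted, LAN regex generated."""
    return (
        f'$HTTP["remoteip"] !~ "{cidr_to_regex(lan_cidr)}" {{\n'
        f'  $HTTP["url"] =~ "^{re.escape(url_prefix)}" {{\n'
        f'    url.access-deny = ( "" )\n'
        f'  }}\n'
        f'}}\n'
    )


def request_denied(client_ip: str, url: str, lan_cidr: str,
                   url_prefix: str = "/phpmyadmin/") -> bool:
    """Emulate lighttpd: deny iff the client is NOT in the LAN block AND the
    URL starts with the protected prefix (everything else is untouched)."""
    outside_lan = re.search(cidr_to_regex(lan_cidr), client_ip) is None
    protected = re.search("^" + re.escape(url_prefix), url) is not None
    return outside_lan and protected


def regex_agrees_with_ipaddress(cidr: str, samples) -> bool:
    """Cross-check: the regex accepts exactly the addresses ipaddress puts in
    the block, for every sample address given."""
    net = ipaddress.ip_network(cidr, strict=False)
    rx = re.compile(cidr_to_regex(cidr))
    return all(bool(rx.search(ip)) == (ipaddress.ip_address(ip) in net)
               for ip in samples)


if __name__ == "__main__":
    lan = "192.168.16.0/20"                      # constructed LAN for the demo
    print(cidr_to_regex(lan))
    print(lighttpd_deny_block(lan))
    net = ipaddress.ip_network(lan)
    # every address in the /20 plus neighbours just outside it
    samples = [str(ip) for ip in net] + ["192.168.15.255", "192.168.32.0", "10.0.0.1"]
    print("regex agrees with ipaddress:", regex_agrees_with_ipaddress(lan, samples))
```

Paste the printed block into lighttpd.conf in place of a hand-written regex. Newer lighttpd releases document CIDR matching on remoteip with "==" and "!=" (e.g. $HTTP["remoteip"] != "192.168.16.0/20"); check the version shipped in your TomatoUSB build before relying on that, since the regex form above works on either.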
  4. ulyan

    ulyan Networkin' Nut Member

    I apologize, rs232. Thanks koitsu, it works. It throws the 404 error page.

    This might also work: $cfg['PmaAbsoluteUri'] = 'localhost'; from the config file found in the root folder of phpmyadmin.
  5. koitsu

    koitsu Network Guru Member

    No, using PmaAbsoluteUri will not solve the issue you're trying to address. In that situation the phpmyadmin code itself is still actually run, which you do not want. Please do security properly -- ensure the inbound requests from non-LAN devices can't run ANY of the phpmyadmin code! Don't take any chances.
  6. ulyan

    ulyan Networkin' Nut Member

    Oh, good to know. Thank you very much.