Today I was playing with my database in phpMyAdmin, when I suddenly realized that it’s up there open to anyone who can guess the path (which isn’t a very hard task). I decided to only allow connections to it from my home IP, which shouldn’t be such a difficult thing to do. Except Apache is behind an nginx reverse proxy, so it kinda is.

I’ve noticed before that all Apache access logs show the remote IP as 127.0.0.1, localhost where nginx is running (and proxying requests). I didn’t really care about it, since it’s just a personal site, but now that I wanted to use the actual visitor’s IP address to limit access, it was a whole different story.

The solution isn’t very complicated, but finding it was. Most of what I could find online referred to a now-deprecated Apache module called RPAF (short for reverse proxy add forward). Then, scrolling down on Stack Overflow, I found out that it’s been deprecated and mod_remoteip should be used instead. It then wasn’t that hard to find out how to use it.

  1. a2enmod remoteip
  2. add the following to apache2.conf:
    RemoteIPHeader X-Real-IP
    RemoteIPInternalProxy 127.0.0.1/8
  3. change each %h to %a in the LogFormat lines in apache2.conf
  4. add proxy_set_header X-Real-IP $remote_addr; to the nginx site’s conf under location, where the other proxy settings are (you can use X-Forwarded-For too if that’s what you prefer, as long as RemoteIPHeader names the same header)
  5. /etc/init.d/nginx restart and /etc/init.d/apache2 restart

Boom, now all the Apache logs have the correct remote IPs. Restricting access to phpMyAdmin then only took editing /etc/apache2/conf-enabled/phpmyadmin.conf and adding the restricting directives to the first Directory block. (Of course, an Apache reload is required.)

    Order Allow,Deny
    Allow from my home IP
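
A simplified model of how mod_remoteip arrives at the client address with the settings from the steps above, and of the allow check that then runs on it. This is an added example, not code from the original post or from Apache: the function names and the 203.0.113.7 / 198.51.100.9 addresses are constructed, and only the RemoteIPInternalProxy case is modelled.

```python
import ipaddress

# Mirrors "RemoteIPInternalProxy 127.0.0.1/8" from step 2.
INTERNAL_PROXIES = [ipaddress.ip_network("127.0.0.0/8")]
HOME_IP = "203.0.113.7"  # constructed stand-in for "my home IP"


def is_trusted(addr, proxies=INTERNAL_PROXIES):
    """True if addr belongs to one of the trusted proxy networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in proxies)


def effective_client_ip(peer, header_value, proxies=INTERNAL_PROXIES):
    """Simplified model (an assumption, not Apache's code) of mod_remoteip.

    The header is honoured only while the current address is a trusted
    proxy, and its entries are consumed right to left, so entries to the
    left of the first untrusted address are never used.
    """
    client = peer
    hops = [h.strip() for h in (header_value or "").split(",") if h.strip()]
    while hops and is_trusted(client, proxies):
        candidate = hops.pop()
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break  # malformed entry: keep the last address we could verify
        client = candidate
    return client


def is_allowed(peer, header_value, home=HOME_IP):
    """Equivalent of the 'Allow from <home IP>' check on the resolved IP."""
    return effective_client_ip(peer, header_value) == home


if __name__ == "__main__":
    # Constructed requests: (TCP peer seen by Apache, header value, note)
    samples = [
        ("127.0.0.1", "203.0.113.7", "via nginx, X-Real-IP from home"),
        ("127.0.0.1", "198.51.100.9", "via nginx, some other visitor"),
        ("198.51.100.9", "203.0.113.7", "direct to Apache, header ignored"),
        ("127.0.0.1", "203.0.113.7, 198.51.100.9", "X-Forwarded-For chain"),
    ]
    for peer, header, note in samples:
        ip = effective_client_ip(peer, header)
        print(f"{note:35} -> {ip:15} allowed={is_allowed(peer, header)}")
```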

Two birds with one stone. Better logs and a secured phpMyAdmin!