Today I was playing with my database in PHPMyAdmin, when I suddenly realized that it’s up there open to anyone who can guess the path (which isn’t a very hard task). I decided to only allow connections to it from my home IP, which shouldn’t be such a difficult thing to do. Except Apache is behind an nginx reverse proxy, so it kinda is.
I’ve noticed before that all Apache access logs show the remote IP as 127.0.0.1, the localhost address where nginx is running (and proxying requests). I didn’t really care about it, since it’s just a personal site, but now that I wanted to use the actual visitor’s IP address to limit access, it was a whole different story.
The solution isn’t very complicated, but finding it was. Most of what I could find online referred to a now-deprecated Apache module called RPAF (short for reverse proxy add forward). Then, scrolling down on Stack Overflow, I found out that it’s been deprecated and mod_remoteip should be used instead. It then wasn’t that hard to find out how to use it.
- add the following to apache2.conf
- change the `LogFormat` lines in apache2.conf
- add `proxy_set_header X-Real-IP $remote_addr;` to the nginx site’s conf under `location`, where the other proxy settings are (you can use X-Forwarded-For too if that’s what you prefer)
Boom, now all the Apache logs have the correct remote IPs. Restricting access to PHPMyAdmin then only took editing /etc/apache2/conf-enabled/phpmyadmin.conf and adding the restricting directives to the first `Directory`. (Of course, an Apache reload is required.)
Allow from my home IP
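The steps above put together, as an added example rather than the author's own configuration. It assumes Apache 2.4 with mod_remoteip enabled and nginx proxying from 127.0.0.1 on the same host; the `%a` log change, the `Require ip` form, the Directory path and the address 203.0.113.10 are assumptions or placeholders.

```apache
# Added example; assumes Apache 2.4 with mod_remoteip enabled
# (Debian/Ubuntu: a2enmod remoteip) and nginx proxying from 127.0.0.1.

# --- nginx site conf, inside the proxying location block (for reference) ---
#   proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header replaces any X-Real-IP the client sent with the address
# nginx saw on the socket, so the value Apache receives is set by the proxy.

# --- apache2.conf ---
# Use the header as the client address...
RemoteIPHeader X-Real-IP
# ...but only on connections coming from the local proxy. A request that
# reaches Apache by any other route cannot supply its own client address.
RemoteIPInternalProxy 127.0.0.1

# %a logs the client address as resolved by mod_remoteip (assumed here to be
# the LogFormat change: %h replaced by %a).
LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined

# --- /etc/apache2/conf-enabled/phpmyadmin.conf, first Directory block ---
# Path is the Debian package default (assumption); 203.0.113.10 is a
# documentation-range placeholder for the home IP.
<Directory /usr/share/phpmyadmin>
    # 2.4-style equivalent of "Allow from"; evaluated against the address
    # mod_remoteip resolved, not 127.0.0.1.
    Require ip 203.0.113.10
</Directory>
```

After reloading both servers, a request made through nginx should appear in the Apache access log with the visitor's address, and a request from any other address should get a 403 on the PHPMyAdmin path.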
Two birds with one stone. Better logs and secured PHPMyAdmin!