Today I was playing with my database in phpMyAdmin, when I suddenly realized that it’s up there open to anyone who can guess the path (which isn’t a very hard task). I decided to only allow connections to it from my home IP, which shouldn’t be such a difficult thing to do. Except Apache is behind an nginx reverse proxy, so it kinda is.

I’ve noticed before that all Apache access logs show the remote IP as 127.0.0.1, the localhost address where nginx is running (and proxying requests). I didn’t really care about it, since it’s just a personal site, but now that I wanted to use the actual visitor’s IP address to limit access, it was a whole different story.