Configure to allow an user to conect from a subnet (or portion of it)

How to use phpmyadmin.... phpmyadmin related arguments. Even phpMyAdmin issues

Moderators: egami, macek, gesf

Post Reply
otalado
New php-forum User
New php-forum User
Posts: 3
Joined: Sun Mar 20, 2022 4:33 am

It seems that $cfg['Servers'][$i]['host'] does not allow wilcards like 192.168.1.% or 192.168.1.*

So I tried approach I found in the manual (for user named xxyyzz):

$cfg['Servers'][$i]['AllowDeny']['order'] = 'allow,deny';
$cfg['Servers'][$i]['AllowDeny']['rules'] = array('allow xxyyzz from 192.168.100.[10-50]');


Unfortunatelly this is not working, as I get Access Denied error when I try to log in to phpMyAdmin. I guess that I don't understand the manual correctly.
I have mysql user xxyyzz in the db:

Code: Select all

+-------------+-------------+-------------------------------------------+
| User        | Host        | Password                                  |
+-------------+-------------+-------------------------------------------+
| mariadb.sys | localhost   |                                           |
| lado        | 192.168.1.% | *C979990636F0FD3A713EA90111608F3C9E530C6C |
| root        | .....       |   .....                                   |
+-------------+-------------+-------------------------------------------+
Below is the relevant (I think) portion of config.inc.php:

$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['AllowDeny']['order'] = 'allow,deny';
$cfg['Servers'][$i]['AllowDeny']['rules'] = array('allow xxyyzz from 192.168.100.[10-50]');
//$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['compress'] = false;
$cfg['Servers'][$i]['AllowNoPassword'] = true;

(it does not matter if the statement $cfg['Servers'][$i]['host'] = 'localhost'; is comented out or or noncomented)

So, any help will be appreciated.
tekmunkey
php-forum Active User
php-forum Active User
Posts: 34
Joined: Wed Apr 27, 2022 11:24 am

I have never, ever used or looked at phpMyAdmin but I would be surprised if they did not accept CIDR notation.

So if your goal is 192.168.1.* then your CIDR is 192.168.1.0/24

If it does not accept CIDR then try to see if there is any notation which allows a subnet.

192.168.1.0/24 is identical to an IP/Subnet pair like 192.168.1.<anything> in the 255.255.255.0 subnet
otalado
New php-forum User
New php-forum User
Posts: 3
Joined: Sun Mar 20, 2022 4:33 am

Unfortunately, I have tried CIDR even before I posted the question. It did not work. However, my question turned out to be pointless, because I am hosting the website in a DMZ zone on my LAN, every request (even if it is IP Address) is redirected to an SSL port and it shows in Apache access logs as coming from 192.168.1.1. So what's left to me is to drop using the phpMyAdmin alltogether, or to trust that SSL protection with a robust cypher suite is adequate. I guess I'll do the first and start using one of the managers, perhaps HeidiSql which also supports SQLite which I use for many projects ...
tekmunkey
php-forum Active User
php-forum Active User
Posts: 34
Joined: Wed Apr 27, 2022 11:24 am

otalado wrote: Tue May 17, 2022 12:34 am I am hosting the website in a DMZ zone on my LAN, every request (even if it is IP Address) is redirected to an SSL port and it shows in Apache access logs as coming from 192.168.1.1.
This is just confusing. If you have a DMZ set up in the router, why would you also redirect from HTTP to HTTPS? Also, if you had the server in a DMZ, then the router would treat that server's LAN IP as if that LAN IP was the actual device sitting on whatever WAN IP the router has and everything would be forwarded raw.

It sounds more like you are port-forwarding from 80 to 443 at the router side, instead of using a legitimate redirect directive in your webserver's site configuration file, which is the wrong way to do that job with or without DMZ. It is possible that you have both things set up, but that the router is running the forwarding before checking for DMZ.

In order to achieve what you describe using my Cisco RV325 I have to set up Port Forwarding and disable DMZ altogether. At that point the only requests that Apache sees as coming from the router's LAN IP are the requests which originated inside my own LAN, whether those requests were to the server's LAN IP, the router's WAN IP, or the public domain name. All requests originating from outside the LAN still show the WAN IP from which the request originated. I set this up deliberately so that I could use the router's built-in firewall instead of having to run a separate firewall process in my webserver.
Post Reply