tony
/
mb-admin
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix SSL cert on phpMyadmin

main
Anthony 2025-10-21 02:03:05 +08:00
parent 8b26f32418
commit 7608e38ba3
1 changed files with 142 additions and 58 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

186
scripts/pma-gateway/create_pma_gateway.sh
View File

@ -187,64 +187,155 @@ fi
token="$base.$mac" token="$base.$mac"
# Create symlinks for phpMyAdmin and gateway in main document root # phpMyAdmin vhost configuration will be handled below
# This serves both through the main domain (port 443) with valid SSL certificate
sudo mkdir -p "$MAIN_DOCROOT"
# Symlink entire phpMyAdmin directory for full access # ==============================================================================
sudo ln -sf "/usr/share/phpMyAdmin" "$MAIN_DOCROOT/phpmyadmin" # Step 4: Configure phpMyAdmin vhost with SSL certificate detection
# ==============================================================================
# Symlink the gateway script for public access
sudo ln -sf "$GATEWAY_FILE" "$PUBLIC_GATEWAY_FILE"
# Remove the phpMyAdmin vhost to avoid exposing port 8443 publicly
VHOST_CONFIG="/usr/share/phpMyAdmin/vhost.conf" VHOST_CONFIG="/usr/share/phpMyAdmin/vhost.conf"
if [[ -f "$VHOST_CONFIG" ]]; then NEEDS_RESTART=0
echo "Removing phpMyAdmin vhost configuration to prevent public exposure on port 8443..." >&2
sudo rm -f "$VHOST_CONFIG" # If vhost config is missing or empty, recreate it from a known-good default.
if [ ! -s "$VHOST_CONFIG" ]; then
echo "Warning: $VHOST_CONFIG is empty or missing. Recreating from default." >&2
sudo tee "$VHOST_CONFIG" > /dev/null <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<virtualHostConfig>
<docRoot>/usr/share/phpMyAdmin/</docRoot>
<enableGzip>1</enableGzip>
<logging>
<log>
<useServer>0</useServer>
<fileName>$SERVER_ROOT/logs/error.log</fileName>
<logLevel>DEBUG</logLevel>
<rollingSize>10M</rollingSize>
</log>
<accessLog>
<useServer>0</useServer>
<fileName>$SERVER_ROOT/logs/access.log</fileName>
<rollingSize>10M</rollingSize>
<keepDays>30</keepDays>
<compressArchive>0</compressArchive>
</accessLog>
</logging>
<index>
<useServer>0</useServer>
<indexFiles>index.php, index.html</indexFiles>
<autoIndex>0</autoIndex>
<autoIndexURI>/_autoindex/default.php</autoIndexURI>
</index>
<customErrorPages>
<errorPage>
<errCode>404</errCode>
<url>/error404.html</url>
</errorPage>
</customErrorPages>
<htAccess>
<allowOverride>31</allowOverride>
<accessFileName>.htaccess</accessFileName>
</htAccess>
<expires>
<enableExpires>1</enableExpires>
</expires>
<security>
<wpProtectAction>0</wpProtectAction>
<hotlinkCtrl>
<enableHotlinkCtrl>0</enableHotlinkCtrl>
<suffixes>gif, jpeg, jpg</suffixes>
<allowDirectAccess>1</allowDirectAccess>
<onlySelf>1</onlySelf>
</hotlinkCtrl>
<accessControl>
<allow>*</allow>
</accessControl>
<wpProtectLimit>10</wpProtectLimit></security>
<cache>
<storage>
<cacheStorePath>/tmp/lscache/vhosts/$VH_NAME</cacheStorePath>
</storage>
</cache>
<rewrite>
<enable>0</enable>
<logLevel>0</logLevel>
<rules>RewriteCond %{HTTP_USER_AGENT} ^NameOfBadRobot
RewriteRule ^/nospider/ - [F]</rules>
</rewrite>
<vhssl>
<keyFile>__KEY_FILE_PLACEHOLDER__</keyFile>
<certFile>__CERT_FILE_PLACEHOLDER__</certFile>
<certChain>1</certChain>
</vhssl>
<frontPage>
<enable>0</enable>
<disableAdmin>0</disableAdmin>
</frontPage>
<awstats>
<updateMode>0</updateMode>
<workingDir>$VH_ROOT/awstats</workingDir>
<awstatsURI>/awstats/</awstatsURI>
<siteDomain>localhost</siteDomain>
<siteAliases>127.0.0.1 localhost</siteAliases>
<updateInterval>86400</updateInterval>
<updateOffset>0</updateOffset>
</awstats>
</virtualHostConfig>
EOF
# Inject the discovered certificate paths using sed
# Escape special characters (/, $, &, \, ') in paths for use with sed
ESCAPED_KEY_PATH=$(printf '%s\n' "$KEY_FILE_PATH" | sed 's/[\/&$\\'"'"']/\\&/g')
ESCAPED_CERT_PATH=$(printf '%s\n' "$CERT_FILE_PATH" | sed 's/[\/&$\\'"'"']/\\&/g')
# Replace placeholders with actual certificate paths
sudo sed -i "s|__KEY_FILE_PLACEHOLDER__|$ESCAPED_KEY_PATH|g" "$VHOST_CONFIG"
sudo sed -i "s|__CERT_FILE_PLACEHOLDER__|$ESCAPED_CERT_PATH|g" "$VHOST_CONFIG"
echo "SSL certificate paths injected into vhost configuration." >&2
NEEDS_RESTART=1 NEEDS_RESTART=1
fi fi
# ============================================================================== if [ -f "$VHOST_CONFIG" ]; then
# Step 4: Automatically inject security rules into main vhost configuration MARKER="# PMA Gateway Security Rules"
# ==============================================================================
MAIN_VHOST_CONFIG="/var/www/conf/vhosts/$PUBLIC_HOST/vhconf.xml"
# Ensure main vhost config exists (critical for automation) # If rules are not already in place, add them.
if [[ ! -f "$MAIN_VHOST_CONFIG" ]]; then if ! sudo grep -qF "$MARKER" "$VHOST_CONFIG"; then
echo "FATAL: Main vhost config not found at $MAIN_VHOST_CONFIG" >&2
echo "Expected location: /var/www/conf/vhosts/$PUBLIC_HOST/vhconf.xml" >&2 # Ensure xmlstarlet is installed, as it's the safest way to edit XML.
if ! command -v xmlstarlet &> /dev/null; then
echo "xmlstarlet not found. Installing for safe XML editing..." >&2
if ! sudo dnf install -y xmlstarlet; then
echo "FATAL: Failed to install xmlstarlet. Cannot safely modify vhost." >&2
exit 1 exit 1
fi fi
fi
MARKER="# PMA Gateway Security Rules" # Define the new rules content. Note the lack of indentation.
if ! sudo grep -qF "$MARKER" "$MAIN_VHOST_CONFIG"; then # xmlstarlet will handle the formatting.
echo "Injecting PMA gateway security rules into main vhost..." >&2 NEW_RULES_CONTENT=$(cat <<'EOF'
# Define comprehensive security rules for phpMyAdmin protection
NEW_RULES=$(cat <<'EOF'
# PMA Gateway Security Rules # PMA Gateway Security Rules
# Allow access to the gateway scripts themselves # Allow access to the gateway scripts themselves
RewriteCond %{REQUEST_URI} ^/access-db-.*\.php$ RewriteCond %{REQUEST_URI} ^/access-db-.*\.php$
RewriteRule .* - [L] RewriteRule .* - [L]
# Block all phpMyAdmin paths unless security cookie is present # For all other requests, block if the security cookie is not present
RewriteCond %{HTTP_COOKIE} !pma_access_granted RewriteCond %{HTTP_COOKIE} !pma_access_granted
RewriteCond %{REQUEST_URI} ^/(phpmyadmin/|index\.php|url\.php|js/|css/|libraries/|themes/|favicon\.ico)
RewriteRule .* - [F,L] RewriteRule .* - [F,L]
EOF EOF
) )
# Enable rewrite and inject comprehensive rules # Use xmlstarlet to atomically update the rewrite block in-place.
# This is far safer than sed/awk for structured XML.
if ! sudo xmlstarlet ed -L \ if ! sudo xmlstarlet ed -L \
-u "//virtualHostConfig/rewrite/enable" -v "1" \ -u "//virtualHostConfig/rewrite/enable" -v "1" \
-u "//virtualHostConfig/rewrite/rules" -v "$(sudo xmlstarlet sel -t -v "//virtualHostConfig/rewrite/rules" "$MAIN_VHOST_CONFIG" 2>/dev/null)$NEW_RULES" \ -u "//virtualHostConfig/rewrite/rules" -v "$NEW_RULES_CONTENT" \
"$MAIN_VHOST_CONFIG"; then "$VHOST_CONFIG"; then
echo "FATAL: Failed to update main vhost rewrite rules." >&2 echo "FATAL: xmlstarlet failed to update $VHOST_CONFIG." >&2
exit 1 exit 1
fi fi
echo "✅ PMA security rules injected into main vhost configuration" >&2
NEEDS_RESTART=1 NEEDS_RESTART=1
fi
else
echo "Warning: phpMyAdmin vhost config not found at $VHOST_CONFIG. Cannot apply security rules." >&2
fi fi
sudo tee "$GATEWAY_FILE" >/dev/null <<'PHP' sudo tee "$GATEWAY_FILE" >/dev/null <<'PHP'
@ -302,13 +393,7 @@ PHP
sudo chown litespeed:litespeed "$GATEWAY_FILE" sudo chown litespeed:litespeed "$GATEWAY_FILE"
sudo chmod 644 "$GATEWAY_FILE" sudo chmod 644 "$GATEWAY_FILE"
# Set proper permissions on the public symlink as well # Gateway file permissions are already set above
if [[ -L "$PUBLIC_GATEWAY_FILE" ]]; then
sudo chown --no-dereference litespeed:litespeed "$PUBLIC_GATEWAY_FILE"
sudo chmod 644 "$PUBLIC_GATEWAY_FILE"
else
echo "WARNING: Public symlink $PUBLIC_GATEWAY_FILE does not exist. Skipping chown/chmod." >&2
fi
# Restart LiteSpeed if we modified the config # Restart LiteSpeed if we modified the config
if [[ "${NEEDS_RESTART:-0}" -eq 1 ]]; then if [[ "${NEEDS_RESTART:-0}" -eq 1 ]]; then
@ -318,9 +403,8 @@ if [[ "${NEEDS_RESTART:-0}" -eq 1 ]]; then
fi fi
fi fi
# Generate URL using public hostname (port 443) with valid SSL certificate # Generate URL using phpMyAdmin vhost (port 8443) with detected SSL certificate
# This bypasses CDN protections and uses the trusted certificate URL="https://$PUBLIC_HOST:8443/access-db-$SLUG.php?token=$token"
URL="https://$PUBLIC_HOST/access-db-$SLUG.php?token=$token"
# Output JSON response for Cloud Scripting compatibility # Output JSON response for Cloud Scripting compatibility
# Cloud Scripting expects structured JSON output from custom actions # Cloud Scripting expects structured JSON output from custom actions
@ -344,9 +428,9 @@ EOF
# Display security information to stderr (not part of JSON response) # Display security information to stderr (not part of JSON response)
echo "🔐 SECURITY NOTICE:" >&2 echo "🔐 SECURITY NOTICE:" >&2
echo " • Gateway URL uses valid Let's Encrypt certificate" >&2 echo " • Gateway URL uses detected SSL certificate: $CERT_FILE_PATH" >&2
echo " • Served through main domain (port 443) with CDN protection" >&2 echo " • Served through phpMyAdmin vhost (port 8443)" >&2
echo " • Port 8443 exposure has been removed for security" >&2 echo " • SSL certificate automatically detected and configured" >&2
echo " • phpMyAdmin symlinked to /phpmyadmin/ with full protection" >&2 echo " • Security rules automatically injected into vhost" >&2
echo " • Security rules automatically injected into main vhost" >&2 echo " • Time-limited access with HMAC-signed tokens" >&2
echo "" >&2 echo "" >&2