从我的办公室网络访问 phpmyadmin（位于非标准端口上）

Question

不要以为不使用 HTTP 标准端口就会更安全。

您的办公室更有可能为传出连接打开 HTTP 和 HTTPS 的标准端口，因此确保phpmyadmin安装安全的最安全方法是运行安全的 Web 服务器并使用相互 SSL 认证：

Listen                   443 https
<VirtualHost 1.2.3.4:443>
  DocumentRoot           "/srv/www/html"
  ServerAdmin            [email protected]
  SSLCACertificateFile   /etc/pki/CA/cacert.pem
  SSLCertificateFile     /etc/pki/tls/private/phpmyadmin.domain.com/cert.pem
  SSLCertificateKeyFile  /etc/pki/tls/private/phpmyadmin.domain.com/key.pem
  SSLCARevocationCheck   chain
  SSLCARevocationFile    /etc/pki/CA/crl/crl.pem
  SSLEngine              on
  SSLStrictSNIVHostCheck on
  SSLVerifyClient        require
  SSLVerifyDepth         5
  ServerName             phpmyadmin.domain.com
  RewriteEngine          on
  RewriteCond            %{REMOTE_ADDR} !^127\.0\.0\.1$
  RewriteCond            %{HTTPS} !=on
  RewriteRule            . - [F]
  Alias                  /console /usr/share/phpMyAdmin
  ErrorLog               "|/usr/sbin/rotatelogs -L /var/log/httpd/phpmyadmin/error.log -f /var/log/httpd/phpmyadmin/error.log.%Y%m%d 86400"
  CustomLog              "|/usr/sbin/rotatelogs -L /var/log/httpd/phpmyadmin/access.log -f /var/log/httpd/phpmyadmin/access.log.%Y%m%d 86400" combinedio

  <Directory /usr/share/phpMyAdmin/>
    Require              ssl
    Require              ssl-verify-client
    SSLRequireSSL
    SSLOptions           +FakeBasicAuth +StrictRequire
    SSLRequire           %{SSL_CIPHER_USEKEYSIZE} >= 256
    SSLRequire           %{SSL_CLIENT_S_DN_O} eq "Company" \
                     and %{SSL_CLIENT_S_DN_OU} eq "Development" \
                     and %{SSL_CLIENT_S_DN_CN} in {"John Doe", "Jane Doe"}
    SSLRenegBufferSize   131072
  </Directory>

  <Directory /usr/share/phpMyAdmin/setup/>
    Require              ssl
    Require              ssl-verify-client
    SSLRequireSSL
    SSLOptions           +FakeBasicAuth +StrictRequire
    SSLRequire           %{SSL_CIPHER_USEKEYSIZE} >= 128
    SSLRequire           %{SSL_CLIENT_S_DN_O}  eq "Comapny" \
                     and %{SSL_CLIENT_S_DN_OU} eq "Development" \
                     and %{SSL_CLIENT_S_DN_CN} in {"John Doe", "Jane Doe"}
    SSLRenegBufferSize   131072
  </Directory>

  <Directory /usr/share/phpMyAdmin/libraries/>
      Order Deny,Allow
      Deny from All
      Allow from None
  </Directory>

  <Directory /usr/share/phpMyAdmin/setup/lib/>
      Order Deny,Allow
      Deny from All
      Allow from None
  </Directory>

  <Directory /usr/share/phpMyAdmin/setup/frames/>
      Order Deny,Allow
      Deny from All
      Allow from None
  </Directory>

  # This configuration prevents mod_security at phpMyAdmin directories from
  # filtering SQL etc.  This may break your mod_security implementation.
  #
  #<IfModule mod_security.c>
  #    <Directory /usr/share/phpMyAdmin/>
  #        SecRuleInheritance Off
  #    </Directory>
  #</IfModule>

</VirtualHost>

例如，您可以通过使用有限的允许 IP 列表（Deny和Allow指令）以及配置mod_security和mod_evasive来进一步保护此类服务器的安全。fail2ban

Answer 1

不要以为不使用 HTTP 标准端口就会更安全。

您的办公室更有可能为传出连接打开 HTTP 和 HTTPS 的标准端口，因此确保phpmyadmin安装安全的最安全方法是运行安全的 Web 服务器并使用相互 SSL 认证：

Listen                   443 https
<VirtualHost 1.2.3.4:443>
  DocumentRoot           "/srv/www/html"
  ServerAdmin            [email protected]
  SSLCACertificateFile   /etc/pki/CA/cacert.pem
  SSLCertificateFile     /etc/pki/tls/private/phpmyadmin.domain.com/cert.pem
  SSLCertificateKeyFile  /etc/pki/tls/private/phpmyadmin.domain.com/key.pem
  SSLCARevocationCheck   chain
  SSLCARevocationFile    /etc/pki/CA/crl/crl.pem
  SSLEngine              on
  SSLStrictSNIVHostCheck on
  SSLVerifyClient        require
  SSLVerifyDepth         5
  ServerName             phpmyadmin.domain.com
  RewriteEngine          on
  RewriteCond            %{REMOTE_ADDR} !^127\.0\.0\.1$
  RewriteCond            %{HTTPS} !=on
  RewriteRule            . - [F]
  Alias                  /console /usr/share/phpMyAdmin
  ErrorLog               "|/usr/sbin/rotatelogs -L /var/log/httpd/phpmyadmin/error.log -f /var/log/httpd/phpmyadmin/error.log.%Y%m%d 86400"
  CustomLog              "|/usr/sbin/rotatelogs -L /var/log/httpd/phpmyadmin/access.log -f /var/log/httpd/phpmyadmin/access.log.%Y%m%d 86400" combinedio

  <Directory /usr/share/phpMyAdmin/>
    Require              ssl
    Require              ssl-verify-client
    SSLRequireSSL
    SSLOptions           +FakeBasicAuth +StrictRequire
    SSLRequire           %{SSL_CIPHER_USEKEYSIZE} >= 256
    SSLRequire           %{SSL_CLIENT_S_DN_O} eq "Company" \
                     and %{SSL_CLIENT_S_DN_OU} eq "Development" \
                     and %{SSL_CLIENT_S_DN_CN} in {"John Doe", "Jane Doe"}
    SSLRenegBufferSize   131072
  </Directory>

  <Directory /usr/share/phpMyAdmin/setup/>
    Require              ssl
    Require              ssl-verify-client
    SSLRequireSSL
    SSLOptions           +FakeBasicAuth +StrictRequire
    SSLRequire           %{SSL_CIPHER_USEKEYSIZE} >= 128
    SSLRequire           %{SSL_CLIENT_S_DN_O}  eq "Comapny" \
                     and %{SSL_CLIENT_S_DN_OU} eq "Development" \
                     and %{SSL_CLIENT_S_DN_CN} in {"John Doe", "Jane Doe"}
    SSLRenegBufferSize   131072
  </Directory>

  <Directory /usr/share/phpMyAdmin/libraries/>
      Order Deny,Allow
      Deny from All
      Allow from None
  </Directory>

  <Directory /usr/share/phpMyAdmin/setup/lib/>
      Order Deny,Allow
      Deny from All
      Allow from None
  </Directory>

  <Directory /usr/share/phpMyAdmin/setup/frames/>
      Order Deny,Allow
      Deny from All
      Allow from None
  </Directory>

  # This configuration prevents mod_security at phpMyAdmin directories from
  # filtering SQL etc.  This may break your mod_security implementation.
  #
  #<IfModule mod_security.c>
  #    <Directory /usr/share/phpMyAdmin/>
  #        SecRuleInheritance Off
  #    </Directory>
  #</IfModule>

</VirtualHost>

例如，您可以通过使用有限的允许 IP 列表（Deny和Allow指令）以及配置mod_security和mod_evasive来进一步保护此类服务器的安全。fail2ban

从我的办公室网络访问 phpmyadmin（位于非标准端口上）

答案1

相关内容