prevent direct access to PMA and Filemanager

  • For all those who are just as paranoid as I am ;-)


    This modification prevents direct access to PMA and Filemanager; you have to log in to the control panel first.


    IMPORTANT: this works only with versions starting at Latest Stable-Release: 1.1.2,
    because of different V-Host entries in earlier versions


    replace with your details:
    - YourSecret123456
    - YourCookieName
    - https://admin.YourPanelURL.tld



    Code
    a2enmod headers
    service apache2 restart



    Code
    nano /etc/apache2/sites-available/00_master.conf

    below:

    <LocationMatch ^/.*/themes/.*/assets/.*$>
        Allow from all
    </LocationMatch>

    add:

    <LocationMatch /client>
        Header set Set-Cookie: "YourCookieName=YourSecret123456; path=/;"
    </LocationMatch>
    <LocationMatch /admin>
        Header set Set-Cookie: "YourCookieName=YourSecret123456; path=/;"
    </LocationMatch>
    <Location /pma>
        RewriteEngine On
        RewriteCond %{HTTP_COOKIE} !YourCookieName=YourSecret123456 [NC]
        RewriteRule .* https://admin.YourPanelURL.tld [L]
    </Location>
    <Location /filemanager>
        RewriteEngine On
        RewriteCond %{HTTP_COOKIE} !YourCookieName=YourSecret123456 [NC]
        RewriteRule .* https://admin.YourPanelURL.tld [L]
    </Location>
    <Location /tools/pma>
        RewriteEngine On
        RewriteCond %{HTTP_COOKIE} !YourCookieName=YourSecret123456 [NC]
        RewriteRule .* https://admin.YourPanelURL.tld [L]
    </Location>
    <Location /tools/filemanager>
        RewriteEngine On
        RewriteCond %{HTTP_COOKIE} !YourCookieName=YourSecret123456 [NC]
        RewriteRule .* https://admin.YourPanelURL.tld [L]
    </Location>


    Code
    nano /etc/apache2/sites-available/00_master_ssl.conf

    below:

    <LocationMatch ^/.*/themes/.*/assets/.*$>
        Allow from all
    </LocationMatch>

    add:

    <LocationMatch /client>
        Header set Set-Cookie: "YourCookieName=YourSecret123456; path=/;"
    </LocationMatch>
    <LocationMatch /admin>
        Header set Set-Cookie: "YourCookieName=YourSecret123456; path=/;"
    </LocationMatch>
    <Location /pma>
        RewriteEngine On
        RewriteCond %{HTTP_COOKIE} !YourCookieName=YourSecret123456 [NC]
        RewriteRule .* https://admin.YourPanelURL.tld [L]
    </Location>
    <Location /filemanager>
        RewriteEngine On
        RewriteCond %{HTTP_COOKIE} !YourCookieName=YourSecret123456 [NC]
        RewriteRule .* https://admin.YourPanelURL.tld [L]
    </Location>
    <Location /tools/pma>
        RewriteEngine On
        RewriteCond %{HTTP_COOKIE} !YourCookieName=YourSecret123456 [NC]
        RewriteRule .* https://admin.YourPanelURL.tld [L]
    </Location>
    <Location /tools/filemanager>
        RewriteEngine On
        RewriteCond %{HTTP_COOKIE} !YourCookieName=YourSecret123456 [NC]
        RewriteRule .* https://admin.YourPanelURL.tld [L]
    </Location>


    service apache2 restart


    Code
    nano /var/www/imscp/gui/themes/default/client/sql_manage.tpl

    change:
    pma_auth.php?id={USER_ID}

    to:
    {PMA_PATH}


    also as administrator you have to log into the panel before you can use PMA, therefore we will create a custom menu entry in the Admin Panel:

    Code
    1. Login your ControlPanel as Administrator
    2. create a custom menu for PMA
    3. https://admin.YourPanelURL.tld/pma
  • Hu ?


    Please, further explanation about what is achieved here and how. Thanks.


    Also, you mention the template editor plugin which is not yet released and which is not usable at this moment...


    Anyway, thanks for your contribution. Maybe we can include these changes in the next release, but I'm waiting for more explanations. As I understand at first reading, you are using i-MSCP cookie data as an authentication layer for tools such as filemanager and PMA, isn't it? This means that the customers have to authenticate in the i-MSCP panel to access those tools, isn't it?


    To resume, more explanation please.


    BTW: You can normally create a custom menu through the panel interface without having to edit the navigation.xml file


  • Hello Nuxwin,
    the modification will generate a new (personal) cookie if the location is /admin or /client:

    Code
    Header set Set-Cookie: "YourCookieName=YourSecret123456; path=/;"


    if you try to call /pma or /tools/pma you will be redirected to the ControlPanel

    Code
    <Location /tools/pma>
        RewriteEngine On
        RewriteCond %{HTTP_COOKIE} !YourCookieName=YourSecret123456 [NC]
        RewriteRule .* https://admin.YourPanelURL.tld [L]
    </Location>


    I know this is only a simple cookie protection, but it will be more comfortable for the user than htaccess password protection ... and if a user gives a htaccess password to others, everyone can access htaccess-protected areas ...


    It would be better to use a random value for the cookie, but this can be done only in the PHP sources (I don't want to touch or change them) ...


    the auto PMA login from sql_manage.tpl will not work because of the header location from pma_auth.php ... and so I changed the PMA URLs to:

    Code
    nano /var/www/imscp/gui/themes/default/client/sql_manage.tpl

    change:
    pma_auth.php?id={USER_ID}

    to:
    {PMA_PATH}
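
The cookie gate described in this thread, modelled as an added example (not part of the original posts and not i-MSCP code): it evaluates the posted `RewriteCond %{HTTP_COOKIE} !... [NC]` test against constructed Cookie headers and compares it with a stricter pattern. `STRICT`, `gate_allows` and `compare` are hypothetical names, and the stricter pattern is an assumption of this example.

```python
import re

# Placeholders exactly as used in the thread.
COOKIE_NAME = "YourCookieName"
SECRET = "YourSecret123456"

# CondPattern as posted: an unanchored regex, matched case-insensitively ([NC]).
POSTED = re.compile(re.escape(COOKIE_NAME) + "=" + re.escape(SECRET), re.IGNORECASE)

# Assumed stricter variant (not from the thread): the whole name=value pair
# must match, case-sensitively, delimited by ';' or the ends of the header.
STRICT = re.compile(
    r"(?:^|;\s*)" + re.escape(COOKIE_NAME) + "=" + re.escape(SECRET) + r"(?:;|$)"
)


def gate_allows(cookie_header, pattern):
    """Model `RewriteCond %{HTTP_COOKIE} !pattern` followed by the redirect rule.

    The redirect fires when the pattern is NOT found in the Cookie request
    header, so the request reaches /pma only when the pattern matches.
    """
    return pattern.search(cookie_header or "") is not None


# Constructed Cookie request headers (sample data, not captured traffic).
SAMPLES = [
    "",                                                # no cookie at all
    "YourCookieName=YourSecret123456",                 # set by /admin or /client
    "PHPSESSID=abc; YourCookieName=YourSecret123456",  # alongside a session cookie
    "YourCookieName=wrong",                            # wrong value
    "yourcookiename=yoursecret123456",                 # differs only in case
    "YourCookieName=YourSecret123456789",              # longer value, same prefix
    "other=xYourCookieName=YourSecret123456",          # embedded in another cookie
]


def compare(samples=SAMPLES):
    """Return (header, passes_posted_rule, passes_strict_rule) per sample."""
    return [(h, gate_allows(h, POSTED), gate_allows(h, STRICT)) for h in samples]


if __name__ == "__main__":
    for header, posted, strict in compare():
        verdict = lambda ok: "pass" if ok else "redirect"
        print(f"{header!r:52} posted={verdict(posted):8} strict={verdict(strict)}")
```

In Apache syntax the stricter condition would read `RewriteCond %{HTTP_COOKIE} !(^|;\s*)YourCookieName=YourSecret123456(;|$)` with the `[NC]` flag removed.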