PHPmyadmin security issue using CloudFlare/ 403 forbidden


#1

Hi there,

I’m hosting a website through CloudFlare, everything is working fine but I have some issues with the security settings for phpmyadmin. The best and recommended setting for phpmyadmin is to only allow the IP address of the client you’re working from. For example:

<IfModule mod_authz_core.c>
         # Apache 2.4
         <RequireAny>
           Require ip 127.0.0.1
           Require ip ::1
           Require ip [my public ip]
         </RequireAny>
</IfModule>

With these settings, only the listed IPs have access to /phpmyadmin/. Everyone else will get a 403 forbidden error.

But when using CloudFlare, this does not work. Traffic between CloudFlare and the webserver uses a source IP from CloudFlare, meaning that I can’t access /phpmyadmin/ from my client with the above settings. It will give me a 403 forbidden error.

Now I could solve this in two ways:

  • Adding “Require all granted” to the phpmyadmin config
  • Adding CloudFlare ip ranges to the phpmyadmin config

But both are very bad security settings because it basically means that everybody can access /phpmyadmin/.

How can I configure CloudFlare (or phpmyadmin) to only allow access from my client ip and still using CloudFlare for security?

To clarify, /phpmyadmin/ works fine when I disable CloudFlare. But when I enable CloudFlare, the source IP of the traffic changes and thus the client IP settings in phpmyadmin do not work and give me a 403 forbidden response.

I could not find any topic related to this on the internet. But I assume there are more users having this problem, although many users use “Require all granted” in their phpmyadmin config. But this is very bad practice.

Thank you!
Johan


#2

Wouldn’t mod_cloudflare stop this from happening?

A possible alternate solution is to look for one of the headers that show the visitor IP address:
“CF-Connecting-IP: A.B.C.D”
“X-Forwarded-For: A.B.C.D”

If I were to attempt the above header check, I’d start with something like:
RewriteEngine On
# Forbid the request unless CF-Connecting-IP is exactly 1.2.3.4 (dots escaped, so they are literal)
RewriteCond %{HTTP:CF-Connecting-IP} !^1\.2\.3\.4$
RewriteRule ^ - [F,L]

I don’t even know if the syntax is correct, but I did something similar for a more basic header check.


#3

I found a better way. There is already an existing Apache module that can do the same thing as mod_cloudflare.

Add the following to the apache config file:

<IfModule !mod_remoteip.c>
	LoadModule remoteip_module modules/mod_remoteip.so
</IfModule>

<IfModule mod_remoteip.c>
	# CloudFlare Header
	RemoteIPHeader CF-Connecting-IP
	
	# Trusted Proxy List
	# note - using RemoteIPTrustedProxy instead of RemoteIPInternalProxy
	# note - RemoteIPTrustedProxy does NOT trust Header provided private intranet addresses (local and LAN addresses)
	# note - RemoteIPInternalProxy is a security risk when using an external Proxy
	
	# CloudFlare IPv4 Address Ranges
	RemoteIPTrustedProxy 103.21.244.0/22
	RemoteIPTrustedProxy 103.22.200.0/22
	RemoteIPTrustedProxy 103.31.4.0/22
	RemoteIPTrustedProxy 104.16.0.0/12
	RemoteIPTrustedProxy 108.162.192.0/18
	RemoteIPTrustedProxy 141.101.64.0/18
	RemoteIPTrustedProxy 162.158.0.0/15
	RemoteIPTrustedProxy 172.64.0.0/13
	RemoteIPTrustedProxy 173.245.48.0/20
	RemoteIPTrustedProxy 188.114.96.0/20
	RemoteIPTrustedProxy 190.93.240.0/20
	RemoteIPTrustedProxy 197.234.240.0/22
	RemoteIPTrustedProxy 198.41.128.0/17
	RemoteIPTrustedProxy 199.27.128.0/21
	
	# CloudFlare IPv6 Address Ranges
	RemoteIPTrustedProxy 2400:cb00::/32
	RemoteIPTrustedProxy 2405:8100::/32
	RemoteIPTrustedProxy 2405:b500::/32
	RemoteIPTrustedProxy 2606:4700::/32
	RemoteIPTrustedProxy 2803:f800::/32
</IfModule>

This way the source ip is visible when running CloudFlare. After adding this to the apache config I’m able to access /phpmyadmin/ with full CloudFlare security :slight_smile:

Also, make sure you are using the Full (strict) SSL setting in CloudFlare. This means your webserver also needs a valid SSL certificate. If you are using SSL Flexible then all traffic between CloudFlare and your webserver is not secure. Although this has nothing to do with the above problem, I wanted to mention it if you (readers of this topic) care about security :slight_smile:

Thanks Sdayman!
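The thread turns on one question: which address does `Require ip` see? Without mod_remoteip it sees the CloudFlare edge (post #1's 403); a bare header check as sketched in post #2 trusts CF-Connecting-IP from any peer; the RemoteIPTrustedProxy list in post #3 honours the header only when the TCP peer really is a CloudFlare edge. The following Python model is an added example, not code from the thread or from Apache: it reproduces the mod_remoteip decision for a single-address header (which is what CF-Connecting-IP carries) and then applies the thread's allowlist. The proxy list is a constructed subset of the ranges quoted in post #3, the private-block list follows the Apache documentation for RemoteIPTrustedProxy, and 203.0.113.10 is a constructed stand-in for "[my public ip]".

```python
"""Model of mod_remoteip (RemoteIPHeader + RemoteIPTrustedProxy) followed by the
thread's <RequireAny> allowlist. Added example; not the thread's or Apache's code."""
import ipaddress
from typing import Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed subset of the CloudFlare ranges listed in post #3.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in (
    "103.21.244.0/22", "104.16.0.0/12", "172.64.0.0/13", "2606:4700::/32")]

# Blocks RemoteIPTrustedProxy refuses to take from the header (Apache docs:
# 10/8, 172.16/12, 192.168/16, 169.254/16, 127/8, and anything outside 2000::/3).
INTRANET_V4 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]
PUBLIC_V6 = ipaddress.ip_network("2000::/3")

# Allowlist mirroring post #1's <RequireAny>; 203.0.113.10 stands in for "[my public ip]".
ALLOWED_CLIENTS = [ipaddress.ip_network(n) for n in ("127.0.0.1/32", "::1/128", "203.0.113.10/32")]


def _in_any(addr: IPAddr, nets) -> bool:
    # IPv4 address in IPv6 network (or vice versa) is simply False, no exception.
    return any(addr in net for net in nets)


def _is_intranet(addr: IPAddr) -> bool:
    if addr.version == 4:
        return _in_any(addr, INTRANET_V4)
    return addr not in PUBLIC_V6  # ::1, fe80::/10, fc00::/7 etc. all fall here


def effective_client_ip(conn_ip: str, cf_connecting_ip: Optional[str],
                        remoteip_enabled: bool = True) -> IPAddr:
    """Address that `Require ip` is evaluated against.

    conn_ip          -- TCP peer address (a CloudFlare edge when proxied)
    cf_connecting_ip -- value of the CF-Connecting-IP header, or None if absent
    remoteip_enabled -- False models the original setup from post #1 (no mod_remoteip)

    The header is honoured only if mod_remoteip is on, the peer is listed in
    RemoteIPTrustedProxy, and the header carries a well-formed public address.
    """
    peer = ipaddress.ip_address(conn_ip)
    if not remoteip_enabled or cf_connecting_ip is None:
        return peer
    if not _in_any(peer, TRUSTED_PROXIES):
        return peer  # header from an untrusted peer is ignored: a forged header changes nothing
    try:
        claimed = ipaddress.ip_address(cf_connecting_ip.strip())
    except ValueError:
        return peer  # malformed header value: fall back to the connection address
    if _is_intranet(claimed):
        return peer  # RemoteIPTrustedProxy never accepts private/loopback addresses from a header
    return claimed


def phpmyadmin_status(conn_ip: str, cf_connecting_ip: Optional[str],
                      remoteip_enabled: bool = True) -> int:
    """HTTP status the <RequireAny> block yields for /phpmyadmin/: 200 or 403."""
    client = effective_client_ip(conn_ip, cf_connecting_ip, remoteip_enabled)
    return 200 if _in_any(client, ALLOWED_CLIENTS) else 403


if __name__ == "__main__":
    cases = [
        ("104.16.1.2", "203.0.113.10", False),   # post #1: edge IP seen, no mod_remoteip -> 403
        ("104.16.1.2", "203.0.113.10", True),    # post #3: header honoured -> 200
        ("104.16.1.2", "198.51.100.7", True),    # another visitor through CloudFlare -> 403
        ("198.51.100.7", "203.0.113.10", True),  # direct hit on origin with forged header -> 403
        ("104.16.1.2", "127.0.0.1", True),       # loopback claimed via header, discarded -> 403
    ]
    for conn, hdr, enabled in cases:
        print(f"peer={conn} CF-Connecting-IP={hdr} remoteip={enabled} -> {phpmyadmin_status(conn, hdr, enabled)}")
```

The fourth case is the one a header-only RewriteCond misses: when the origin is reachable directly (not just via CloudFlare), a request that never passed through an edge can still carry any CF-Connecting-IP value, so the allowlist must key the header's trust on the peer address as RemoteIPTrustedProxy does.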