docker fpm-alpine image with apache reverse proxy #350

Open
d3xt3r01 opened this issue Dec 21, 2021 · 7 comments

@d3xt3r01

d3xt3r01 commented Dec 21, 2021

Describe the bug

The default security.limit_extensions in php-fpm.d/www.conf doesn't allow the php-fpm to serve the other files.

To Reproduce

Use this docker-compose

# cat docker-compose.yml
version: "3.8"
services:
  mariadb:
    image: 'mariadb:10.5.13'
    restart: always
    hostname: 'mariadb'
    environment:
      MYSQL_ROOT_PASSWORD: 1234
    volumes:
      - './volumes/mariadb/varlibmysql:/var/lib/mysql'
    ports:
      - 192.168.1.2:3307:3306
    networks:
      mariadb:
  phpmyadmin:
    image: 'phpmyadmin:5.1.1-fpm-alpine'
    restart: always
    hostname: 'phpmyadmin'
    ports:
      - 127.0.0.1:9180:9000
    environment:
      - HIDE_PHP_VERSION=true
      - PMA_ABSOLUTE_URI=http://phpmyadmin.local.lan/
    networks:
      mariadb:

networks:
  mariadb:
    driver_opts:
      com.docker.network.bridge.name: br-mariadb
# cat local.lan.conf
        <VirtualHost 192.168.1.2:80>
                ServerName phpmyadmin.local.lan
                DirectoryIndex index.php
                ProxyPass / fcgi://127.0.0.1:9180/var/www/html/
                ProxyPassReverse / fcgi://127.0.0.1:9180/var/www/html/
        </VirtualHost>

Expected behavior

The UI to appear

Screenshots

The text "File not found."

Docker Logs

NOTICE: Access to the script '/var/www/html/themes/pmahomme/jquery/jquery-ui.css' has been denied (see security.limit_extensions)
192.168.128.1 -  21/Dec/2021:17:51:20 +0000 "GET /themes/pmahomme/jquery/jquery-ui.css" 403
NOTICE: Access to the script '/var/www/html/js/vendor/codemirror/lib/codemirror.css' has been denied (see security.limit_extensions)
192.168.128.1 -  21/Dec/2021:17:51:20 +0000 "GET /js/vendor/codemirror/lib/codemirror.css" 403
NOTICE: Access to the script '/var/www/html/js/vendor/codemirror/addon/hint/show-hint.css' has been denied (see security.limit_extensions)
....

Server configuration

  • Operating system: gentoo
  • Web server: apache reverse proxy
  • Database version: mariadb-10.5.13
  • PHP version: 7.4.27
  • phpMyAdmin version: 5.1.1

Client configuration

any ... cli/UI

Additional context

The documentation doesn't say anything about the apache reverse proxy so... I think we also need an example for apache. For example, that /var/www/html needs to be appended to the ProxyPass took me a little bit to figure out.
Maybe also something to redirect / to index.php? In my solution / still says File not found.
Chrome refuses to show everything, probably because of X-Content-Type-Options, which if forcibly removed will still cause it to render weirdly.

@williamdes williamdes transferred this issue from phpmyadmin/phpmyadmin Dec 21, 2021
@williamdes
Member

Hi @d3xt3r01

I transferred this issue here. I am not sure where the mistake is, but #253 (comment) may help you.
And the whole thread #253 is filled with examples that could help too.
Let me know.

@d3xt3r01
Author

d3xt3r01 commented Dec 21, 2021

I've looked at it all day long...nothing there for apache... I still don't understand what I'm missing...
I've also tried the same thing with the '-fpm' non-alpine image... Same issues with the security.limit_extensions errors.
I thought maybe my apache is messed up somehow... so I added these to the services list in docker-compose.yml

  httpd:
    image: 'httpd:2.4.52-alpine'
    restart: always
    ports:
      - 192.168.1.2:9183:80
    networks:
      mariadb:

After which I modified httpd's config a bit

docker exec -it docker-mariadb_httpd_1 sh

echo 'Include conf/extra/phpmyadmin.local.lan.conf' >>/usr/local/apache2/conf/httpd.conf

cat >/usr/local/apache2/conf/extra/phpmyadmin.local.lan.conf <<'EOF'
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
<VirtualHost 0.0.0.0:80>
ServerName phpmyadmin.local.lan
ProxyPass / "fcgi://phpmyadmin:9000/var/www/html/"
ProxyPassReverse / "fcgi://phpmyadmin:9000/var/www/html/"
</VirtualHost>
EOF

httpd -t
kill -USR1 1

@d3xt3r01
Author

d3xt3r01 commented Dec 21, 2021

Further testing resulted in this fix... not sure if it's the right way of doing it...

# cat ./volumes/phpmyadmin/disablesecurity.conf
[www]
security.limit_extensions = 

# the service looks like this now
  phpmyadmin:
    image: 'phpmyadmin:5.1.1-fpm-alpine'
    restart: always
    hostname: 'phpmyadmin'
    ports:
      - 127.0.0.1:9180:9000
    volumes:
      - './volumes/phpmyadmin/disablesecurity.conf:/usr/local/etc/php-fpm.d/disablesecurity.conf'
    environment:
      HIDE_PHP_VERSION: "true"
      PMA_ARBITRARY: 1
      PMA_ABSOLUTE_URI: http://phpmyadmin.local.lan/
    networks:
      mariadb:

# the vhost definition in apache looks like this now
        <VirtualHost 192.168.1.2:80>
                ServerName phpmyadmin.local.lan
                ProxyPreserveHost on
                RewriteEngine on
                RewriteRule ^/$ /index.php [P,QSA,L]
                ProxyPass / "fcgi://127.0.0.1:9180/var/www/html/"
                ProxyPassReverse / "fcgi://127.0.0.1:9180/var/www/html/"
                <LocationMatch "^/.*\.css">
                        Header set Content-type "text/css"
                </LocationMatch>
                <LocationMatch "^/.*\.js">
                        Header set Content-type "text/javascript"
                </LocationMatch>
        </VirtualHost>

@aszabonorbert

First of all, thank you for all of your effort to make these docker images possible. And sorry if my text disturbs you, but after one day of searching for solutions to get the alpine-fpm version of phpmyadmin to work, I have to say it is almost useless. And why I'm upset is the lack of documentation. If I could have read how it works exactly (btw. I think only one solution exists), I wouldn't have spent my whole day finding out that it is not what I want. My scenario is a non-dockerized apache2 reverse proxy and a dockerized alpine-fpm-phpmyadmin. Actually it is not working in this scenario. Why? Because the php in the fpm docker is set to work with a few extensions (php(*), htm, etc.), so when you try to browse the pma directory, you are going to be faced with the security.limit_extensions config option. In my opinion, weakening the php security with an empty security.limit_extensions line is not an acceptable solution! You can try to share the pma docroot with a non-dockerized apache for serving the non-php files (like js), but it is impossible, because the docker bind mount actually removes every file in the pma docroot in this case; the docker volume actually works (/var/lib/docker/volumes), but the path is inaccessible for the non-dockerized apache. I know I can set the directory permission, but from the point of view of security it is just not acceptable. I don't want to only complain, so for those who want to use this version of pma (fpm-alpine without webserver), I can tell you the only solution is a dockerized webserver beside the dockerized fpm-pma, and you can share the pma docroot between them with a docker volume (pma_web:/var/www/html). After that you can serve the rest of the non-php files with this webserver. Unfortunately this scenario is not a solution for me. I hope this can help those who, like me, find the working solution but don't understand why it is not working. Peace.

@shakaran

Content-type "text/css"

For nginx:

location ~ \.css {
    add_header  Content-Type    text/css;
}
location ~ \.js {
    add_header  Content-Type    application/x-javascript;
}

@rodriciru

rodriciru commented Aug 2, 2022

Hi. I think I got it.
Docker-compose.yml:

version: '3.8'
volumes:
    phpmyadmin:
services:
  www:
    image: httpd:alpine
    volumes:
      - "./www:/usr/local/apache2/htdocs"
      - "./conf/httpd/httpd.conf:/usr/local/apache2/conf/httpd.conf"
      - "./conf/httpd/vhosts:/usr/local/apache2/conf.d/vhosts"
      - phpmyadmin:/var/www/html/phpmyadmin #THIS LINE IS KEY
    environment:
      TZ: "${TZ}" 
    networks:
      - default
    restart: always

  phpmyadminfpm:
    image: phpmyadmin:5-fpm-alpine
    environment:
      PMA_HOST: ${MYSQL_HOST}
      TZ: ${TZ}
    restart: always
    volumes:
      - phpmyadmin:/var/www/html #THIS LINE IS KEY

phpmyadmin.conf:

<VirtualHost *:80>
    ServerName phfpm.localhost
    RewriteEngine on
    RewriteRule ^/?$ "http://%{SERVER_NAME}/index.php" [P,QSA,L]
    # THE NEXT TWO LINES ARE KEY (Apache does not allow a comment on the same line as a directive)
    ProxyPassMatch "^/(.*\.php)$" "fcgi://phpmyadminfpm:9000/var/www/html/"
    ProxyPassReverse "^/(.*\.php)$" "fcgi://phpmyadminfpm:9000/var/www/html/"
    # THIS LINE IS KEY
    DocumentRoot "/var/www/html/phpmyadmin"
    <Directory "/var/www/html/phpmyadmin">
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

There's no need for a security.limit_extensions override or anything.
The thing here is that Apache serves static content from PhpMyAdmin and only .php files are parsed by the PhpMyAdmin FPM process.
For that you need to share the files in PhpMyAdmin, so that's why you need the volumes in the Apache container and to share the PhpMyAdmin files as a volume.

Please test it and tell me!
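
Added example (not part of any comment in this thread, and not phpMyAdmin project code): a small Python model of how one request is handled under the three setups discussed above. The `LIMIT` allow-list and the setup names are assumptions for illustration; the routing rules and the CSS path are taken from the configs and log lines in the thread.

```python
import re

# Added model of the three setups in this thread; not project code.
# LIMIT is an assumed allow-list; check the image's own php-fpm pool config.
LIMIT = [".php", ".phar"]

SETUPS = {
    # name: (Apache routing rule, php-fpm security.limit_extensions)
    "catch-all ProxyPass": (("ProxyPass", "/"), LIMIT),
    "catch-all + empty limit": (("ProxyPass", "/"), []),
    "ProxyPassMatch + shared docroot": (("ProxyPassMatch", r"^/(.*\.php)$"), LIMIT),
}

def routed_to_fpm(path, rule):
    """ProxyPass matches by URL prefix, ProxyPassMatch by regular expression."""
    kind, pattern = rule
    if kind == "ProxyPass":
        return path.startswith(pattern)
    return re.search(pattern, path) is not None

def fpm_accepts(script, limit_extensions):
    """php-fpm runs a script only if its name ends with a listed extension.
    An empty value allows all extensions."""
    if not limit_extensions:
        return True
    return any(script.endswith(ext) for ext in limit_extensions)

def outcome(path, setup):
    rule, limit = SETUPS[setup]
    if not routed_to_fpm(path, rule):
        return "static file served by Apache"
    if fpm_accepts(path, limit):
        return "handed to the PHP interpreter"
    return "403 from php-fpm (security.limit_extensions)"

def compare(paths):
    """Outcome of every path under every setup."""
    return {s: {p: outcome(p, s) for p in paths} for s in SETUPS}

if __name__ == "__main__":
    # The CSS path is the one from the Docker log in the first comment.
    paths = ["/index.php", "/themes/pmahomme/jquery/jquery-ui.css"]
    for setup, rows in compare(paths).items():
        print(setup)
        for p, result in rows.items():
            print(f"  {p:42} {result}")
```

With the empty limit, every proxied file, not just `.php`, is passed to the interpreter; with the `ProxyPassMatch` rule the stylesheet never reaches php-fpm at all.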

@beeyev

beeyev commented Dec 15, 2022

This custom image might solve the problems.
https://hub.docker.com/r/beeyev/phpmyadmin-lightweight
