From 1f3d5afe6a1b949af000958b5c051da2847a9803 Mon Sep 17 00:00:00 2001
From: Master3395
Date: Mon, 15 Sep 2025 01:39:21 +0200
Subject: [PATCH] Add PhpMyAdmin access middleware and session check for user authentication

- Updated settings.py to include PhpMyAdminAccessMiddleware for enhanced access control.
- Modified phpmyadminsignin.php to check user session and redirect to the login page if not authenticated.
---
 CyberCP/phpmyadminMiddleware.py | 32 ++++++
 CyberCP/settings.py | 3 +-
 deploy_phpmyadmin_redirect.sh | 54 +++++++++
 phpmyadmin_htaccess | 25 +++++
 phpmyadmin_index_redirect.php | 22 ++++
 plogical/phpmyadminsignin.php | 7 ++
 rollback_phpmyadmin_redirect.sh | 49 ++++++++
 to-do/SECURITY_INSTALLATION.md | 192 --------------------------------
 8 files changed, 191 insertions(+), 193 deletions(-)
 create mode 100644 CyberCP/phpmyadminMiddleware.py
 create mode 100644 deploy_phpmyadmin_redirect.sh
 create mode 100644 phpmyadmin_htaccess
 create mode 100644 phpmyadmin_index_redirect.php
 create mode 100644 rollback_phpmyadmin_redirect.sh
 delete mode 100644 to-do/SECURITY_INSTALLATION.md

diff --git a/CyberCP/phpmyadminMiddleware.py b/CyberCP/phpmyadminMiddleware.py
new file mode 100644
index 000000000..0b218f67c
--- /dev/null
+++ b/CyberCP/phpmyadminMiddleware.py
@@ -0,0 +1,32 @@ +# -*- coding: utf-8 -*- +""" +phpMyAdmin Access Control Middleware + +This middleware checks if users are trying to access phpMyAdmin directly +without being logged into CyberPanel and redirects them to the login page. +""" + +from django.shortcuts import redirect +from django.http import HttpResponseRedirect +from django.urls import reverse + + +class PhpMyAdminAccessMiddleware: + """ + Middleware to control phpMyAdmin access and redirect unauthenticated users to login page. + """ + + def __init__(self, get_response): + self.get_response = get_response + + def __call__(self, request): + # Check if the request is for phpMyAdmin + if request.path.startswith('/phpmyadmin/'): + # Check if user is authenticated (has session) + if 'userID' not in request.session: + # Redirect to CyberPanel login page + login_url = '/base/' + return HttpResponseRedirect(login_url) + + response = self.get_response(request) + return response diff --git a/CyberCP/settings.py b/CyberCP/settings.py index 242636410..ad059c6a7 100644 --- a/CyberCP/settings.py +++ b/CyberCP/settings.py @@ -87,7 +87,8 @@ MIDDLEWARE = [ 'django.contrib.auth.middleware.AuthenticationMiddleware', 'django.contrib.messages.middleware.MessageMiddleware', 'django.middleware.clickjacking.XFrameOptionsMiddleware', - 'CyberCP.secMiddleware.secMiddleware' + 'CyberCP.secMiddleware.secMiddleware', + 'CyberCP.phpmyadminMiddleware.PhpMyAdminAccessMiddleware' ] ROOT_URLCONF = 'CyberCP.urls' diff --git a/deploy_phpmyadmin_redirect.sh b/deploy_phpmyadmin_redirect.sh new file mode 100644 index 000000000..203971f78 --- /dev/null +++ b/deploy_phpmyadmin_redirect.sh 
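Review bot: The prefix test `request.path.startswith('/phpmyadmin/')` in `__call__` lets `/phpmyadmin` (no trailing slash) and mixed-case spellings such as `/PhpMyAdmin/` skip the session check entirely, because the comparison is exact and case-sensitive; a tighter test is `path = request.path.lower()` followed by `if path == '/phpmyadmin' or path.startswith('/phpmyadmin/'):`. If, as the companion `index.php` stub and `.htaccess` in this patch suggest, phpMyAdmin is served by lscpd rather than routed through Django's URLconf, this middleware never sees those requests at all and the PHP-side session check is the authoritative control — the class docstring should state which layer is relied on. A rejected request is currently redirected silently; logging the path and `request.META.get('REMOTE_ADDR')` at warning level would make unauthenticated phpMyAdmin probes visible to operators. `redirect` and `reverse` are imported but never used and can be dropped.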
@@ -0,0 +1,54 @@
+#!/bin/bash
+
+# CyberPanel phpMyAdmin Access Control Deployment Script
+# This script implements redirect functionality for unauthenticated phpMyAdmin access
+
+echo "=== CyberPanel phpMyAdmin Access Control Deployment ==="
+
+# Check if running as root
+if [ "$EUID" -ne 0 ]; then
+ echo "Please run this script as root"
+ exit 1
+fi
+
+# Backup original phpMyAdmin index.php if it exists
+if [ -f "/usr/local/CyberCP/public/phpmyadmin/index.php" ]; then
+ echo "Backing up original phpMyAdmin index.php..."
+ cp /usr/local/CyberCP/public/phpmyadmin/index.php /usr/local/CyberCP/public/phpmyadmin/index.php.backup.$(date +%Y%m%d_%H%M%S)
+fi
+
+# Deploy the redirect index.php
+echo "Deploying phpMyAdmin access control..."
+cp /usr/local/CyberCP/phpmyadmin_index_redirect.php /usr/local/CyberCP/public/phpmyadmin/index.php
+
+# Deploy .htaccess for additional protection
+echo "Deploying .htaccess protection..."
+cp /usr/local/CyberCP/phpmyadmin_htaccess /usr/local/CyberCP/public/phpmyadmin/.htaccess
+
+# Set proper permissions
+echo "Setting permissions..."
+chown lscpd:lscpd /usr/local/CyberCP/public/phpmyadmin/index.php
+chmod 644 /usr/local/CyberCP/public/phpmyadmin/index.php
+chown lscpd:lscpd /usr/local/CyberCP/public/phpmyadmin/.htaccess
+chmod 644 /usr/local/CyberCP/public/phpmyadmin/.htaccess
+
+# Restart LiteSpeed to ensure changes take effect
+echo "Restarting LiteSpeed..."
+systemctl restart lscpd
+
+echo "=== Deployment Complete ==="
+echo ""
+echo "phpMyAdmin access control has been deployed successfully!"
+echo ""
+echo "What this does:"
+echo "- Users trying to access phpMyAdmin directly without being logged into CyberPanel"
+echo " will now be redirected to the CyberPanel login page (/base/)"
+echo "- Authenticated users will continue to access phpMyAdmin normally"
+echo ""
+echo "To revert changes, restore the backup:"
+echo "cp /usr/local/CyberCP/public/phpmyadmin/index.php.backup.* /usr/local/CyberCP/public/phpmyadmin/index.php"
+echo ""
+echo "Test the implementation by:"
+echo "1. Opening an incognito/private browser window"
+echo "2. Going to https://your-server:2087/phpmyadmin/"
+echo "3. You should be redirected to the CyberPanel login page"
diff --git a/phpmyadmin_htaccess b/phpmyadmin_htaccess
new file mode 100644
index 000000000..e316d5b8c
--- /dev/null
+++ b/phpmyadmin_htaccess
@@ -0,0 +1,25 @@
+# CyberPanel phpMyAdmin Access Control
+# Place this file as /usr/local/CyberCP/public/phpmyadmin/.htaccess
+
+# Enable rewrite engine
+RewriteEngine On
+
+# Check if user is not authenticated and redirect to login
+RewriteCond %{HTTP_COOKIE} !sessionid=
+RewriteRule ^(.*)$ /base/ [R=302,L]
+
+# Additional security headers
+Header always set X-Frame-Options DENY
+Header always set X-Content-Type-Options nosniff
+Header always set X-XSS-Protection "1; mode=block"
+
+# Prevent direct access to sensitive files
+
+ Order Allow,Deny
+ Deny from all
+
+
+
+ Order Allow,Deny
+ Deny from all
+
diff --git a/phpmyadmin_index_redirect.php b/phpmyadmin_index_redirect.php
new file mode 100644
index 000000000..a6c8a0fa2
--- /dev/null
+++ b/phpmyadmin_index_redirect.php
@@ -0,0 +1,22 @@
+
diff --git a/plogical/phpmyadminsignin.php b/plogical/phpmyadminsignin.php
index 3b2f92d44..7076a8758 100644
--- a/plogical/phpmyadminsignin.php
+++ b/plogical/phpmyadminsignin.php
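Review bot: The script has no error handling: `set -euo pipefail` is absent, so a failed `cp` of `/usr/local/CyberCP/phpmyadmin_index_redirect.php` or `/usr/local/CyberCP/phpmyadmin_htaccess` (neither source is checked for existence) is silently followed by the chown/chmod lines and an lscpd restart, leaving a half-deployed phpMyAdmin directory. The printed revert command `cp /usr/local/CyberCP/public/phpmyadmin/index.php.backup.* .../index.php` breaks as soon as a second timestamped backup exists, because the glob then expands to several sources; pointing users at the rollback script instead would avoid that. As far as the rollback script is visible in this patch, it restores index.php and removes .htaccess but does not remove the `PhpMyAdminAccessMiddleware` entry from settings.py, so a rollback would leave the Django-side redirect active — worth stating in the revert instructions. I would add `set -euo pipefail` after the shebang and guard each copy with `[ -f "$src" ] || { echo "missing $src" >&2; exit 1; }`.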
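Review bot: `RewriteCond %{HTTP_COOKIE} !sessionid=` tests only whether the request carries a cookie named sessionid, a value the client supplies and nothing here validates, so it separates browsers that have visited CyberPanel from those that have not rather than authenticated from unauthenticated users and must not be treated as an access control. The comment above it should say so, e.g. `# Defence in depth only: presence of a sessionid cookie is not authentication; the server-side session check is authoritative.` `X-XSS-Protection` is deprecated and ignored by current browsers, so that header adds nothing; `Content-Security-Policy` is the modern replacement if one is wanted. `Header` is an Apache mod_headers directive, and whether lscpd honours it and the rewrite rules from a `.htaccess` at this path is worth confirming before the deployment script reports these protections as active.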
@@ -1,5 +1,12 @@ /dev/null | head -n1) + +if [ -z "$LATEST_BACKUP" ]; then + echo "No backup found. Cannot rollback changes." + echo "You may need to reinstall phpMyAdmin or restore from your own backup." + exit 1 +fi + +echo "Found backup: $LATEST_BACKUP" +echo "Restoring original phpMyAdmin index.php..." + +# Restore the original index.php +cp "$LATEST_BACKUP" /usr/local/CyberCP/public/phpmyadmin/index.php + +# Remove the .htaccess file if it exists +if [ -f "/usr/local/CyberCP/public/phpmyadmin/.htaccess" ]; then + echo "Removing .htaccess file..." + rm /usr/local/CyberCP/public/phpmyadmin/.htaccess +fi + +# Set proper permissions +echo "Setting permissions..." +chown lscpd:lscpd /usr/local/CyberCP/public/phpmyadmin/index.php +chmod 644 /usr/local/CyberCP/public/phpmyadmin/index.php + +# Restart LiteSpeed to ensure changes take effect +echo "Restarting LiteSpeed..." +systemctl restart lscpd + +echo "=== Rollback Complete ===" +echo "" +echo "phpMyAdmin access control has been reverted!" +echo "phpMyAdmin should now work as it did before the changes." +echo "" +echo "Backup file used: $LATEST_BACKUP" diff --git a/to-do/SECURITY_INSTALLATION.md b/to-do/SECURITY_INSTALLATION.md deleted file mode 100644 index dd72886fa..000000000 --- a/to-do/SECURITY_INSTALLATION.md +++ /dev/null 
@@ -1,192 +0,0 @@ -# CyberPanel Secure Installation Guide - -## Overview - -This document describes the secure installation process for CyberPanel that eliminates hardcoded passwords and implements environment-based configuration. - -## Security Improvements - -### ✅ **Fixed Security Vulnerabilities** - -1. **Hardcoded Database Passwords** - Now generated securely during installation -2. **Hardcoded Django Secret Key** - Now generated using cryptographically secure random generation -3. **Environment Variables** - All sensitive configuration moved to `.env` file -4. **File Permissions** - `.env` file set to 600 (owner read/write only) - -### 🔐 **Security Features** - -- **Cryptographically Secure Passwords**: Uses Python's `secrets` module for password generation -- **Environment-based Configuration**: Sensitive data stored in `.env` file, not in code -- **Secure File Permissions**: Environment files protected with 600 permissions -- **Credential Backup**: Automatic backup of credentials for recovery -- **Fallback Security**: Maintains backward compatibility with fallback method - -## Installation Process - -### 1. **Automatic Secure Installation** - -The installation script now automatically: - -1. Generates secure random passwords for: - - MySQL root user - - CyberPanel database user - - Django secret key - -2. Creates `.env` file with secure configuration: - ```bash - # Generated during installation - SECRET_KEY=your_64_character_secure_key - DB_PASSWORD=your_24_character_secure_password - ROOT_DB_PASSWORD=your_24_character_secure_password - ``` - -3. Creates `.env.backup` file for credential recovery -4. Sets secure file permissions (600) on all environment files - -### 2. 
**Manual Installation** (if needed) - -If you need to manually generate environment configuration: - -```bash -cd /usr/local/CyberCP -python install/env_generator.py /usr/local/CyberCP -``` - -## File Structure - -``` -/usr/local/CyberCP/ -├── .env # Main environment configuration (600 permissions) -├── .env.backup # Credential backup (600 permissions) -├── .env.template # Template for manual configuration -├── .gitignore # Prevents .env files from being committed -└── CyberCP/ - └── settings.py # Updated to use environment variables -``` - -## Security Best Practices - -### ✅ **Do's** - -- Keep `.env` and `.env.backup` files secure -- Record credentials from `.env.backup` and delete the file after installation -- Use strong, unique passwords for production deployments -- Regularly rotate database passwords -- Monitor access to environment files - -### ❌ **Don'ts** - -- Never commit `.env` files to version control -- Don't share `.env` files via insecure channels -- Don't use default passwords in production -- Don't leave `.env.backup` files on the system after recording credentials - -## Recovery - -### **Lost Credentials** - -If you lose your database credentials: - -1. Check if `.env.backup` file exists: - ```bash - sudo cat /usr/local/CyberCP/.env.backup - ``` - -2. 
If backup doesn't exist, you'll need to reset MySQL passwords using MySQL recovery procedures - -### **Regenerate Environment** - -To regenerate environment configuration: - -```bash -cd /usr/local/CyberCP -sudo python install/env_generator.py /usr/local/CyberCP -``` - -## Configuration Options - -### **Environment Variables** - -| Variable | Description | Default | -|----------|-------------|---------| -| `SECRET_KEY` | Django secret key | Generated (64 chars) | -| `DB_PASSWORD` | CyberPanel DB password | Generated (24 chars) | -| `ROOT_DB_PASSWORD` | MySQL root password | Generated (24 chars) | -| `DEBUG` | Debug mode | False | -| `ALLOWED_HOSTS` | Allowed hosts | localhost,127.0.0.1,hostname | - -### **Custom Configuration** - -To use custom passwords during installation: - -```bash -python install/env_generator.py /usr/local/CyberCP "your_root_password" "your_db_password" -``` - -## Troubleshooting - -### **Installation Fails** - -If the new secure installation fails: - -1. Check installation logs for error messages -2. The system will automatically fallback to the original installation method -3. Verify Python dependencies are installed: - ```bash - pip install python-dotenv - ``` - -### **Environment Loading Issues** - -If Django can't load environment variables: - -1. Ensure `.env` file exists and has correct permissions: - ```bash - ls -la /usr/local/CyberCP/.env - # Should show: -rw------- 1 root root - ``` - -2. Install python-dotenv if missing: - ```bash - pip install python-dotenv - ``` - -## Migration from Old Installation - -### **Existing Installations** - -For existing CyberPanel installations with hardcoded passwords: - -1. **Backup current configuration**: - ```bash - cp /usr/local/CyberCP/CyberCP/settings.py /usr/local/CyberCP/CyberCP/settings.py.backup - ``` - -2. **Generate new environment configuration**: - ```bash - cd /usr/local/CyberCP - python install/env_generator.py /usr/local/CyberCP - ``` - -3. 
**Update settings.py** (already done in new installations): - - The settings.py file now supports environment variables - - It will fallback to hardcoded values if .env is not available - -4. **Test the configuration**: - ```bash - cd /usr/local/CyberCP - python manage.py check - ``` - -## Support - -For issues with the secure installation: - -1. Check the installation logs -2. Verify file permissions -3. Ensure all dependencies are installed -4. Review the fallback installation method if needed - ---- - -**Security Notice**: This installation method significantly improves security by eliminating hardcoded credentials. Always ensure proper file permissions and secure handling of environment files.