littlebizzy / slickstack

Lightning-fast WordPress on Nginx
https://slickstack.io
GNU General Public License v3.0

SS_ADMINER_PUBLIC="false" does not work as intended. #196

Closed NathanAdhitya closed 3 months ago

NathanAdhitya commented 1 year ago

Issue

On version APR2023K, SS_ADMINER_PUBLIC set to "false" still exposes Adminer to the public web.

jessuppi commented 1 year ago

Related: https://github.com/littlebizzy/slickstack/issues/73

jessuppi commented 1 year ago

Perhaps this is another feature that could be moved to our new Nginx includes approach, like:

/var/www/sites/includes/adminer.conf

jessuppi commented 1 year ago

If we end up doing something like:

https://wordpress.org/plugins/db-access-adminer/

Where it requires WP Admin authentication, the entire issue might be moot.

jessuppi commented 1 year ago

Some patches:

https://github.com/littlebizzy/slickstack/commit/fd74e7a4f9c295b406b84dd2d896aafa10868c9c

https://github.com/littlebizzy/slickstack/commit/865024f88242e64f941f0fba5e561130126abf83

jessuppi commented 1 year ago

These patches (above) are temporary, because they delete the adminer.php file in case SS_ADMINER_PUBLIC is set to false in your ss-config. Later on, we should consider a separate Nginx file for Adminer too.

jessuppi commented 4 months ago

New sub-module in progress:

https://github.com/littlebizzy/slickstack/blob/master/modules/nginx/includes/adminer-conf.txt

jessuppi commented 4 months ago

We could probably also hide the Database tab in the SlickStack WP Admin Dashboard if this is set to false; that's something that a few developers had asked about.

jessuppi commented 3 months ago

Update: this option in ss-config is now called ADMINER_PUBLIC

jessuppi commented 3 months ago

Okay, Adminer is now officially a submodule for Nginx for SlickStack purposes... if ADMINER_PUBLIC="true" in your ss-config then the file adminer.conf will be installed to /var/www/sites/includes going forward, otherwise that file will be deleted if set to false for that option.

New script: https://github.com/littlebizzy/slickstack/blob/master/bash/ss-install-nginx-adminer.txt

I've also removed the temporary fix in ss-clean-files which deleted /var/www/meta/adminer.php if ADMINER_PUBLIC was set to false... so that is no longer going to happen going forward.

Notes:

We could make this even stronger by adding a 403 denied or something to the Adminer URL; however, now that the URL is a randomized string it's probably not a concern.
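
As an added example (not part of the thread or of SlickStack's own scripts), a shell check that compares the ADMINER_PUBLIC setting with the install/delete behaviour described in the last comment. The ss-config path is passed by the caller because the thread does not give it; the function names are hypothetical, and falling back to the older SS_ADMINER_PUBLIC name is an assumption.

```shell
#!/usr/bin/env bash
# Added example: audit whether adminer.conf on disk matches the ss-config setting.
# The includes directory is the one named in the thread; override it for testing.
INCLUDES_DIR="${INCLUDES_DIR:-/var/www/sites/includes}"

# Print the configured value. The current option name is tried first; the older
# SS_ADMINER_PUBLIC name is a fallback (assumption). Last assignment in the file wins.
adminer_public_value() {
    local name value
    for name in ADMINER_PUBLIC SS_ADMINER_PUBLIC; do
        value="$(sed -n -E "s/^[[:space:]]*${name}=\"?([A-Za-z]+)\"?.*/\1/p" "$1" | tail -n 1)"
        if [ -n "$value" ]; then
            printf '%s\n' "$value"
            return 0
        fi
    done
    return 1
}

# Returns 0 when disk state matches the setting, 1 on a mismatch,
# 2 when the setting is missing or not "true"/"false".
audit_adminer() {
    local config="$1" conf value
    conf="$INCLUDES_DIR/adminer.conf"
    value="$(adminer_public_value "$config" || true)"
    case "$value" in
        true)
            if [ -f "$conf" ]; then echo "OK: public, $conf present"; return 0; fi
            echo "MISMATCH: set to true but $conf is missing"; return 1 ;;
        false)
            # The thread notes adminer.php itself is no longer deleted, so only
            # the Nginx include decides whether Adminer is reachable.
            if [ ! -e "$conf" ]; then echo "OK: not public, $conf absent"; return 0; fi
            echo "MISMATCH: set to false but $conf is still present"; return 1 ;;
        *)
            echo "UNKNOWN: no usable ADMINER_PUBLIC value in $config"; return 2 ;;
    esac
}

# Stand-alone use: pass the path to ss-config as the first argument.
if [ "$#" -gt 0 ]; then
    audit_adminer "$1"
fi
```

A mismatch with the setting at false is the condition originally reported in this issue: the option says private while the include that serves Adminer is still in place.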