We have a web server (Debian Lenny, standard LAMP). We have a few tools useful for server monitoring/administration with a web interface (phpMyAdmin, APC opcache monitor, serverstats, phpinfo, ...) and we would like to limit access to them to server admins only. So I created an Apache virtual host which allows access from localhost only. Server admins then make an SSH tunnel to the server. Virtual host:
# Applies to the admin tools' document root no matter which vhost ends up serving it
<Directory /var/www/localhost/www/>
    # Apache 2.2 access control: deny rules are evaluated first, allow rules override them
    order deny,allow
    deny from all
    # IPv4 loopback only; a connection arriving over ::1 is still denied
    allow from 127.0.0.1
</Directory>

# Bound to the loopback address only, so connections arriving on the public IP never match it
<VirtualHost 127.0.0.1:80>
    ServerName localhost
    DocumentRoot /var/www/localhost/www
    DirectoryIndex index.html index.htm index.php
</VirtualHost>
My question is: is this reasonably safe? We do not use iptables/firewall. I know I can also use SSL + HTTP authentication as well, or instead.
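To make the reasoning behind the setup checkable, here is an added example (not part of the original question) that models how Apache 2.2 routes a request in this configuration: first the IP-based virtual host selection, then the `Order deny,allow` rules from the `<Directory>` block. The public address, the default site and the client addresses are assumptions constructed for the example. It shows why a remote client sending `Host: localhost` still never reaches the admin vhost, and why the SSH tunnel should target `127.0.0.1` explicitly rather than `localhost`: if `localhost` resolves to `::1` on the server, the connection misses the `127.0.0.1:80` vhost and is denied by the directory rules as well.

```python
import ipaddress

# Constructed model of the question's setup (added example, not the poster's code).
PUBLIC_IP = "203.0.113.10"  # assumed routable address of the server

# (bind address, port, ServerName, DocumentRoot)
VHOSTS = [
    ("127.0.0.1", 80, "localhost", "/var/www/localhost/www"),   # admin vhost from the question
    ("*",         80, "www.example.com", "/var/www/site"),      # assumed default public site
]

# <Directory /var/www/localhost/www/>: order deny,allow / deny from all / allow from 127.0.0.1
ACCESS_RULES = {
    "/var/www/localhost/www": {"order": "deny,allow",
                               "deny": ["all"], "allow": ["127.0.0.1"]},
}
ADMIN_DOCROOT = "/var/www/localhost/www"


def select_vhost(local_addr, port, host_header):
    """Apache picks the vhost whose bind address matches the address the
    connection arrived on; an exact address beats '*'. The Host header only
    chooses among vhosts sharing that address, so it cannot pull a request
    onto a vhost bound to a different address."""
    exact = [v for v in VHOSTS if v[0] == local_addr and v[1] == port]
    wild = [v for v in VHOSTS if v[0] == "*" and v[1] == port]
    candidates = exact or wild
    if not candidates:
        return None
    for v in candidates:
        if v[2] == host_header:
            return v
    return candidates[0]  # first vhost for the address is the default


def _matches(rule, client_ip):
    """'all' or an address/CIDR as accepted by 'allow from' / 'deny from'.
    Hostnames and partial addresses such as '10.1' are not modelled here."""
    if rule == "all":
        return True
    # A mismatched IP version (e.g. ::1 against 127.0.0.1) simply does not match.
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(rule, strict=False)


def access_allowed(docroot, client_ip):
    """Apache 2.2 'Order deny,allow': deny directives are applied first, allow
    directives then override them; clients matching neither are allowed."""
    rules = ACCESS_RULES.get(docroot)
    if rules is None:
        return True
    assert rules["order"] == "deny,allow"
    allowed = True
    if any(_matches(r, client_ip) for r in rules["deny"]):
        allowed = False
    if any(_matches(r, client_ip) for r in rules["allow"]):
        allowed = True
    return allowed


def admin_tools_reachable(local_addr, client_ip, host_header="localhost"):
    """True only if the request lands on the admin vhost AND the
    <Directory> rules let that client through."""
    v = select_vhost(local_addr, 80, host_header)
    if v is None or v[3] != ADMIN_DOCROOT:
        return False
    return access_allowed(v[3], client_ip)


def tunnel_command(user, server, local_port=8080):
    """The admin-side tunnel. 127.0.0.1 is used as the target on purpose so the
    server-side connection cannot resolve 'localhost' to ::1."""
    return f"ssh -N -L {local_port}:127.0.0.1:80 {user}@{server}"


if __name__ == "__main__":
    scenarios = [
        ("remote client, public IP, Host: localhost", PUBLIC_IP, "198.51.100.7"),
        ("admin through ssh -L ...:127.0.0.1:80",     "127.0.0.1", "127.0.0.1"),
        ("admin through ssh -L ...:localhost:80 -> ::1", "::1",   "::1"),
    ]
    for label, local_addr, client in scenarios:
        print(f"{label:50s} -> {admin_tools_reachable(local_addr, client)}")
    print(tunnel_command("admin", "server.example.org"))
```

Run it as a script to see the three scenarios; only the tunnel that reaches Apache on `127.0.0.1` gets through. The same check against a live server is `curl -I -H 'Host: localhost' http://<public-ip>/` from outside (expect the default site or a 403, never phpMyAdmin) versus `curl -I http://127.0.0.1:8080/` with the tunnel up.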
I think this is reasonably secure; in this case I don't think you need a firewall for it. But you should still be sure you're properly securing SSH.
Yes, it seems safe to me, but you should use your firewall to be really sure. It's its dedicated job to accept or refuse connections depending on their originating address.
I usually close every port except SSH and then install NX server. You can even generate a specific client certificate to make sure that only allowed clients who are in possession of this certificate and of a valid account on the server can log in (you can also just use the SSH authentication). Of course you can do this directly with SSH, but I find it easier with NX. This also speeds up the X display, since NX is globally an optimized X client library.
NX and Debian