How to secure phpMyAdmin on Ubuntu

phpMyAdmin is free software that helps us manage MySQL databases without using the CLI (Command Line Interface). By default we access phpMyAdmin over HTTP, and HTTP is not a secure protocol for exchanging a username and password between client and server: everything travels in clear text, so it is wide open to attackers and easy to sniff. If they get the username and password of your phpMyAdmin account, just say goodbye to your database. :P

The picture below shows how exposed the HTTP protocol really is:
https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZZLYY_PGgEdA8XzMlpBEbn1dO0XJ9k8nqobS8MEYIEchMQrkBl-QP6-UrblJZkfQNevabjg04S_B8_AxX72QFl_HpAEo4xGE5F4gjesWBre5gB3fKwj8PZUiLuDwMPIcyVSwku5U2o3I/s640/Capture.PNG

The obvious solution is to access phpMyAdmin over an HTTPS/SSL connection. HTTPS is like HTTP, but the data exchanged between client and server is encrypted.

As a first security layer, we add an authentication step before a user can even see the phpMyAdmin login page. This username and password are separate from the MySQL account.

Open /etc/phpmyadmin/apache2.conf and find the line "DirectoryIndex index.php". Then add "AllowOverride All" right below it, so the block looks like this:

 <Directory /usr/share/phpmyadmin>  
      Options FollowSymLinks  
      DirectoryIndex index.php  
      AllowOverride All  
      . . .  

Next, create file .htaccess in /usr/share/phpmyadmin/ and add this code :

      AuthType Basic  
      AuthName "Restricted Files"  
      AuthUserFile /etc/phpmyadmin/.htpasswd  
      Require valid-user  

The username and password will be stored in /etc/phpmyadmin/.htpasswd, so we have to create that file with this command:

 sudo htpasswd -c /etc/phpmyadmin/.htpasswd user_name  

Press ENTER and you will be prompted to create the password. After that, run this command to restart the Apache web server:

 sudo service apache2 restart  

Then open your phpMyAdmin URL, e.g. http://localhost/phpmyadmin, and you should get a screen like this:

https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCrEEQS2WIrmLasFrorY0SaSe_2wax_FsT7dNgLlBsV3kUnw8uCo2Ouub2CJa196CjDS5TiWowHbG0URp2mC9e1IDLYV2Zj8j8vZTHul-mFjBySBI5nBhzHCTEIRiX0aGjTIV1RScyM5o/s640/revo-brain-htaccess.png

Next, we configure HTTPS for phpMyAdmin so that the exchanged data cannot be sniffed. Open a terminal and enable the SSL module:

 sudo a2enmod ssl  
 sudo service apache2 restart  

Create a directory for the SSL certificate and generate a self-signed certificate and key with these commands:

 sudo mkdir /etc/apache2/ssl  
 sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt  

Follow the prompts after pressing ENTER. The command above creates a self-signed certificate valid for 365 days (1 year) together with a 2048-bit RSA key, and both files are stored in /etc/apache2/ssl.

After creating the certificate and key files, add NameVirtualHost *:443 to /etc/apache2/ports.conf. Next, edit the default-ssl site file in /etc/apache2/sites-available and point it at the apache.key and apache.crt files we created earlier. Find these lines and set the paths correctly:

 SSLEngine on  
 SSLCertificateFile /etc/apache2/ssl/apache.crt  
 SSLCertificateKeyFile /etc/apache2/ssl/apache.key  

Open /etc/phpmyadmin/config.inc.php and add this line at the very end:

 $cfg['ForceSSL'] = true;  

Finally, enable the SSL site and restart Apache:

 sudo a2ensite default-ssl  
 sudo service apache2 restart  
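Two things commonly go wrong at this point: Apache refuses to start because the certificate and key in default-ssl do not belong together, or the site quietly stops working a year later when the 365-day certificate expires. The script below is an added example written for this post, not code from phpMyAdmin, Apache or the original article. Its make_samples function generates a throw-away key and certificate with the same openssl command as above (constructed stand-ins for /etc/apache2/ssl/apache.key and apache.crt) plus two sample config.inc.php files, and its audit function runs the same three checks against the real paths: the certificate matches the key, it is still valid 30 days from now, and ForceSSL is really enabled.

```shell
#!/bin/sh
# Added example, not code from the original post: checks for the SSL part of
# the setup. make_samples() generates a throw-away self-signed key/cert pair
# (constructed stand-ins for /etc/apache2/ssl/apache.key and apache.crt) plus
# sample config.inc.php files in a directory you give it, so nothing here
# touches the live system; audit() runs the same checks against the real paths.

# Return 0 when CRT was issued for KEY, i.e. both carry the same RSA modulus.
# A mismatched pair is the usual reason Apache refuses to start after the
# SSLCertificateFile / SSLCertificateKeyFile lines are edited.
cert_matches_key() {
  c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
  k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
  [ "$c" = "$k" ]
}

# Return 0 if CRT is still valid DAYS days from now. The post's certificate
# lasts 365 days, so running this with 30 from cron gives a renewal warning.
cert_valid_for_days() {
  openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1
}

# Return 0 if CONFIG (config.inc.php) sets $cfg['ForceSSL'] = true, which
# makes phpMyAdmin itself redirect plain-HTTP requests to HTTPS.
forcessl_enabled() {
  grep -Eq '^[[:space:]]*\$cfg\[.ForceSSL.\][[:space:]]*=[[:space:]]*true[[:space:]]*;' "$1"
}

# Write constructed sample files under DIR: a matching key/cert pair, an
# unrelated key, and a good and a bad config.inc.php.
make_samples() {
  dir=$1
  # Same command as the post, made non-interactive with -subj.
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj '/CN=localhost' \
    -keyout "$dir/apache.key" -out "$dir/apache.crt" >/dev/null 2>&1
  # An unrelated key, to show what a mismatch looks like.
  openssl genrsa -out "$dir/other.key" 2048 >/dev/null 2>&1
  printf "<?php\n\$cfg['ForceSSL'] = true;\n" > "$dir/config-good.inc.php"
  printf "<?php\n\$cfg['ForceSSL'] = false;\n" > "$dir/config-bad.inc.php"
}

# audit [CRT] [KEY] [CONFIG]: run all checks, defaulting to the paths used in
# the post; exit status 1 if any check fails.
audit() {
  crt=${1:-/etc/apache2/ssl/apache.crt}
  key=${2:-/etc/apache2/ssl/apache.key}
  cfg=${3:-/etc/phpmyadmin/config.inc.php}
  rc=0
  cert_matches_key "$crt" "$key" \
    && echo "cert/key pair: match" || { echo "cert/key pair: MISMATCH"; rc=1; }
  cert_valid_for_days "$crt" 30 \
    && echo "expiry: more than 30 days left" || { echo "expiry: renew within 30 days"; rc=1; }
  forcessl_enabled "$cfg" \
    && echo "ForceSSL: on" || { echo "ForceSSL: off"; rc=1; }
  return $rc
}
```

Source the file and call audit with no arguments to check the paths from this post. Note that the certificate is self-signed, which is exactly why the browser shows the warning described below: nobody vouches for it, so the browser cannot distinguish your server from another one presenting its own self-signed certificate. For a lab box that is acceptable; for anything reachable by other people, use a certificate issued by a CA so that nobody gets into the habit of clicking through warnings.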

If you get a security warning like the one below, that is expected for a self-signed certificate: ignore it and add an exception if you are using Mozilla Firefox.

https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgz8ENmMRz9wazS0tlwPKRh9-ukFP-YOgAeFK74x0dB-xOxbmX6CeAA5t8HHoofUARzkwqm0BH0HqtZtNFoxipGEEDq4IUyuVBTb85UcQiAa0YXBqx9eLiAEvYJxO27ayCEFB9dpyJdd2A/s1600/revo-brain-security-warning.jpg

And ta-da, your phpMyAdmin is more secure than before:

https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOz-ACw-LdST8O0yvm5JDZp8gSdjXN1rQNTap-TBE1FruFS8K3xO0jIVdl-NCwR5xT_fvu8JTfLrw0gexUhht67GT2fmIBchqvIE5nOZP0vXW70RdDTQv1t6l8NlHP5pphltExOf5tZyU/s640/Untitled.png