Saturday, 17 December 2011 07:20
These instructions were perfomed on an Ubuntu 11.10 machine via SSH.
So, I was messing around with phpMyAdmin and noticed the directory
/usr/share/phpmyadmin/setup. I browse to
http://mydomainname.com/
and it immediately asks for credentials to login. First, phpMyAdmin
has already been setup...why leave the setup directory on the server
when it's not needed?
I then delete the setup folder from /usr/share/phpmyadmin/setup
sudo rm -rf /usr/share/phpmyadmin/setup
Now, by default you can simply just access the web interface of
phpMyAdmin by browsing to http://mydomainname.com/
I want this directory on my server to have an extra layer of
protection. I know that you have to login to the phpMyAdmin interface
first, but I'm a security conscience guy. Why not have more security
added when you can?
We will take a look at the phpMyAdmin default Apache configuration file.
I browse to the directory /etc/phpmyadmin and take a look at the file
apache.conf
Here is the output of apache.conf:
# phpMyAdmin default Apache configuration
Alias /phpmyadmin /usr/share/phpmyadmin
Options FollowSymLinks
DirectoryIndex index.php
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc Off
php_flag track_vars On
php_flag register_globals Off
php_admin_flag allow_url_fopen Off
php_value include_path .
php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp
php_admin_value open_basedir
/usr/share/phpmyadmin/:/etc/
# Authorize for setup
AuthType Basic
AuthName "phpMyAdmin Setup"
AuthUserFile /etc/phpmyadmin/htpasswd.setup
Require valid-user
# Disallow web access to directories that don't need it
Order Deny,Allow
Deny from All
Order Deny,Allow
Deny from All
Ok, so what I'm going to try and accomplish here is load the module
"mod_authn_file.c" (this is like adding a .htacess file into the
/usr/share/phpmyadmin directory)
Here is my edited /etc/phpmyadmin/apache.conf file:
Note: If you notice I have added lines starting below "DirectoryIndex index.php"
In the line "AuthUserFile /data/user-access/.htpasswd" this is where
my default .htpasswd file is for my .htaccess files. If you want to
see how this works and is setup check out the article here:
https://codersresource.com/linux/web-server/controlling-directory-access-with-an-htaccess-file
I also commented out all the lines under the "Authorize setup" section
(no need for it)
# phpMyAdmin default Apache configuration
Alias /phpmyadmin /usr/share/phpmyadmin
Options FollowSymLinks
DirectoryIndex index.php
AuthType Basic
AuthName "Restricted Access!"
AuthUserFile /data/user-access/.htpasswd
Require valid-user
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc Off
php_flag track_vars On
php_flag register_globals Off
php_admin_flag allow_url_fopen Off
php_value include_path .
php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp
php_admin_value open_basedir
/usr/share/phpmyadmin/:/etc/
# Authorize for setup
#
#
# AuthType Basic
# AuthName "phpMyAdmin Setup"
# AuthUserFile /etc/phpmyadmin/htpasswd.setup
#
# Require valid-user
#
# Disallow web access to directories that don't need it
Order Deny,Allow
Deny from All
Order Deny,Allow
Deny from All
After you have made the changes above, save the file. Then restart Apache:
sudo /etc/init.d/apache2 restartf
Now if you browse to http://mydomainname.com/
prompt you for a username and password...just an extra layer of
security ;)