Tutorial

How To Install and Secure phpMyAdmin with Apache on a CentOS 7 Server

Published on August 7, 2014
How To Install and Secure phpMyAdmin with Apache on a CentOS 7 Server
Not using CentOS 7?Choose a different version or distribution.
CentOS 7

Introduction

Relational database management systems like MySQL and MariaDB are needed for a significant portion of web sites and applications. However, not all users feel comfortable administering their data from the command line.

To solve this problem, a project called phpMyAdmin was created in order to offer an alternative in the form of a web-based management interface. In this guide, we will demonstrate how to install and secure a phpMyAdmin configuration on a CentOS 7 server. We will build this setup on top of the Apache web server, the most popular web server in the world.

Prerequisites

Before we begin, there are a few requirements that need to be settled.

To ensure that you have a solid base to build this system upon, you should run through our initial server setup guide for CentOS 7. Among other things, this will walk you through setting up a non-root user with sudo access for administrative commands.

The second prerequisite that must be fulfilled in order to start on this guide is to install a LAMP (Linux, Apache, MariaDB, and PHP) stack on your CentOS 7 server. This is the platform that we will use to serve our phpMyAdmin interface (MariaDB is also the database management software that we are wishing to manage). If you do not yet have a LAMP installation on your server, follow our tutorial on installing LAMP on CentOS 7.

When your server is in a properly functioning state after following these guides, you can continue on with the rest of this page.

Step One — Install phpMyAdmin

With our LAMP platform already in place, we can begin right away with installing the phpMyAdmin software. Unfortunately, phpMyAdmin is not available in CentOS 7’s default repository.

To get the packages we need, we’ll have to add an additional repo to our system. The EPEL repo (Extra Packages for Enterprise Linux) contains many additional packages, including the phpMyAdmin package we are looking for.

The EPEL repository can be made available to your server by installing a special package called epel-release. This will reconfigure your repository list and give you access to the EPEL packages.

To install, just type:

sudo yum install epel-release

Now that the EPEL repo is configured, you can install the phpMyAdmin package using the yum packaging system by typing:

sudo yum install phpmyadmin

The installation will now complete. The installation included an Apache configuration file that has already been put into place. We will need to modify this a bit to get it to work correctly for our installation.

Open the file in your text editor now so that we can make a few changes:

sudo nano /etc/httpd/conf.d/phpMyAdmin.conf

Inside, we see some directory blocks with some conditional logic to explain the access policy for our directory. There are two distinct directories that are defined, and within these, configurations that will be valid for both Apache 2.2 and Apache 2.4 (which we are running).

Currently, this setup is configured to deny access to any connection not being made from the server itself. Since we are working on our server remotely, we need to modify some lines to specify the IP address of your home connection.

Change any lines that read Require ip 127.0.0.1 or Allow from 127.0.0.1 to refer to your home connection’s IP address. If you need help finding the IP address of your home connection, check out the next section. There should be four locations in the file that must be changed:

. . .
Require ip your_workstation_IP_address
. . .
Allow from your_workstation_IP_address
. . .
Require ip your_workstation_IP_address
. . .
Allow from your_workstation_IP_address
. . .

When you are finished, restart the Apache web server to implement your modifications by typing:

sudo systemctl restart httpd.service

With that, our phpMyAdmin installation is now operational. To access the interface, go to your server’s domain name or public IP address followed by /phpMyAdmin, in your web browser:

http://server_domain_or_IP/phpMyAdmin

phpMyAdmin login screen

To sign in, use a username/password pair of a valid MariaDB user. The root user and the MariaDB administrative password is a good choice to get started. You will then be able to access the administrative interface:

phpMyAdmin admin interface

Find Your IP Address

You will need to know the IP address of the computer you are using to access your databases in order to complete the step above. This is a security precaution so that unauthorized people cannot connect to your server.

Note: This is not the IP address of your VPS, it is the IP address of your home or work computer.

You can find out how the greater web sees your IP address by visiting one of these sites in your web browser:

Compare a few different sites and make sure they all give you the same value. Use this value in the configuration file above.

Step Two — Secure your phpMyAdmin Instance

The phpMyAdmin instance installed on our server should be completely usable at this point. However, by installing a web interface, we have exposed our MySQL system to the outside world.

Even with the included authentication screen, this is quite a problem. Because of phpMyAdmin’s popularity combined with the large amount of data it provides access to, installations like these are common targets for attackers.

We will implement two simple strategies to lessen the chances of our installation being targeted and compromised. We will change the location of the interface from /phpMyAdmin to something else to sidestep some of the automated bot brute-force attempts. We will also create an additional, web server-level authentication gateway that must be passed before even getting to the phpMyAdmin login screen.

Changing the Application’s Access Location

In order for our Apache web server to work with phpMyAdmin, our phpMyAdmin Apache configuration file uses an alias to point to the directory location of the files.

To change the URL where our phpMyAdmin interface can be accessed, we simply need to rename the alias. Open the phpMyAdmin Apache configuration file now:

sudo nano /etc/httpd/conf.d/phpMyAdmin.conf

Toward the top of the file, you will see two lines that look like this:

Alias /phpMyAdmin /usr/share/phpMyAdmin
Alias /phpmyadmin /usr/share/phpMyAdmin

These two lines are our aliases, which means that if we access our site’s domain name or IP address, followed by either /phpMyAdmin or /phpmyadmin, we will be served the content at /usr/share/phpMyAdmin.

We want to disable these specific aliases since they are heavily targeted by bots and malicious users. Instead, we should decide on our own alias. It should be easy to remember, but not easy to guess. It shouldn’t indicate the purpose of the URL location. In our case, we’ll go with /nothingtosee.

To apply our intended changes, we should remove or comment out the existing lines and add our own:

# Alias /phpMyAdmin /usr/share/phpMyAdmin
# Alias /phpmyadmin /usr/share/phpMyAdmin
Alias /nothingtosee /usr/share/phpMyAdmin

When you are finished, save and close the file.

To implement the changes, restart the web service:

sudo systemctl restart httpd.service

Now, if you go to the previous location of your phpMyAdmin installation, you will get a 404 error:

http://server_domain_or_IP/phpMyAdmin

phpMyAdmin 404 error

However, your phpMyAdmin interface will be available at the new location we selected:

http://server_domain_or_IP/nothingtosee

phpMyAdmin login screen

Setting up a Web Server Authentication Gate

The next feature we wanted for our installation was an authentication prompt that a user would be required to pass before ever seeing the phpMyAdmin login screen.

Fortunately, most web servers, including Apache, provide this capability natively. We will just need to modify our Apache configuration file to use an authorization file.

Open the phpMyAdmin Apache configuration file in your text editor again:

sudo nano /etc/httpd/conf.d/phpMyAdmin.conf

Within the /usr/share/phpMyAdmin directory block, but outside of any of the blocks inside, we need to add an override directive. It will look like this:

. . .
<Directory /usr/share/phpMyAdmin/>
   AllowOverride All
   <IfModule mod_authz_core.c>
   . . .
</Directory>
. . .

This will allow us to specify additional configuration details in a file called .htaccess located within the phpMyAdmin directory itself. We will use this file to set up our password authentication.

Save and close the file when you are finished.

Restart the web service to implement this change:

sudo systemctl restart httpd.service

Create an .htaccess File

Now that we have the override directive in our configuration, Apache will look for a file called .htaccess within the /usr/share/phpMyAdmin directory. If it finds one, it will use the directives contained within to supplement its previous configuration data.

Our next step is to create the .htaccess file within that directory. Use your text editor to do so now:

sudo nano /usr/share/phpMyAdmin/.htaccess

Within this file, we need to enter the following information:

AuthType Basic
AuthName "Admin Login"
AuthUserFile /etc/httpd/pma_pass
Require valid-user

Let’s go over what each of these lines mean:

  • AuthType Basic: This line specifies the authentication type that we are implementing. This type will implement password authentication using a password file.
  • AuthName: This sets the message for the authentication dialog box. You should keep this generic so that unauthorized users won’t gain knowledge about what is being protected.
  • AuthUserFile: This sets the location of the actual password file that will be used for authentication. This should be outside of the directories that are being served. We will create this file in a moment.
  • Require valid-user: This specifies that only authenticated users should be given access to this resource. This is what actually stops unauthorized users from entering.

When you are finished entering this information, save and close the file.

Create the Password File for Authentication

Now that we have specified the location for our password file through the use of the AuthUserFile directive in our .htaccess file, we need to create and populate the password file.

This can be accomplished through the use of an Apache utility called htpasswd. We invoke the command by passing it the location where we would like to create the file and the username we would like to enter authentication details for:

sudo htpasswd -c /etc/httpd/pma_pass username

The -c flag indicates that this will create an initial file. The directory location is the path and filename that will be used for the file. The username is the first user we would like to add. You will be prompted to enter and confirm a password for the user.

If you want to add additional users to authenticate, you can call the same command again without the -c flag, and with a new username:

sudo htpasswd /etc/httpd/pma_pass seconduser

With our password file created, an authentication gateway has been implemented and we should now see a password prompt the next time we visit our site:

http://server_domain_or_IP/nothingtosee

Apache authentication page

Once you enter your credentials, you will be taken to the normal phpMyAdmin login page. This added layer of protection will help keep your MySQL logs clean of authentication attempts in addition to the added security benefit.

Conclusion

You can now manage your MySQL databases from a reasonably secure web interface. This UI exposes most of the functionality that is available from the MySQL command prompt. You can view databases and schema, execute queries, and create new data sets and structures.

Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.

Learn more about our products

About the authors

Still looking for an answer?

Ask a questionSearch for more help

Was this helpful?
 
10 Comments


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

fyi - ran this

yum clean all

and was able to install php-tidy

The problem is php 5.5, you should downgrade to php 5.4 and then it will work

I’m getting errors, do you have any ideas what I can do?

Error: Package: php-tcpdf-6.0.089-1.el6.noarch (epel)
          Requires: php-tidy
Error: Package: php-mbstring-5.4.16-23.el7_0.x86_64 (updates)
          Requires: php-common(x86-64) = 5.4.16-23.el7_0
          Installed: php-common-5.5.15-1.el7.remi.x86_64 (@remi-php55)
              php-common(x86-64) = 5.5.15-1.el7.remi
          Available: php-common-5.4.16-21.el7.x86_64 (base)
              php-common(x86-64) = 5.4.16-21.el7
          Available: php-common-5.4.16-23.el7_0.x86_64 (updates)
              php-common(x86-64) = 5.4.16-23.el7_0
Error: Package: php-mcrypt-5.3.3-3.el6.x86_64 (epel)
          Requires: php(api) = 20090626
          Installed: php-common-5.5.15-1.el7.remi.x86_64 (@remi-php55)
              php(api) = 20121113-64
          Available: php-common-5.4.16-21.el7.x86_64 (base)
              php(api) = 20100412-64
          Available: php-common-5.4.16-23.el7_0.x86_64 (updates)
              php(api) = 20100412-64
Error: Package: php-bcmath-5.4.16-23.el7_0.x86_64 (updates)
          Requires: php-common(x86-64) = 5.4.16-23.el7_0
          Installed: php-common-5.5.15-1.el7.remi.x86_64 (@remi-php55)
              php-common(x86-64) = 5.5.15-1.el7.remi
          Available: php-common-5.4.16-21.el7.x86_64 (base)
              php-common(x86-64) = 5.4.16-21.el7
          Available: php-common-5.4.16-23.el7_0.x86_64 (updates)
              php-common(x86-64) = 5.4.16-23.el7_0
Error: Package: php-pdo-5.4.16-23.el7_0.x86_64 (updates)
          Requires: php-common(x86-64) = 5.4.16-23.el7_0
          Installed: php-common-5.5.15-1.el7.remi.x86_64 (@remi-php55)
              php-common(x86-64) = 5.5.15-1.el7.remi
          Available: php-common-5.4.16-21.el7.x86_64 (base)
              php-common(x86-64) = 5.4.16-21.el7
          Available: php-common-5.4.16-23.el7_0.x86_64 (updates)
              php-common(x86-64) = 5.4.16-23.el7_0
Error: Package: php-mcrypt-5.3.3-3.el6.x86_64 (epel)
          Requires: php(zend-abi) = 20090626
          Installed: php-common-5.5.15-1.el7.remi.x86_64 (@remi-php55)
              php(zend-abi) = 20121212-64
          Available: php-common-5.4.16-21.el7.x86_64 (base)
              php(zend-abi) = 20100525-64
          Available: php-common-5.4.16-23.el7_0.x86_64 (updates)
              php(zend-abi) = 20100525-64
Error: Package: php-gd-5.4.16-23.el7_0.x86_64 (updates)
          Requires: php-common(x86-64) = 5.4.16-23.el7_0
          Installed: php-common-5.5.15-1.el7.remi.x86_64 (@remi-php55)
              php-common(x86-64) = 5.5.15-1.el7.remi
          Available: php-common-5.4.16-21.el7.x86_64 (base)
              php-common(x86-64) = 5.4.16-21.el7
          Available: php-common-5.4.16-23.el7_0.x86_64 (updates)
              php-common(x86-64) = 5.4.16-23.el7_0

Thanks for sharing. But I check my Public IP Address on What is my IP

Very good tutorial! Explanations really much appreciated! Thx!

My system details are CentOS Linux release 7.3.1611 PHP 5.4.16 (cli) (built: Nov 6 2016 00:29:02)

After installing phpMyAdmin, I see php code whenever I try to open the http://MY_IP/phpMyAdmin. After looking at /usr/share/phpMyAdmin/index.php, I found that the code shown in browser is after first occurrence of ‘->’ inside index.php file.

How to fix errors: 1 “/etc/httpd/conf.d/phpmyadmin.conf” blank file 2 How to install nano that was not taught in the tutorial 3 Error 403 when accessing: xxx.xxx.xx / phpmyadmin

Resolution:

  1. If you do not want to get your hands dirty recommend reinstalling the program or even recover the vps image before installation and do the procedure below that will work.

After hours of searching, that what worked for me: Edit the file: // phpMyAdmin.conf But before install nano!

sudo nano /etc/httpd/conf.d/phpMyAdmin.conf

the two parts of the top of the file:

<Directory /usr/share/phpMyAdmin/> AddDefaultCharset UTF-8

<IfModule mod_authz_core.c> # Apache 2.4 <RequireAny> #Require ip 127.0.0.1 #Require ip ::1 Require all granted </RequireAny> </IfModule> <IfModule !mod_authz_core.c> # Apache 2.2 Order Deny,Allow Deny from All Allow from 127.0.0.1 Allow from ::1 </IfModule> </Directory>

Now presione Ctrl + x, click “y” and hit enter. Already can access normally but is not pos insurance is consedido public aecsso then recommend taking the code “Require all Granted”

  1. Do not try to open the file using the programe vi, make sure to open with the nano. Otherwise the file will be reset and it will be nothing inside.

To install use: sudo yum install nano

  1. When editing the file from step 1 will be possible to access the phpmyadmin

sorry I speak Portuguese, so my English was translated!

I’m sure it took sometime to do this tutorial but I receive a bunch of garbled code instead of the phpMyAdmin login screen and when I add this to the conf file:

<Directory /usr/share/phpMyAdmin/> AllowOverride All <IfModule mod_authz_core.c> . . . </Directory>

I get an apache error.

How to do this on CentOS 7 with OpenLiteSpeed and MariaDB?

Excellent tutorial, easy to follow. Thank you.

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up

Join the Tech Talk
Success! Thank you! Please check your email for further details.

Please complete your information!

Become a contributor for community

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

DigitalOcean Documentation

Full documentation for every DigitalOcean product.

Resources for startups and SMBs

The Wave has everything you need to know about building a business, from raising funding to marketing your product.

Get our newsletter

Stay up to date by signing up for DigitalOcean’s Infrastructure as a Newsletter.

New accounts only. By submitting your email you agree to our Privacy Policy

The developer cloud

Scale up as you grow — whether you're running one virtual machine or ten thousand.

Get started for free

Sign up and get $200 in credit for your first 60 days with DigitalOcean.*

*This promotional offer applies to new accounts only.