Phpmyadmin SSL
I've installed phpmyadmin by using linode's tutorial and worked fine. But there's one step I can't figure out:
Force SSL
By adding $cfg['ForceSSL'] = 'true'; in /etc/phpmyadmin/config.inc.php
Once I do this I can't access mydomain.com/phpmyadmin anymore. The article refers to
My question: Should I add this line $cfg['ForceSSL'] = 'true'; for security? If so how can I make SSL work?
Many Thanks
Rob
4 Replies
It's a popular attack vector, and there are client-side tools that are better, have minimal resource impact, and are way more secure.
@vonskippy:
Search on "phpmyadmin" on this forum and you will find many many many posts advising you NOT to use phpmyadmin.
It's a popular attack vector, and there are client-side tools that are better, have minimal resource impact, and are way more secure.
I think I disabled it now by using the command chmod 000 /usr/share/phpmyadmin. Is that secure enough to disable phpmyadmin this way?
I used it to manage users more easily, got a bit lost with commands.
Thanks
Unlike some, I don't consider phpmyadmin to be the devil, but would not recommend exposing it to the whole world either. The Linode guide covers this in "Preparing Your Apache Configuration"; the .htaccess file contains:
Order allow,deny
Allow from 127.0.0.0/8 ::1
If you're using Apache 2.4 (as on Ubuntu 14.04), use the new configuration syntax instead:
Require local
This will only permit connections to phpmyadmin from your Linode. (You should verify this by trying to connect from your home machine; you should receive a 403 Forbidden error.)
So how do you connect from your Linode? You connect from home to your Linode via ssh, and set up port forwarding. For example, connect using:
ssh -L 8080:localhost:80 user@your.linode
Then you can visit the symbolic link you set up through that forwarded port.
Because the ssh traffic is encrypted, there is no need to set up SSL for this or set ForceSSL, although you can certainly do so.
Note that in this scenario, anyone who can get a shell on your machine can access phpmyadmin (although they will still need a MySQL username and password to access databases). Of course, those people could just run the mysql client from the command line too. The linchpin of security in this configuration is the restriction in the .htaccess file, so you must get it correct and verify it is working as intended.
You could also use a local client like MySQL Workbench, but these require you to either expose MySQL to the internet (about as bad an idea as making phpmyadmin visible to the world) or set up port forwarding over ssh (supposedly MySQL Workbench will do this for you; don't know about other clients).
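The restriction-plus-tunnel setup described in the reply above, as an added example script that is not part of the thread or of the Linode guide. It picks the access rules matching the installed Apache version, writes them to the .htaccess path assumed here (/usr/share/phpmyadmin/.htaccess, which the guide's Apache configuration must allow to override access settings), and checks from the Linode itself that the public URL now returns 403. The hostname your.linode and user are placeholders from the reply. The tunnel works with these rules because the forwarded request arrives at Apache from 127.0.0.1, which both the 2.2 and 2.4 rule sets permit.

```shell
#!/bin/sh
# Added example (not the guide's or the thread's own code): lock phpMyAdmin
# down to local connections and verify that outsiders are refused.
# Assumed path: /usr/share/phpmyadmin/.htaccess (AllowOverride must permit it).
set -e

# Emit the access rules for a given Apache major.minor version:
# Apache 2.4 uses "Require local"; older releases use Order/Allow.
pma_access_rules() {
    case "$1" in
        2.4*) printf 'Require local\n' ;;
        *)    printf 'Order allow,deny\nAllow from 127.0.0.0/8 ::1\n' ;;
    esac
}

# Detect the installed Apache version as "major.minor", e.g. "2.4".
apache_version() {
    apache2 -v 2>/dev/null \
        | sed -n 's/^Server version: Apache\/\([0-9]*\.[0-9]*\).*/\1/p'
}

# Write the rules, check the configuration parses, and reload Apache.
install_rules() {
    pma_access_rules "$(apache_version)" > /usr/share/phpmyadmin/.htaccess
    apache2ctl configtest
    service apache2 reload
}

# Succeed only when the public URL is refused with 403, which is the
# verification step the reply asks for. $1 is the public hostname.
check_blocked() {
    status=$(curl -s -o /dev/null -w '%{http_code}' "http://$1/phpmyadmin/")
    [ "$status" = "403" ]
}

# Usage on the Linode (placeholder hostname):
#   install_rules && check_blocked your.linode && echo "public access refused"
# Then, from home, open the tunnel and browse http://localhost:8080/phpmyadmin/ :
#   ssh -L 8080:localhost:80 user@your.linode
```

Run check_blocked from a machine other than the Linode too, since a request from the Linode itself to its own public address may still originate from a local interface on some setups; the reply's advice to test from your home machine is the definitive check.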
@Vance:
You could also use a local client like MySQL Workbench, but these require you to either expose MySQL to the internet (about as bad an idea as making phpmyadmin visible to the world) or set up port forwarding over ssh (supposedly MySQL Workbench will do this for you; don't know about other clients).
I used to use phpMyAdmin all the time and it was exposed to the world. It did make me nervous so I started looking at MySQL Workbench. I found it to be a great tool. You don't need to expose MySQL to the world for it to work. When you create a connection in Workbench you can specify all of your SSH connection information along with your MySQL username and password and it will connect via SSH and setup everything for you. You can use both password and key based authentication (obviously key is preferred).
phpMyAdmin is a nice tool and it is easy to use. I have to give the developers credit but I did switch to Workbench in the end. Any of my other clients that wish to use MySQL are required to do the same.