How to Secure phpMyAdmin? Tunneling?
The awesome people in irc told me to use SSL. I tried that and was able to get SSL running, but I couldn't seem to find any directions / tutorials that went from start to finish with configuring it to work specifically with phpMyAdmin only (it required https for all sites).
I came across a lot of people suggesting SSH tunneling. Unfortunately all google results for phpMyAdmin and ssh tunneling didn't seem to work. Either files weren't where they said they were, or the commands didn't seem to work.
Tunneling seems like to way to go… but I can't find documentation that works. I'm a noob, so it has to be step-by-step. Any ideas?
Edit: Would it be an option to install phpMyAdmin, add the database and user privileges I need, then remove phpMyAdmin. I tried that, and it seems to work… but obviously this isn't a "good" fix.
– Make Apache listen on 127.0.0.1:80 (or any other port)
-- Add a virtualhost to 127.0.0.1:80, put phpmyadmin on it
-- In SSH/PuTTY, forward local port 8080 (or any other port) to remote port 80 (ssh -L 8080:localhost:80)
-- Log in to the server
-- While logged in, point your web browser at
-- Enjoy your secure connection
2) Quick fix without any fancy stuff
-- Create an .htaccess file in your phpmyadmin directory with the following content:
allow from 22.214.171.124
deny from all
(Replace 126.96.36.199 with your IP address)
> I couldn't seem to find any directions / tutorials that went from start to finish with configuring it to work specifically with phpMyAdmin only (it required https for all sites).
I don't have specifics for you - especially since I don't use Apache2 - but this is doable. Set up your website as normal, with say a DocumentRoot of /var/www. Then set up a folder outside of this root, say /var/www-ssl, and installed phpMyAdmin to there. In your Apache config, around where you define the SSL listener (something like 207.xxx.yyy.zzz:443 iirc), point it at the different DocumentRoot there. Then, only phpma will be accessible over https, and everything else will be accessible over http. (You can create symlinks from /var/www-ssl/foo to /var/www/foo if you want some things to be accessible over both).
Alias /pma/ "/usr/share/phpmyadmin/" <directory "="" usr="" share="" phpmyadmin="">Options Indexes MultiViews FollowSymLinks AllowOverride None Order allow,deny # Only allow access to phpMyAdmin from localhost Allow from 127.0.0.1</directory>
This only allows access to
Edit: another limitation is that if you are using virtual hosts, this only works for the first (default) one. That is, the one you would reach if you surfed to the machine's IP address (e.g.,
<virtualhost yourip:443="">ServerName yourdomain.com DocumentRoot /var/www/ ... ### Hide phpmyadmin Alias /phpmyadmin /var/www/ Alias /atopsecretfoldername /var/www/phpmyadmin/ ... SSLSTUFF...</virtualhost>
It's weak; but watch your logs, I bet no one ever looks for any files in atopsecretfoldername. It's bullet-proof right?
It's the easiest thing I came up with and I've yet to get any hits in it except me. You can log in from any computer, no extra username/passwords to enter.
Hope it helps.
My site has its administrative interface running over SSL, and mod-auth-shadow. This allows passwords to not be passed in clear text, and me to control access based on local system accounts.