View All Products
Compute
Storage
Databases
Networking
Developer Tools
Delivery
Security
Services
Industries
Pricing
Community
Engage With Us
Community Questions phpMyAdmin and VirtualHosts - 403 Forbidden
Log in to Ask a Question

phpMyAdmin and VirtualHosts - 403 Forbidden

403 virtual-hosts phpmyadmin forbidden

I'm mostly coming from a FreeBSD background. After plenty of research, I chose Debian Lenny as my base when signing up for Linode a week or so ago. I've got Apache, php5 (fcgid), mysql, postfix and dovecot all set up and working great.

I've set up some VirtualHosts for a few domains I own. These are all working in Apache as well as Postfix and Dovecot. The only part that I am having trouble with is phpMyAdmin. For the life of me, I can't get this to work and I don't want to hack around at it to the point where I could be compromising my node…so thought I might ask here.

All of my virtual hosts are located under /srv/www. My phpmyadmin is located in the default /usr/share/phpmyadmin. I've tried adding Aliases to VirtualHost directives, symbolic links from virtual host directories, chowning the phpmyadmin directory to several users (including www-data), chmoding the phpmyadmin with 777, etc…all with no luck. When I load up http://www.mynewdomain.com/phpmyadmin - 403 Forbidden "You do not have permission to access /phpmyadmin/index.

php on this server". Every time. :? PHP (mod_fcgid) works great in all of my virtual hosts so I'm pretty sure PHP isn't the problem. I've tried restarting Apache as well as rebooting my server after each change. /etc/hosts is fine. Grrrrrr!

Anyone else experiencing this problem? A workaround or fix would be great…I am stumped and this is one of my last hurdles before I can fully switch to Linode from another host.

Thank you for any help you can provide!

7 Replies

Do you have FollowSymlinks enabled for your vhosts?

You may want to look into the Order, Allow, and Deny directives in your Apache site config. The following works for me:

    Alias /pma/ "/usr/share/phpmyadmin/"
    <directory "="" usr="" share="" phpmyadmin="">Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order allow,deny
# Only allow access to phpMyAdmin from localhost
        Allow from 127.0.0.1</directory>

(Note that I only allow connections from localhost; when I want to use phpMyAdmin I do so via an ssh tunnel. You may desire a different setup.)

I don't think anything other than read and execute permission is needed on the directory containing the phpmyadmin files (Apache runs as user www-data):

drwxr-xr-x 8 root root 12288 Jul 19 03:02 /usr/share/phpmyadmin

@freedomischaos:

Do you have FollowSymlinks enabled for your vhosts?

Yes, I've tried that at both the apache2.conf, the "default" site config and vhost config file levels as well as in directives at all levels. FollowSymLinks seems to be a common fix for this but I'm fairly certain I've eliminated that as a possibility. And on Debian at least, the phpmyadmin.conf written to /etc/apache2/conf.d seems to have anticipated this and added a correction for it out-of-the-box.

I have the feeling this has something to do with permissions but I'm unsure of what to fix. Something with mod_fcgid? But the mode on /usr/share/phpmyadmin is 444 which should be sufficient for any process (?).

I'm stumped. Thank you for the suggestion! Any other ideas?

@Vance:

You may want to look into the Order, Allow, and Deny directives in your Apache site config. The following works for me:

    Alias /pma/ "/usr/share/phpmyadmin/"
    <directory "="" usr="" share="" phpmyadmin="">Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order allow,deny
# Only allow access to phpMyAdmin from localhost
        Allow from 127.0.0.1</directory>

(Note that I only allow connections from localhost; when I want to use phpMyAdmin I do so via an ssh tunnel. You may desire a different setup.)

I don't think anything other than read and execute permission is needed on the directory containing the phpmyadmin files (Apache runs as user www-data):

drwxr-xr-x 8 root root 12288 Jul 19 03:02 /usr/share/phpmyadmin

I did try adding the above to /etc/apache2/conf.d/phpmyadmin.conf (which is included from /etc/apache2/apache2.conf) but it still wants to 403 on me.

For the 777 on /usr/share/phpmyadmin, yes I did remove that after it didn't make a difference…just a test. It's 444 and root:root as it was after initial install.

For the directives above…can you tell me where you added those? Perhaps I haven't tried those in the right place? I've tried them in my "default" site, the virtual host site configs and the phpmyadmin.conf so far.

@pjh:

@Vance:

You may want to look into the Order, Allow, and Deny directives in your Apache site config. The following works for me:

    Alias /pma/ "/usr/share/phpmyadmin/"
    <directory "="" usr="" share="" phpmyadmin="">Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order allow,deny
# Only allow access to phpMyAdmin from localhost
        Allow from 127.0.0.1</directory>

(Note that I only allow connections from localhost; when I want to use phpMyAdmin I do so via an ssh tunnel. You may desire a different setup.)

I don't think anything other than read and execute permission is needed on the directory containing the phpmyadmin files (Apache runs as user www-data):

drwxr-xr-x 8 root root 12288 Jul 19 03:02 /usr/share/phpmyadmin

I did try adding the above to /etc/apache2/conf.d/phpmyadmin.conf (which is included from /etc/apache2/apache2.conf) but it still wants to 403 on me.

For the 777 on /usr/share/phpmyadmin, yes I did remove that after it didn't make a difference…just a test. It's 444 and root:root as it was after initial install.

For the directives above…can you tell me where you added those? Perhaps I haven't tried those in the right place? I've tried them in my "default" site, the virtual host site configs and the phpmyadmin.conf so far.

Vance: I noted the trailing "/" in the line "Alias /pma/ […]" from your post. My phpmyadmin.conf file (installed by the phpmyadmin package) did not have this trailing slash, it just had "Alias /phpmyadmin […]". When I added that trailing slash, it now gives me a directory listing of /usr/share/phpmyadmin (no 403). If I add "index.php" on the end, now it gives me a 404.

So it's not permissions…? Perhaps a path problem??

What I posted is within a VirtualHost directive in a file included by the main Apache conf. (On Ubuntu, which I'm using, the main conf is /etc/apache2/apache2.conf which includes everything in /etc/apache2/sites-enabled/, which in turn are symlinks to files in /etc/apache2/sites-available/.)

Sounds like you've implemented this properly and got the permissions problem licked, but for some reason it's not picking up index.php. Not sure what the cause might be, it just worked for me (I'm using php5_module, not any CGI method).

Hmm, looks like the DirectoryIndex directive may be one to look for. The following appears in /etc/apache2/mods-enabled/dir.conf (included by the main conf in a way similar to the description above) on my Linode:

 <ifmodule mod_dir.c="">DirectoryIndex index.html index.cgi index.pl index.php index.xhtml index.htm</ifmodule>

Finally got this figured out. The Alias /phpmyadmin/ /usr/share/phpmyadmin/ in /etc/apache2/conf.d/phpmyadmin.conf is more or less meaningless. I'm not sure if that is a product of filesystem security or virtual path collisions or a combination of both. However, adding a symbolic link of ln -s /usr/share/phpmyadmin /srv/www//html (which is my virtual host directory structure) works. I'd tried this before but perhaps was too impatient as it seems it took an apache2 restart (for a file system change??) and several browser refreshes for this to "take effect" (and, yep, I've always had "FollowSymLinks" in my configs). Lord. So now it works. Any vhost with this link can use the phpmyadmin.

If anyone is curious or has this problem, here is how I set up my Apache topology (Debian Lenny) with Virtual Hosts, PHP5, fcgid and phpMyAdmin (assuming you have already installed mysql-server successfully):

Software installation:

apt-get install apache2 libapache2-mod-fcgid php5-cgi php5-common php5-gd php5-mysql phpmyadmin

Post-install Virtual Hosts setup:

Create filesystem topology

mkdir -p /srv/www/default/html
mkdir -p /srv/www/default/logs
mkdir -p /srv/www/<domain_name1>/html
mkdir -p /srv/www/<domain_name1>/logs
mkdir -p /srv/www/<domain_name2>/html
mkdir -p /srv/www/<domain_name2>/logs</domain_name2></domain_name2></domain_name1></domain_name1>

etc…for each domain you want to host as a virtual host

fcgid setup:

Configure fcgid (a faster alternative to mod_php5)

rm /etc/apache2/mods-available/fcgid.conf
vi /etc/apache2/mods-available/fcgid.conf

 <ifmodule mod_fcgid.c="">MaxRequestsPerProcess 500
    AddHandler fcgid-script .php .fcgi
    AddHandler cgi-script .cgi .pl
    FCGIWrapper "/usr/bin/php-cgi" .php</ifmodule>

Virtual Hosts configuration setup:

Configure the "default" Virtual Host (http://)

rm /etc/apache2/sites-available/default
vi /etc/apache2/sites-availabe/default

 <virtualhost *:80="">ServerAdmin <you>@ <yourdomain.tld>DocumentRoot /srv/www/default/html/
        <directory>Options Indexes FollowSymLinks ExecCGI
                AllowOverride None</directory> 

        ErrorLog /srv/www/default/logs/error.log
        LogLevel warn
        CustomLog /srv/www/default/logs/access.log combined</yourdomain.tld></you></virtualhost>

Configure other Virtual Hosts (http://www.) - add one of these for each domain you want to host; I will put both and here for illustrative purposes as they are referenced above.

vi /etc/apache2/sites-availabe/ <domain_name1><virtualhost *:80="">ServerAdmin <you>@ <yourdomain>ServerName <domain_name1>ServerAlias www. <domain_name1>DocumentRoot /srv/www/<domain_name1>/html/
        <directory>Options Indexes FollowSymLinks ExecCGI
                AllowOverride None</directory> 

        ErrorLog /srv/www/<domain_name1>/logs/error.log
        LogLevel warn
        CustomLog /srv/www/<domain_name1>/logs/access.log combined</domain_name1></domain_name1></domain_name1></domain_name1></domain_name1></yourdomain></you></virtualhost> 

a2ensite <domain_name1></domain_name1></domain_name1> 

vi /etc/apache2/sites-availabe/ <domain_name2><virtualhost *:80="">ServerAdmin <you>@ <yourdomain>ServerName <domain_name2>ServerAlias www. <domain_name2>DocumentRoot /srv/www/<domain_name2>/html/
        <directory>Options Indexes FollowSymLinks ExecCGI
                AllowOverride None</directory> 

        ErrorLog /srv/www/<domain_name2>/logs/error.log
        LogLevel warn
        CustomLog /srv/www/<domain_name2>/logs/access.log combined</domain_name2></domain_name2></domain_name2></domain_name2></domain_name2></yourdomain></you></virtualhost> 

a2ensite <domain_name2></domain_name2></domain_name2>

phpMyAdmin post-configure setup:

ln -s /usr/share/phpmyadmin /srv/www/default/html

(I set up my default as the only site with access to phpMyAdmin)

Restart Apache:

/etc/init.d/apache2 restart

I'm glad this is fixed and hope this helps others.

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Log in to Reply
Community Code of Conduct