
.htpasswd protecting your phpMyAdmin installation (Debian)

Posted by lhe | Posted in Databases, General, Linux (Ubuntu), MySQL, PHP | Posted on 16-03-2010


So you got yourself a LAMP webserver and started hosting some sites on it. Now, for easy access to your databases, you opt for phpMyAdmin.

When installing phpMyAdmin on a Debian system via the synaptic manager (apt-get install phpmyadmin), phpMyAdmin is installed in this folder:

/usr/share/phpmyadmin

You will be able to access your phpMyAdmin via:

http://www.mydomain.com/phpmyadmin

You will notice that you are asked for a username and password. This is great! It means that your database is protected... but what if I want to protect it even more?
What if I would like to add some extra folder protection by using the good old .htpasswd technique?

Well, I looked around for a while but did not find any satisfying solutions. This meant I had to mess around a bit myself and after not too long, success! I had a phpMyAdmin installation where it would first use the .htpasswd protection before bringing me to the phpMyAdmin login page.

How did we do this?

1) create a .htpasswd file in the installation directory (see above). You can use handy .htpasswd generators like this one: http://www.htaccesstools.com/htpasswd-generator/

2) find and edit the phpMyAdmin apache2 config file:

/etc/apache2/conf.d/phpmyadmin.conf

3) add the necessary lines in the conf file to tell Apache2 it should use the .htpasswd file. Below you will find the before and after of the code.

Before:

# phpMyAdmin default Apache configuration

Alias /phpmyadmin /usr/share/phpmyadmin

<Directory /usr/share/phpmyadmin>
        AllowOverride All
        Options Indexes FollowSymLinks
        DirectoryIndex index.php

        # Authorize for setup
        # [...] (rest of the block as shipped)
</Directory>

After:

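# phpMyAdmin default Apache configuration

Alias /phpmyadmin /usr/share/phpmyadmin

<Directory /usr/share/phpmyadmin>
        AllowOverride All
        Options Indexes FollowSymLinks
        DirectoryIndex index.php

        # Added: HTTP Basic auth in front of the phpMyAdmin login page
        AuthType Basic
        AuthName "HaLe MySQL"
        AuthUserFile /usr/share/phpmyadmin/.htpasswd
        Require valid-user

        # Authorize for setup
        # [...] (rest of the block as shipped)
</Directory>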

4) reload your Apache2

sudo /etc/init.d/apache2 reload

5) your phpMyAdmin is now .htpasswd protected!

Cheers
Lajfi
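
A way to check the result of steps 2 to 4, as an added example that is not code from the original post: the hypothetical shell function audit_pma_conf reads a config on stdin and reports whether the <Directory> block for phpMyAdmin carries the auth directives from step 3. It also flags a password file stored inside the served directory, which Apache's authentication documentation advises against; the sample config is constructed from the "after" listing above.

```shell
# Added example (not from the original post). Reads an Apache config on stdin.
# $1 = directory to audit (default: the install path used in the post).
# Only directives placed directly inside that <Directory> block are counted.
audit_pma_conf() {
    awk -v target="${1:-/usr/share/phpmyadmin}" '
        /^[ \t]*#/   { next }                              # comment line
        /^[ \t]*<\// { if (in_dir && depth == dir_depth) in_dir = 0; depth--; next }
        /^[ \t]*</   {                                     # opening section tag
            depth++; path = $2; gsub(/[">]/, "", path)
            if (tolower($1) == "<directory" && path == target) {
                in_dir = found = 1; dir_depth = depth
            }
            next
        }
        in_dir && depth == dir_depth {
            key = tolower($1)
            if (key == "authtype")     type = tolower($2)
            if (key == "authuserfile") { file = $2; gsub(/"/, "", file) }
            if (key == "require")      req = 1
        }
        END {
            if (!found)     { print "no <Directory " target "> block"; exit 1 }
            if (type == "") { print "AuthType missing"; n++ }
            if (file == "") { print "AuthUserFile missing"; n++ }
            if (!req)       { print "Require missing"; n++ }
            if (index(file, target "/") == 1) {
                print "AuthUserFile is inside the served directory"; n++
            }
            exit (n > 0)                                   # 0 = no findings
        }'
}

# Constructed sample: the "after" config from the post.
sample_after() {
    cat <<'EOF'
Alias /phpmyadmin /usr/share/phpmyadmin
<Directory /usr/share/phpmyadmin>
        AllowOverride All
        Options Indexes FollowSymLinks
        DirectoryIndex index.php
        AuthType Basic
        AuthName "HaLe MySQL"
        AuthUserFile /usr/share/phpmyadmin/.htpasswd
        Require valid-user
</Directory>
EOF
}

sample_after | audit_pma_conf || true   # prints the in-tree password file finding
```

On a live system, run it as audit_pma_conf < /etc/apache2/conf.d/phpmyadmin.conf.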

Comments (3)

Cool! Thanks for posting this. It’s not much in the way of ‘security’; but I also changed:

Alias /phpmyadmin /usr/share/phpmyadmin

To:

Alias /random-made-up-stuff /usr/share/phpmyadmin

A little obfuscation doesn’t hurt, either. Of course, if this is intended for multiple users, or frequent use, the inconvenience of remembering http://mywebsite.com/random-made-up-stuff may not be worthwhile.

Hey Troy

Indeed. Obfuscation might not be a bad idea. In our case, the phpmyadmin is used by several people including external ones.
That is why we did not create an alias, but good idea anyway!

thx
Leiv

[...] Quick one – steps to password protect your phpmyadmin on Debian. [...]
