By: cloudnine

Securing phpmyadmin with LetsEncrypt SSL?

February 7, 2018
Apache Security Ubuntu 16.04

This old article on securing phpmyadmin with SSL still does the trick on Ubuntu 14.04 LTS and above.

However, the method in the article has two problems I would like to avoid:

  1. On first access to the SSL-protected phpmyadmin URL, it throws an SSL warning due to the self-generated cert.
  2. 000-default.conf is modified to listen on Port 443 rather than Port 80, so loading the IP address of a droplet redirects to the home page of the first web site hosted on the server (if multiple sites are hosted) or to the only web site hosted on the server, as the case may be.

I would like to resolve these issues by finding a way to use a LetsEncrypt cert rather than a self-generated one for the phpmyadmin URL. I know that LetsEncrypt certs are tied to Apache virtual hosts, but it's not clear to me which is the domain for which I should get a LetsEncrypt cert to have an SSL-protected phpmyadmin URL.

I suppose I could create a vhost for the FQDN of the server and then try to get a LetsEncrypt SSL cert for that FQDN. But it's not clear to me what document root to specify for phpmyadmin within the vhost. Nor is it clear to me what the alias address in /etc/phpmyadmin/apache.conf should be modified to in order to work with this setup.

Does anyone here have any suggestions?

1 Answer

phpMyAdmin is a PHP application that usually runs on Apache, so setting up LetsEncrypt for it is just as easy as with any website. This guide will walk you through configuration and creation of your SSL certificate.

This tutorial will show you how to set up a free TLS/SSL certificate from Let’s Encrypt on an Ubuntu 16.04 server running Apache as the web server. TLS certificates are used within web servers to encrypt the traffic between server and client, providing extra security for users accessing your application.
  • Thanks. I already use LetsEncrypt to secure every Apache virtual host on all my servers; additionally, I have secured phpmyadmin using the .htaccess method outlined in the other D.O tutorial. This, along with adding ForceSSL=true to the phpmyadmin config file means that I can type in https://exampledomain.com/phpmyadmin and get some protection for any virtual host on my droplet.

    However, when I type in http://<dropletipaddress>/phpmyadmin or http://<dropletfqdn>/phpmyadmin, the initial .htaccess pop-up and the subsequent phpmyadmin login screens are all non-https. For whatever reason, developers seem to prefer these URLs to having to remember the specific domain for which they need phpmyadmin.

    So, what I haven't been quite able to figure out is how to tie the server wide phpmyadmin login to a specific Apache vhost and protect it with LetsEncrypt.
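An Apache configuration that ties the server-wide phpmyadmin login to one vhost with a Let's Encrypt cert, and sends the plain-http IP and FQDN URLs from the comment above to it, as an added example rather than config from the thread or the linked tutorial. It assumes the droplet's FQDN is the placeholder db.example.com, that certbot has already issued a certificate for that name, and that phpMyAdmin is the Ubuntu package, so /etc/phpmyadmin/apache.conf is still included globally through conf-enabled and its Alias needs no change.

```apache
# Added example, not from the thread. Assumptions: FQDN db.example.com
# (placeholder), cert already issued with `certbot --apache -d db.example.com`,
# and the package's /etc/phpmyadmin/apache.conf (Alias /phpmyadmin
# /usr/share/phpmyadmin) still enabled globally, so it applies to every vhost.

# /etc/apache2/sites-available/000-default.conf
# Keep this as the first vhost on port 80 (do NOT switch it to 443): it answers
# http://<droplet-ip>/... and any Host header no other vhost claims. The
# redirect is issued before the .htaccess auth prompt, so neither the basic-auth
# dialog nor the phpMyAdmin login form is ever sent over plain HTTP.
<VirtualHost *:80>
    ServerName db.example.com
    # Bare-IP requests for anything else get the stock page from this root
    # instead of the first customer site listed in sites-enabled.
    DocumentRoot /var/www/html
    Redirect permanent /phpmyadmin https://db.example.com/phpmyadmin
</VirtualHost>

# /etc/apache2/sites-available/db.example.com-ssl.conf  (a2enmod ssl; a2ensite)
<VirtualHost *:443>
    ServerName db.example.com
    # The cert is for the FQDN, the only name users need to type; Let's Encrypt
    # does not issue certificates for a bare IP address.
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/db.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/db.example.com/privkey.pem
    # DocumentRoot is irrelevant for phpMyAdmin itself: the global Alias maps
    # /phpmyadmin inside this vhost too, so an empty directory is enough and no
    # other site's content is exposed under this name.
    DocumentRoot /var/www/html
</VirtualHost>

# Checks after `apachectl configtest && systemctl reload apache2`:
#   curl -sI http://<droplet-ip>/phpmyadmin | grep -i '^location:'
#     expected: Location: https://db.example.com/phpmyadmin
#   curl -sI https://db.example.com/phpmyadmin/
#     expected: HTTP/1.1 401 (the .htaccess prompt, now only ever over TLS)
```

Because the redirect only covers /phpmyadmin, certbot's HTTP-01 challenge under /.well-known/acme-challenge/ on port 80 keeps working for renewals.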
