Tutorial

How To Install and Secure phpMyAdmin with Nginx on a CentOS 7 Server

Published on August 6, 2014
How To Install and Secure phpMyAdmin with Nginx on a CentOS 7 Server
Not using CentOS 7?Choose a different version or distribution.
CentOS 7

Introduction

Relational database management systems like MySQL and MariaDB are needed for a significant portion of web sites and applications. However, not all users feel comfortable administering their data from the command line.

To solve this problem, a project called phpMyAdmin was created in order to offer an alternative in the form of a web-based management interface. In this guide, we will demonstrate how to install and secure a phpMyAdmin configuration on a CentOS 7 server. We will build this setup on top of the Nginx web server, which has a good performance profile and can handle heavy loads better than some other web servers.

Prerequisites

Before we begin, there are a few requirements that need to be settled.

To ensure that you have a solid base to build this system upon, you should run through our initial server setup guide for CentOS 7. Among other things, this will walk you through setting up a non-root user with sudo access for administrative commands.

The second prerequisite that must be fulfilled in order to start on this guide is to install a LEMP (Linux, Nginx, MariaDB, and PHP) stack on your CentOS 7 server. This is the platform that we will use to serve our phpMyAdmin interface (MariaDB is also the database management software that we are wishing to manage). If you do not yet have a LEMP installation on your server, follow our tutorial on installing LEMP on CentOS 7.

When your server is in a properly functioning state after following these guides, you can continue on with the rest of this page.

Step One — Install phpMyAdmin

With our LEMP platform already in place, we can begin right away with installing the phpMyAdmin software. Unfortunately, phpMyAdmin is not available in CentOS 7’s default repository.

To get the packages we need, we’ll have to add an additional repo to our system. The EPEL repo (Extra Packages for Enterprise Linux) contains many additional packages, including the phpMyAdmin package we are looking for.

Luckily, the procedure for adding the EPEL repository has gotten a lot easier. There is actually a package called epel-release that reconfigures our package manager to use the EPEL repos.

We can install that now by typing:

sudo yum install epel-release

Now that you have access to the EPEL repository, you can install phpMyAdmin through yum:

sudo yum install phpmyadmin

The installation will now complete. For the Nginx web server to find and serve the phpMyAdmin files correctly, we just need to create a symbolic link from the installation files to our Nginx document root directory by typing this:

sudo ln -s /usr/share/phpMyAdmin /usr/share/nginx/html

We should also restart our PHP processor to be sure that it can load the additional PHP modules that we installed:

sudo systemctl restart php-fpm

With that, our phpMyAdmin installation is now operational. To access the interface, go to your server’s domain name or public IP address followed by /phpMyAdmin, in your web browser:

http://server_domain_or_IP/phpMyAdmin

phpMyAdmin login screen

To sign in, use a username/password pair of a valid MariaDB user. The root user and the MariaDB administrative password is a good choice to get started. You will then be able to access the administrative interface:

phpMyAdmin admin interface

Click around to get familiar with the interface. In the next section, we will take steps to secure our new interface.

Step Two — Secure your phpMyAdmin Instance

The phpMyAdmin instance installed on our server should be completely usable at this point. However, by installing a web interface, we have exposed our MySQL system to the outside world.

Even with the included authentication screen, this is quite a problem. Because of phpMyAdmin’s popularity combined with the large amount of data it provides access to, installations like these are common targets for attackers.

We will implement two simple strategies to lessen the chances of our installation being targeted and compromised. We will change the location of the interface from /phpMyAdmin to something else to sidestep some of the automated bot brute-force attempts. We will also create an additional, web server-level authentication gateway that must be passed before even getting to the phpMyAdmin login screen.

Changing the Application’s Access Location

In order for our Nginx web server to find and serve our phpMyAdmin files, we created a symbolic link from the phpMyAdmin directory to our document root in an earlier step.

To change the URL where our phpMyAdmin interface can be accessed, we simply need to rename the symbolic link. Move into the Nginx document root directory to get a better idea of what we are doing:

cd /usr/share/nginx/html
ls -l
-rw-r--r-- 1 root root 537 Aug  5 08:15 50x.html
-rw-r--r-- 1 root root 612 Aug  5 08:15 index.html
lrwxrwxrwx 1 root root  21 Aug  6 17:29 phpMyAdmin -> /usr/share/phpMyAdmin

As you can see, we have a symbolic link called phpMyAdmin in this directory. We can change this link name to whatever we would like. This will change the location where phpMyAdmin can be accessed from a browser, which can help obscure the access point from hard-coded bots.

Choose a name that does not indicate the purpose of the location. In this guide, we will name our access location /nothingtosee. To accomplish this, we will just rename the link:

sudo mv phpMyAdmin nothingtosee
ls -l
total 8
-rw-r--r-- 1 root root 537 Aug  5 08:15 50x.html
-rw-r--r-- 1 root root 612 Aug  5 08:15 index.html
lrwxrwxrwx 1 root root  21 Aug  6 17:29 nothingtosee -> /usr/share/phpMyAdmin

Now, if you go to the previous location of your phpMyAdmin installation, you will get a 404 error:

http://server_domain_or_IP/phpMyAdmin

phpMyAdmin 404 error

However, your phpMyAdmin interface will be available at the new location we selected:

http://server_domain_or_IP/nothingtosee

phpMyAdmin login screen

Setting up a Web Server Authentication Gate

The next feature we wanted for our installation was an authentication prompt that a user would be required to pass before ever seeing the phpMyAdmin login screen.

Fortunately, most web servers, including Nginx, provide this capability natively. We will just need to modify our Nginx configuration file with the details.

Before we do this, we will create a password file that will store our the authentication credentials. Nginx requires that passwords be encrypted using the crypt() function. The OpenSSL suite, which should already be installed on your server, includes this functionality.

To create an encrypted password, type:

openssl passwd

You will be prompted to enter and confirm the password that you wish to use. The utility will then display an encrypted version of the password that will look something like this:

O5az.RSPzd.HE

Copy this value, as you will need to paste it into the authentication file we will be creating.

Now, create an authentication file. We will call this file pma_pass and place it in the Nginx configuration directory:

sudo nano /etc/nginx/pma_pass

Within this file, you simply need to specify the username you would like to use, followed by a colon (:), followed by the encrypted version of your password you received from the openssl passwd utility.

We are going to name our user demo, but you should choose a different username. The file for this guide looks like this:

demo:O5az.RSPzd.HE

Save and close the file when you are finished.

Now, we are ready to modify our Nginx configuration file. Open this file in your text editor to get started:

sudo nano /etc/nginx/conf.d/default.conf

Within this file, we need to add a new location section. This will target the location we chose for our phpMyAdmin interface (we selected /nothingtosee in this guide).

Create this section within the server block, but outside of any other blocks. We will put our new location block below the location / block in our example:

server {
    . . .

    location / {
        try_files $uri $uri/ =404;
    }

    location /nothingtosee {
    }

    . . .
}

Within this block, we need to set the value of a directive called auth_basic to an authentication message that our prompt will display to users. We do not want to indicate to unauthenticated users what we are protecting, so do not give specific details. We will just use “Admin Login” in our example.

We then need to use a directive called auth_basic_user_file to point our web server to the authentication file that we created. Nginx will prompt the user for authentication details and check that the inputted values match what it finds in the specified file.

After we are finished, the file should look like this:

server {
    . . .

    location / {
        try_files $uri $uri/ =404;
    }

    location /nothingtosee {
        auth_basic "Admin Login";
        auth_basic_user_file /etc/nginx/pma_pass;
    }

    . . .
}

Save and close the file when you are finished.

To implement our new authentication gate, we must restart the web server:

sudo systemctl restart nginx

Now, if we visit our phpMyAdmin location in our web browser (you may have to clear your cache or use a different browser session if you have already been using phpMyAdmin), you should be prompted for the username and password you added to the pma_pass file:

http://server_domain_or_IP/nothingtosee

Nginx authentication page

Once you enter your credentials, you will be taken to the normal phpMyAdmin login page. This added layer of protection will help keep your MySQL logs clean of authentication attempts in addition to the added security benefit.

Conclusion

You can now manage your MySQL databases from a reasonably secure web interface. This UI exposes most of the functionality that is available from the MySQL command prompt. You can view databases and schema, execute queries, and create new data sets and structures.

Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.

Learn more about us


About the authors

Still looking for an answer?

Ask a questionSearch for more help

Was this helpful?
 
10 Comments


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

don’t you have to have index index.php; inside the location? otherwise it’ll end up with 403, right?

like this:

server {
    . . .

    location / {
        try_file $uri $uri/ =404;
    }

    location /nothingtosee {
        auth_basic "Admin Login";
        auth_basic_user_file /etc/nginx/pma_pass;
        index index.php;
    }

    . . .
}

I was having some permission issues getting phpMyAdmin session_start() errors after I followed this guide. I made sure session.save_path was set to /tmp and permissions were able to write to it, but same error: session_start(): open(/var/lib/php/session/sess_4ek0oog8j55aostlrfp562djlr7l29v8, O_RDWR) failed: Permission denied (13)

then I ran: chown root:nginx /var/lib/php/ -R which will set nginx permission for session directory (php.ini - session.save_path directive). Hope this helps anyone that runs into the same issue.

get 404 in first step

I have followed your steps, but phpMyAdmin is not able to connect RDS instance while it is connecting/working from phpminiadmin, ssh and php symfony application.

I have an EC2 instance on which centos7, nginx, php7.1, php-fpm are installed.

NOTE:
SELinux and httpd is disabled.
EC2 and RDS in launched in same Security group, same VPC.

Got 403 error: 403 Forbidden nginx/1.12.2

after research nginx i found this “Since the phpMyAdmin package does not put any configuration (virtual host) file for Nginx” and tried but not solved here is the link https://www.itzgeek.com/how-tos/linux/centos-how-tos/phpmyadmin-with-nginx-on-centos-7-rhel-7.html

i tried many but not solved btw article need to be updated for phpmyadmin section with configuretaion file

Using CentOS, Nginx, MariaDB, and PHP exactly as recommended- after the part of this tutorial where it says “With that, our phpMyAdmin installation is now operational” I tried loading the phpMyAdmin page and I was getting a lengthy error message under the login box that said “failed: Permission denied (13)”

I found an another article that gninx needs permission to the php session folder so I issued the following command below and the error cleared up and I was then able to login to phpMyAdmin.

Is this fix secure and acceptable moving forward?

chown nginx:nginx /var/lib/php/session

…does not work for centos 6. Any instructions for centos 6?

On doing this - namei -om /var/www/html/phpMyAdmin/index.php

i get - namei: failed to stat: /var/www/html/phpMyAdmin/index.php: No such file or directory

x.x.x.x/phpMyAdmin —> it’s just blank page , whats wrong with my coding !!!

and i found something strange, when i “yum install phpmyadmin” in epel repository and installation complete.

i found phpMyAdmin.conf in directory /etc/httpd/conf.d/phpMyAdmin.conf the question is why not in directory /etc/nginx/conf.d/phpMyAdmin.conf ??

and when i move phpMyAdmin.conf manually from httpd to nginx . nginx not running !!! gezzzz… (-., - )

After I did as you wrote, I am getting, forbidden error ?

This one : location /nothingtosee { auth_basic “Admin Login”; auth_basic_user_file /etc/nginx/pma_pass; }

Hello,

I was following this tutorial but when I access to http://my-IP/phpMyAdmin shows me a 404 error… someone can help me, please? Also I followed this tutorial to set up my LEMP server. --> https://www.digitalocean.com/community/tutorials/how-to-install-linux-nginx-mysql-php-lemp-stack-on-centos-7

Thank you!

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up

Join the Tech Talk
Success! Thank you! Please check your email for further details.

Please complete your information!

Get our biweekly newsletter

Sign up for Infrastructure as a Newsletter.

Hollie's Hub for Good

Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.

Become a contributor

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

Welcome to the developer cloud

DigitalOcean makes it simple to launch in the cloud and scale up as you grow — whether you're running one virtual machine or ten thousand.

Learn more
DigitalOcean Cloud Control Panel