Secure phpmyadmin

delfo2000 · February 10, 2022, 12:28am

Dear,

I’m new here and it’s my first time I use hestia very nice cp, non I want secure “phpmyadmin”, my target is block load phpmyadmin from https://www.example.com/phpmyadmin.
Is there easy way?
Best reagrds

G.

pluto · February 10, 2022, 3:32am

You can edit /etc/apache2/conf.d/phpmyadmin.inc and add Apache Basic Auth to it.
For example, find this line:

<Directory /usr/share/phpmyadmin>
	Options FollowSymLinks

And insert lines like this, changing the location of AuthUserFile accordingly

<Directory /usr/share/phpmyadmin>
        AuthType Basic
        AuthName Private
        Require valid-user
        AuthUserFile /etc/apache2/phpmyadmin.passwd
        Options FollowSymLinks

One problem is that the file sometimes gets overwritten, so you have to monitor that and reinsert if it disappears.

Oh, yes, and generate the password file with htpasswd:
htpasswd -c /etc/apache2/phpmyadmin.passwd username
You can add several user/password combinations to the same file

ScIT · February 10, 2022, 7:01am

Or just remove that file to prevent phpmyadmin loading .

eris · February 10, 2022, 7:15am

Or remove it from any template that you don’t want…

For Hestiacp.com I have created “nophpmyadmin” that doesn’t load the template…

#=======================================================================#
# Default Web Domain Template                                           #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
#=======================================================================#

<VirtualHost %ip%:%web_port%>

    ServerName %domain_idn%
    %alias_string%
    ServerAdmin %email%
    DocumentRoot %docroot%
    ScriptAlias /cgi-bin/ %home%/%user%/web/%domain%/cgi-bin/
    Alias /vstats/ %home%/%user%/web/%domain%/stats/
    Alias /error/ %home%/%user%/web/%domain%/document_errors/
    #SuexecUserGroup %user% %group%
    CustomLog /var/log/%web_system%/domains/%domain%.bytes bytes
    CustomLog /var/log/%web_system%/domains/%domain%.log combined
    ErrorLog /var/log/%web_system%/domains/%domain%.error.log
        
    IncludeOptional %home%/%user%/conf/web/%domain%/apache2.forcessl.conf*
    
    <Directory %home%/%user%/web/%domain%/stats>
        AllowOverride All
    </Directory>
    <Directory %sdocroot%>
        AllowOverride All
        Options +Includes -Indexes +ExecCGI
    </Directory>

    <FilesMatch \.php$>
        SetHandler "proxy:%backend_lsnr%|fcgi://localhost"
    </FilesMatch>
    SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0

    IncludeOptional %home%/%user%/conf/web/%domain%/%web_system%.conf_*
</VirtualHost>

delfo2000 · February 10, 2022, 8:54pm

Hi All,

thank you for reply and help. I’m using “ScIT” solution and rename /etc/apache2/conf.d/phpmyadmin.inc
for me is easy solution, but I understand other solutions maybe better ex. I want load phpmyadmin only from my network.
Thank you again.
Best regards

G.

system · March 12, 2022, 8:54pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.