need clean, secure installation of phpmyadmin
I have an Ubuntu 10.04 server that I've taken great pains to set up securely and I would like to install phpMyAdmin on this machine to allow me to administer MySQL databases. I have run this:
Code:
apt-get install phpmyadmin
1) The install process prompted me to ask if I wanted to use dbconfig-common with phpMyAdmin without telling me what the ramifications might be. As I already had my database functioning, I chose not to.
2) phpMyAdmin is configured for plain old HTTP (rather than HTTPS) access. It is critical that all interactions with phpMyAdmin be served via HTTP.
3) Trying to access phpmyadmin at the default location (which I believe is http://www.mydomain.com/phpmyadmin) results in a 403/Forbidden response from my server. This is either because there's a problem in the newly installed file /etc/apache2/conf.d/phpmyadmin.conf (which is actually a symbolic link to /etc/phpmyadmin/apache.conf) or perhaps I have some other conflicting configuration.
4) The install results in a phpmyadmin/setup url which is not adequately explained in the documentation (/usr/share/doc/phpmyadmin/Documentation.html). I don't really understand what this setup script will do and wonder if it's necessary.
5) The package install results in a lot of files in the bin folder:
/usr/sbin/pma-configure
/usr/sbin/pma-secure
/usr/sbin/dbconfig-generate-include
/usr/sbin/dconfig-load-include
If anyone has any tips or heuristic guidelines to achieve the following, I'd love to hear about it:
1) phpmyadmin only accessible via HTTPS
2) phpmyadmin requires login using MySQL user and credentials
3) phpmyadmin configuration is as simple as possible and does not install binaries I will never use
4) phpmyadmin is *secure*.
2) is a server question. You have to set up a virtual host running on https that provides access to phpmyadmin.
3) Try to add "index.php" to the url. If that works, the 403 error results in a missing directive in the httpd.conf regarding <Directory>. You have to set Options +Index in that tag.
4) Run that script. It will ask a couple of infos that it needs for db access...
2) I've begun working on an HTTPS directive in the file /etc/apache2/sites-available/default-ssl. The code below is what I have currently inside the _default_:443 VirtualHost section:
Code:
Alias /pma /usr/share/phpmyadmin
Code:
$ cat /etc/apache2/conf.d/phpmyadmin.conf
3) Adding index.php to the url doesn't help. http://www.mydomain.com/phpmyadmin/index.php still gives "forbidden 403".
4) When you say "run that script" do you mean visit it in a browser? If that's what you mean, then I have and as far as I can tell this allows one to change the phpmyadmin settings (blowfish secret, etc.) in a browser and requires that apache have write access to a particular folder. This runs contrary to my desire for security and I'd rather just change configuration settings via ssh if possible. Is it safe to remove this setup directory?
5) What about all the extra executables in /usr/sbin? Are they required by phpmyadmin?
Code:
client denied by server configuration: /usr/share/phpmyadmin
I think you do not allow your webserver to browse that directory.
Look in your httpd.conf file and see if your directory is in something like this:
<Directory "/var/www">
    Order allow,deny
    Allow from all
</Directory>
So in your case:
<Directory "/usr/share/phpmyadmin">
    Order allow,deny
    Allow from all
</Directory>
I looked in the file /etc/apache2/sites-enabled/000-default and saw this:
Code:
#
So I've cleaned up my apache configuration. I removed the phpmyadmin.conf:
Code:
rm /etc/apache2/conf.d/phpmyadmin.conf
Code:
Alias /phpmyadmin /usr/share/phpmyadmin
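An added example, not part of any post in this thread: one way to express the first post's goals (HTTPS only, no browser setup script, restricted access) in the Apache 2.2 Order/Allow syntax used above. Assumptions: the alias and paths quoted in the thread, that the setup URL maps to /usr/share/phpmyadmin/setup, and 192.0.2.10 as a placeholder for the administrator's address.

```apache
# --- In the port-80 site (/etc/apache2/sites-enabled/000-default) ---
# No Alias for phpMyAdmin here, so it cannot be served over plain HTTP.
# Optionally send browsers that try the HTTP URL to the HTTPS one.
Redirect permanent /phpmyadmin https://www.mydomain.com/phpmyadmin

# --- In the <VirtualHost _default_:443> block of ---
# --- /etc/apache2/sites-available/default-ssl    ---
# The alias exists only on the SSL virtual host.
Alias /phpmyadmin /usr/share/phpmyadmin

<Directory /usr/share/phpmyadmin>
    # mod_ssl: refuse any request for this directory that is not HTTPS,
    # even if an alias is later added to a non-SSL virtual host.
    SSLRequireSSL

    # Serve index.php for the bare directory URL. Listing "Options"
    # without Indexes keeps automatic directory listings off.
    DirectoryIndex index.php
    Options FollowSymLinks
    AllowOverride None

    # Apache 2.2 access control. With "Order deny,allow" the Deny rules
    # are evaluated first and a matching Allow overrides them, so only
    # the listed address is admitted. Every other client gets the 403
    # logged as "client denied by server configuration".
    # For comparison, "Order allow,deny" + "Allow from all" admits
    # every client that can reach the server.
    Order deny,allow
    Deny from all
    Allow from 192.0.2.10
</Directory>

# The browser-based setup script needs a web-writable directory.
# When configuration is edited over ssh instead, block it outright.
<Directory /usr/share/phpmyadmin/setup>
    Order deny,allow
    Deny from all
</Directory>
```

After editing, `apache2ctl configtest` checks the syntax before the server is reloaded.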