Protect phpMyAdmin directory issue
hhhhhh
7th October 2008, 17:47
Hello,
I am running Apache2 on my server with the following configuration:
I've installed phpMyAdmin and linked it from /usr/shared/phpmyadmin to /var/www/phpmyadmin
I have a few websites on the server using sites-enabled, so I have:
/var/www/domain1/
/var/www/domain2/
...
If I type the following in the address bar: www.domain1.com/phpmyadmin, the user goes to the phpMyAdmin page; it is not protected.
How can I protect this directory with a user name and password?
I tried the following:
I created a .htaccess file with the following content inside /var/www/phpmyadmin
AuthUserFile /etc/secret/.htpasswd
AuthName "Login page"
AuthType Basic
Require valid-user
And I created a .htpasswd file in /etc/secret with the following content:
User1:PasswordEncriptedWithmd5
But nothing happens: when I enter www.domain1.com/phpmyadmin in the address bar, the page shows everything without protection.
I think that I need to add something else, but I don't know what it is.
Can anyone help me?
Thanks in advance!
falko
8th October 2008, 13:37
There should be a config.php file in /usr/shared/phpmyadmin where you can specify the authentication method.
hhhhhh
8th October 2008, 15:06
Hi falko,
Thank you for your reply.
I searched inside this folder and found the following files:
config.inc.php
config.sample.inc.php
config.footer.inc.php
config.header.inc.php
Config.inc.php has got the following inside:
<?php
/**
* Please, do not edit this file. The configuration file for Debian
* is located in the /etc/phpmyadmin directory.
*/
// Load secret generated on postinst
include('/var/lib/phpmyadmin/blowfish_secret.inc.php');
// Load autoconf local config
include('/var/lib/phpmyadmin/config.inc.php');
// Load user's local config
include('/etc/phpmyadmin/config.inc.php');
// Set the default server if there is no defined
if (!isset($cfg['Servers'])) {
    $cfg['Servers'][1]['host'] = 'localhost';
}
// Set the default values for $cfg['Servers'] entries
for ($i=1; (!empty($cfg['Servers'][$i]['host']) || (isset($cfg['Servers'][$i]['connect_type']) && $cfg['Servers'][$i]['connect_type'] == 'socket')); $i++) {
    if (!isset($cfg['Servers'][$i]['auth_type'])) {
        $cfg['Servers'][$i]['auth_type'] = 'cookie';
    }
    if (!isset($cfg['Servers'][$i]['host'])) {
        $cfg['Servers'][$i]['host'] = 'localhost';
    }
    if (!isset($cfg['Servers'][$i]['connect_type'])) {
        $cfg['Servers'][$i]['connect_type'] = 'tcp';
    }
    if (!isset($cfg['Servers'][$i]['compress'])) {
        $cfg['Servers'][$i]['compress'] = false;
    }
    if (!isset($cfg['Servers'][$i]['extension'])) {
        $cfg['Servers'][$i]['extension'] = 'mysql';
    }
}
And config.sample.inc.php has got it:
<?php
/* vim: set expandtab sw=4 ts=4 sts=4: */
/**
* phpMyAdmin sample configuration, you can use it as base for
* manual configuration. For easier setup you can use scripts/setup.php
*
* All directives are explained in Documentation.html and on phpMyAdmin
* wiki <http://wiki.cihar.com>.
*
* @version $Id: config.sample.inc.php 10142 2007-03-20 10:32:13Z cybot_tm $
*/
/*
* This is needed for cookie based authentication to encrypt password in
* cookie
*/
$cfg['blowfish_secret'] = ''; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */
/*
* Servers configuration
*/
$i = 0;
/*
* First server
*/
$i++;
/* Authentication type */
$cfg['Servers'][$i]['auth_type'] = 'cookie';
/* Server parameters */
$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['compress'] = false;
/* Select mysqli if your server has it */
$cfg['Servers'][$i]['extension'] = 'mysql';
/* User for advanced features */
// $cfg['Servers'][$i]['controluser'] = 'pma';
// $cfg['Servers'][$i]['controlpass'] = 'pmapass';
/* Advanced phpMyAdmin features */
// $cfg['Servers'][$i]['pmadb'] = 'phpmyadmin';
// $cfg['Servers'][$i]['bookmarktable'] = 'pma_bookmark';
// $cfg['Servers'][$i]['relation'] = 'pma_relation';
// $cfg['Servers'][$i]['table_info'] = 'pma_table_info';
// $cfg['Servers'][$i]['table_coords'] = 'pma_table_coords';
// $cfg['Servers'][$i]['pdf_pages'] = 'pma_pdf_pages';
// $cfg['Servers'][$i]['column_info'] = 'pma_column_info';
// $cfg['Servers'][$i]['history'] = 'pma_history';
// $cfg['Servers'][$i]['designer_coords'] = 'pma_designer_coords';
/*
* End of servers configuration
*/
/*
* Directories for saving/loading files from server
*/
$cfg['UploadDir'] = '';
$cfg['SaveDir'] = '';
?>
These are the default configurations.
How can I modify these files to enable the protection?
Maybe by removing the comment markers on these lines?
// $cfg['Servers'][$i]['controluser'] = 'pma';
// $cfg['Servers'][$i]['controlpass'] = 'pmapass';
Thank you in advance
falko
9th October 2008, 19:22
Please check /var/lib/phpmyadmin/config.inc.php and /etc/phpmyadmin/config.inc.php.
hhhhhh
10th October 2008, 01:08
Hi falko,
Thanks for your reply
I've checked /var/lib/phpmyadmin/config.inc.php and it is empty.
And /etc/phpmyadmin/config.inc.php displays the following:
<?php
/**
* Debian local configuration file
*
* This file overrides the settings made by phpMyAdmin interactive setup
* utility.
*
* For example configuration see /usr/share/doc/phpmyadmin/examples/config.default.php.gz
*
* NOTE: do not add security sensitive data to this file (like passwords)
* unless you really know what you're doing. If you do, any user that can
* run PHP or CGI on your webserver will be able to read them. If you still
* want to do this, make sure to properly secure the access to this file
* (also on the filesystem level).
*/
/**
* Server(s) configuration
*/
$i = 0;
// The $cfg['Servers'] array starts with $cfg['Servers'][1]. Do not use $cfg['Servers'][0].
// You can disable a server config entry by setting host to ''.
$i++;
/* Authentication type */
//$cfg['Servers'][$i]['auth_type'] = 'cookie';
/* Server parameters */
//$cfg['Servers'][$i]['host'] = 'localhost';
//$cfg['Servers'][$i]['connect_type'] = 'tcp';
//$cfg['Servers'][$i]['compress'] = false;
/* Select mysqli if your server has it */
//$cfg['Servers'][$i]['extension'] = 'mysql';
/* Optional: User for advanced features */
// $cfg['Servers'][$i]['controluser'] = 'pma';
// $cfg['Servers'][$i]['controlpass'] = 'pmapass';
/* Optional: Advanced phpMyAdmin features */
// $cfg['Servers'][$i]['pmadb'] = 'phpmyadmin';
// $cfg['Servers'][$i]['bookmarktable'] = 'pma_bookmark';
// $cfg['Servers'][$i]['relation'] = 'pma_relation';
// $cfg['Servers'][$i]['table_info'] = 'pma_table_info';
// $cfg['Servers'][$i]['table_coords'] = 'pma_table_coords';
// $cfg['Servers'][$i]['pdf_pages'] = 'pma_pdf_pages';
// $cfg['Servers'][$i]['column_info'] = 'pma_column_info';
// $cfg['Servers'][$i]['history'] = 'pma_history';
// $cfg['Servers'][$i]['designer_coords'] = 'pma_designer_coords';
/*
* End of servers configuration
*/
/*
* Directories for saving/loading files from server
*/
$cfg['UploadDir'] = '';
$cfg['SaveDir'] = '';
Should I remove the comment marker on the //$cfg['Servers'][$i]['auth_type'] = 'cookie'; line?
Thanks in advance!
falko
10th October 2008, 15:42
Yes, you can try that.
hhhhhh
10th October 2008, 17:50
The same, User&pass alert from .htaccess didn't show :(
falko
11th October 2008, 19:58
Can you post the vhost configuration for domain1?
hhhhhh
11th October 2008, 23:34
Hello!
Thank you for your reply and support!
<VirtualHost *>
    ServerAdmin root@domain1.info
    ServerName www.domain1.com
    DocumentRoot /var/www/domain1/
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/domain1/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog /var/log/apache2/error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog /var/log/apache2/access.log combined
    ServerSignature On
    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>
</VirtualHost>
It is located in /etc/apache2/sites-available/domain1.com
Thank you!!
falko
12th October 2008, 18:27
What's the output of ls -la /var/www/domain1/?
hhhhhh
13th October 2008, 03:14
Hello falko!
Thank you for your reply.
The output was:
total 8
drwxr-xr-x 2 root root 4096 2008-10-07 17:10 .
drwxr-xr-x 14 root root 4096 2008-10-10 23:32 ..
Thank you for your support with me falko
falko
13th October 2008, 13:52
But there's nothing in the directory - no .htaccess, no phpMyAdmin, etc. :confused:
hhhhhh
13th October 2008, 14:28
Yes, phpmyadmin is inside /var/www/ not inside /var/www/domain1/
And phpmyadmin is linked from /usr/share/phpmyadmin
The .htaccess is inside /usr/share/phpmyadmin
Now every domain directory inside /var/www can reach phpmyadmin by typing in the address bar: www.domain$.com/phpmyadmin
Do you mean that I should delete the phpmyadmin link from /var/www, create it in /var/www/domain$ and create the .htaccess there?
If not, what is the best way to do it?
Thank you for your support!
falko
14th October 2008, 20:41
Try this:
ln -s /usr/share/phpmyadmin /var/www/domain1/phpmyadmin
hhhhhh
15th October 2008, 00:55
Hello,
I solved the issue. I'm going to explain it in case anyone has the same error:
I had the following file in the /etc/apache2/conf.d directory: @phpmyadmin.conf
This file was not a real file; it was a link from /etc/phpmyadmin/apache.conf
It had the same content.
For that reason the .htaccess didn't apply its protections.
I deleted the linked file @phpmyadmin and made new ones inside the domain folders to /usr/share/phpmyadmin instead of the link to etc/phpmyadmin/apache2.conf. Now .htaccess and .htpasswd work perfectly.
Thank you for your support!
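
Why the fix in this thread worked, as an added example that is not part of the original posts: Apache picks AllowOverride from the <Directory> section matching the path it uses to reach a file, without resolving symlinks, so the same .htaccess is ignored on one path and honoured on another. The sketch assumes the conf.d file served /phpmyadmin through an Alias to /usr/share/phpmyadmin and set no AllowOverride of its own (its content is not shown in the thread); the function names are hypothetical.

```python
import re

# Constructed input: the two relevant <Directory> sections of the vhost posted above.
VHOST = """
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory /var/www/domain1/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
</Directory>
"""

SECTION = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)
OVERRIDE = re.compile(r'^\s*AllowOverride\s+(.+?)\s*$', re.M | re.I)

def directory_sections(conf):
    """Return [(path, AllowOverride value or None)] for plain <Directory> blocks."""
    out = []
    for path, body in SECTION.findall(conf):
        m = OVERRIDE.search(body)
        out.append((path.rstrip("/") or "/", m.group(1) if m else None))
    return out

def effective_override(conf, access_path):
    """AllowOverride in force for the path Apache uses to reach a file.

    Matching sections apply shortest path first, so the longest section
    that sets AllowOverride wins. Returns None if no section sets it.
    """
    value = None
    for path, override in sorted(directory_sections(conf), key=lambda s: len(s[0])):
        prefix = path if path == "/" else path + "/"
        if override and (access_path + "/").startswith(prefix):
            value = override
    return value

def htaccess_auth_honoured(conf, access_path):
    """True when AuthType/Require lines in a .htaccess on this path are read."""
    tokens = (effective_override(conf, access_path) or "").lower().split()
    return "all" in tokens or "authconfig" in tokens

if __name__ == "__main__":
    # Assumed Alias target vs. the symlink created inside the DocumentRoot.
    for p in ("/usr/share/phpmyadmin", "/var/www/domain1/phpmyadmin"):
        print(p, effective_override(VHOST, p), htaccess_auth_honoured(VHOST, p))
```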