Protect phpMyAdmin directory issue

[hhhhhh]

Hello,

I am running Apache2 in my server and the following configuration:

I've installed phpMyAdmin and I linked from /usr/shared/phpmyadmin to /var/www/phpmyadmin

I have few websites in the server using sites enabled so I have:
/var/www/domain1/
/var/www/domain2/
...

If I write on address bar the following:

Code:

www.domain1.com/phpmyadmin

the user will go to phpmyadmin page, it is not protected.

How can I protect this directory with user and password?

I tried the following:

I create a .htaccess file with the following info inside /var/www/phpmyadmin

Code:

AuthUserFile /etc/secret/.htpasswd
AuthName "Login page"
AuthType Basic
Require valid-user

And I create a .htpasswd file in /etc/secret with the following info:

Code:

User1:PasswordEncriptedWithmd5

But the result is nothing, when I put on url address

Code:

www.domain1.com/phpmyadmin

the page show all without protection.

I think that I need to add another thing but I don't know what is.

Anyone can help me?

Thanks in advance!

[falko]

There should be a config.php file in /usr/shared/phpmyadmin where you can specify the authentication method.

[hhhhhh]

Hi falko,
Thank you for your reply.
I search inside this folder and found the following files:

config.inc.php
congif.sample.inc.php
config.footer.inc.php
config.header.inc.php

Config.inc.php has got the following inside:

PHP Code:

<?php
/**
 * Please, do not edit this file. The configuration file for Debian
 * is located in the /etc/phpmyadmin directory.
 */

// Load secret generated on postinst
include('/var/lib/phpmyadmin/blowfish_secret.inc.php');

// Load autoconf local config
include('/var/lib/phpmyadmin/config.inc.php');

// Load user's local config
include('/etc/phpmyadmin/config.inc.php');

// Set the default server if there is no defined
if (!isset($cfg['Servers'])) {
    $cfg['Servers'][1]['host'] = 'localhost';
}

// Set the default values for $cfg['Servers'] entries
for ($i=1; (!empty($cfg['Servers'][$i]['host']) || (isset($cfg['Servers'][$i]['connect_type']) && $cfg['Servers'][$i]['connect_type'] == 'socket')); $i++) {
    if (!isset($cfg['Servers'][$i]['auth_type'])) {
        $cfg['Servers'][$i]['auth_type'] = 'cookie';
    }
    if (!isset($cfg['Servers'][$i]['host'])) {
        $cfg['Servers'][$i]['host'] = 'localhost';
    }
    if (!isset($cfg['Servers'][$i]['connect_type'])) {
        $cfg['Servers'][$i]['connect_type'] = 'tcp';
    }
    if (!isset($cfg['Servers'][$i]['compress'])) {
        $cfg['Servers'][$i]['compress'] = false;
    }
    if (!isset($cfg['Servers'][$i]['extension'])) {
        $cfg['Servers'][$i]['extension'] = 'mysql';
    }
}

And config.sample.inc.php has got it:

PHP Code:

<?php
/* vim: set expandtab sw=4 ts=4 sts=4: */
/**
 * phpMyAdmin sample configuration, you can use it as base for
 * manual configuration. For easier setup you can use scripts/setup.php
 *
 * All directives are explained in Documentation.html and on phpMyAdmin
 * wiki <http://wiki.cihar.com>.
 *
 * @version $Id: config.sample.inc.php 10142 2007-03-20 10:32:13Z cybot_tm $
 */

/*
 * This is needed for cookie based authentication to encrypt password in
 * cookie
 */
$cfg['blowfish_secret'] = ''; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */

/*
 * Servers configuration
 */
$i = 0;

/*
 * First server
 */
$i++;
/* Authentication type */
$cfg['Servers'][$i]['auth_type'] = 'cookie';
/* Server parameters */
$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['compress'] = false;
/* Select mysqli if your server has it */
$cfg['Servers'][$i]['extension'] = 'mysql';
/* User for advanced features */
// $cfg['Servers'][$i]['controluser'] = 'pma';
// $cfg['Servers'][$i]['controlpass'] = 'pmapass';
/* Advanced phpMyAdmin features */
// $cfg['Servers'][$i]['pmadb'] = 'phpmyadmin';
// $cfg['Servers'][$i]['bookmarktable'] = 'pma_bookmark';
// $cfg['Servers'][$i]['relation'] = 'pma_relation';
// $cfg['Servers'][$i]['table_info'] = 'pma_table_info';
// $cfg['Servers'][$i]['table_coords'] = 'pma_table_coords';
// $cfg['Servers'][$i]['pdf_pages'] = 'pma_pdf_pages';
// $cfg['Servers'][$i]['column_info'] = 'pma_column_info';
// $cfg['Servers'][$i]['history'] = 'pma_history';
// $cfg['Servers'][$i]['designer_coords'] = 'pma_designer_coords';

/*
 * End of servers configuration
 */

/*
 * Directories for saving/loading files from server
 */
$cfg['UploadDir'] = '';
$cfg['SaveDir'] = '';

?>

There are the default configuration.

How can I modify this files to allow the protection?

Maybe removing the comment in these lines:?

// $cfg['Servers'][$i]['controluser'] = 'pma';
// $cfg['Servers'][$i]['controlpass'] = 'pmapass';

Thank you in advance

[falko]

Please check /var/lib/phpmyadmin/config.inc.php and /etc/phpmyadmin/config.inc.php.

[hhhhhh]

Hi falko,

Thanks for your reply

I've checked /var/lib/phpmyadmin/config.inc.php and it is empty

And /etc/phpmyadmin/config.inc.php display the following:

PHP Code:

<?php
/**
 * Debian local configuration file
 *
 * This file overrides the settings made by phpMyAdmin interactive setup
 * utility.
 *
 * For example configuration see /usr/share/doc/phpmyadmin/examples/config.default.php.gz
 *
 * NOTE: do not add security sensitive data to this file (like passwords)
 * unless you really know what you're doing. If you do, any user that can
 * run PHP or CGI on your webserver will be able to read them. If you still
 * want to do this, make sure to properly secure the access to this file
 * (also on the filesystem level).
 */

/**
 * Server(s) configuration
 */
$i = 0;
// The $cfg['Servers'] array starts with $cfg['Servers'][1].  Do not use $cfg['Servers'][0].
// You can disable a server config entry by setting host to ''.
$i++;

/* Authentication type */
//$cfg['Servers'][$i]['auth_type'] = 'cookie';
/* Server parameters */
//$cfg['Servers'][$i]['host'] = 'localhost';
//$cfg['Servers'][$i]['connect_type'] = 'tcp';
//$cfg['Servers'][$i]['compress'] = false;
/* Select mysqli if your server has it */
//$cfg['Servers'][$i]['extension'] = 'mysql';
/* Optional: User for advanced features */
// $cfg['Servers'][$i]['controluser'] = 'pma';
// $cfg['Servers'][$i]['controlpass'] = 'pmapass';
/* Optional: Advanced phpMyAdmin features */
// $cfg['Servers'][$i]['pmadb'] = 'phpmyadmin';
// $cfg['Servers'][$i]['bookmarktable'] = 'pma_bookmark';
// $cfg['Servers'][$i]['relation'] = 'pma_relation';
// $cfg['Servers'][$i]['table_info'] = 'pma_table_info';
// $cfg['Servers'][$i]['table_coords'] = 'pma_table_coords';
// $cfg['Servers'][$i]['pdf_pages'] = 'pma_pdf_pages';
// $cfg['Servers'][$i]['column_info'] = 'pma_column_info';
// $cfg['Servers'][$i]['history'] = 'pma_history';
// $cfg['Servers'][$i]['designer_coords'] = 'pma_designer_coords';

/*
 * End of servers configuration
 */

/*
 * Directories for saving/loading files from server
 */
$cfg['UploadDir'] = '';
$cfg['SaveDir'] = '';

Should I remove the comments in //$cfg['Servers'][$i]['auth_type'] = 'cookie'; line?

Thanks in advance!

[falko]

Yes, you can try that.

[hhhhhh]

The same, User&pass alert from .htaccess didn't show

[falko]

Can you post the vhost configuration for domain1?

[hhhhhh]

Hello!

Thank you for your reply and support!

Code:

<VirtualHost *>
        ServerAdmin root@domain1.info
        ServerName www.domain1.com
        DocumentRoot /var/www/domain1/
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/domain1/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                allow from all
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog /var/log/apache2/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/access.log combined
        ServerSignature On

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

</VirtualHost>

It is located in /etc/apache2/sites-available/domain1.com

Thank you!!

[falko]

What's the output of

Code:

ls -la /var/www/domain1/

?