Protect phpMyAdmin directory issue

Discussion in 'Installation/Configuration' started by hhhhhh, Oct 7, 2008.

  1. hhhhhh

    hhhhhh New Member

    Hello,

    I am running Apache2 in my server and the following configuration:

    I've installed phpMyAdmin and I linked from /usr/shared/phpmyadmin to /var/www/phpmyadmin

    I have few websites in the server using sites enabled so I have:
    /var/www/domain1/
    /var/www/domain2/
    ...

    If I write on address bar the following:
    Code:
    www.domain1.com/phpmyadmin
    the user will go to phpmyadmin page, it is not protected.

    How can I protect this directory with user and password?

    I tried the following:

    I create a .htaccess file with the following info inside /var/www/phpmyadmin

    Code:
    AuthUserFile /etc/secret/.htpasswd
    AuthName "Login page"
    AuthType Basic
    Require valid-user
    And I create a .htpasswd file in /etc/secret with the following info:
    Code:
    User1:PasswordEncriptedWithmd5
    But the result is nothing, when I put on url address
    Code:
    www.domain1.com/phpmyadmin
    the page show all without protection.

    I think that I need to add another thing but I don't know what is.

    Anyone can help me?

    Thanks in advance!
     
  2. falko

    falko Super Moderator ISPConfig Developer

    There should be a config.php file in /usr/shared/phpmyadmin where you can specify the authentication method.
     
  3. hhhhhh

    hhhhhh New Member

    Hi falko,
    Thank you for your reply.
    I search inside this folder and found the following files:

    config.inc.php
    congif.sample.inc.php
    config.footer.inc.php
    config.header.inc.php

    Config.inc.php has got the following inside:

    PHP:
    <?php
    /**
     * Please, do not edit this file. The configuration file for Debian
     * is located in the /etc/phpmyadmin directory.
     */

    // Load secret generated on postinst
    include('/var/lib/phpmyadmin/blowfish_secret.inc.php');

    // Load autoconf local config
    include('/var/lib/phpmyadmin/config.inc.php');

    // Load user's local config
    include('/etc/phpmyadmin/config.inc.php');

    // Set the default server if there is no defined
    if (!isset($cfg['Servers'])) {
        
    $cfg['Servers'][1]['host'] = 'localhost';
    }

    // Set the default values for $cfg['Servers'] entries
    for ($i=1; (!empty($cfg['Servers'][$i]['host']) || (isset($cfg['Servers'][$i]['connect_type']) && $cfg['Servers'][$i]['connect_type'] == 'socket')); $i++) {
        if (!isset(
    $cfg['Servers'][$i]['auth_type'])) {
            
    $cfg['Servers'][$i]['auth_type'] = 'cookie';
        }
        if (!isset(
    $cfg['Servers'][$i]['host'])) {
            
    $cfg['Servers'][$i]['host'] = 'localhost';
        }
        if (!isset(
    $cfg['Servers'][$i]['connect_type'])) {
            
    $cfg['Servers'][$i]['connect_type'] = 'tcp';
        }
        if (!isset(
    $cfg['Servers'][$i]['compress'])) {
            
    $cfg['Servers'][$i]['compress'] = false;
        }
        if (!isset(
    $cfg['Servers'][$i]['extension'])) {
            
    $cfg['Servers'][$i]['extension'] = 'mysql';
        }
    }


    And config.sample.inc.php has got it:
    PHP:
    <?php
    /* vim: set expandtab sw=4 ts=4 sts=4: */
    /**
     * phpMyAdmin sample configuration, you can use it as base for
     * manual configuration. For easier setup you can use scripts/setup.php
     *
     * All directives are explained in Documentation.html and on phpMyAdmin
     * wiki <http://wiki.cihar.com>.
     *
     * @version $Id: config.sample.inc.php 10142 2007-03-20 10:32:13Z cybot_tm $
     */

    /*
     * This is needed for cookie based authentication to encrypt password in
     * cookie
     */
    $cfg['blowfish_secret'] = ''/* YOU MUST FILL IN THIS FOR COOKIE AUTH! */

    /*
     * Servers configuration
     */
    $i 0;

    /*
     * First server
     */
    $i++;
    /* Authentication type */
    $cfg['Servers'][$i]['auth_type'] = 'cookie';
    /* Server parameters */
    $cfg['Servers'][$i]['host'] = 'localhost';
    $cfg['Servers'][$i]['connect_type'] = 'tcp';
    $cfg['Servers'][$i]['compress'] = false;
    /* Select mysqli if your server has it */
    $cfg['Servers'][$i]['extension'] = 'mysql';
    /* User for advanced features */
    // $cfg['Servers'][$i]['controluser'] = 'pma';
    // $cfg['Servers'][$i]['controlpass'] = 'pmapass';
    /* Advanced phpMyAdmin features */
    // $cfg['Servers'][$i]['pmadb'] = 'phpmyadmin';
    // $cfg['Servers'][$i]['bookmarktable'] = 'pma_bookmark';
    // $cfg['Servers'][$i]['relation'] = 'pma_relation';
    // $cfg['Servers'][$i]['table_info'] = 'pma_table_info';
    // $cfg['Servers'][$i]['table_coords'] = 'pma_table_coords';
    // $cfg['Servers'][$i]['pdf_pages'] = 'pma_pdf_pages';
    // $cfg['Servers'][$i]['column_info'] = 'pma_column_info';
    // $cfg['Servers'][$i]['history'] = 'pma_history';
    // $cfg['Servers'][$i]['designer_coords'] = 'pma_designer_coords';

    /*
     * End of servers configuration
     */

    /*
     * Directories for saving/loading files from server
     */
    $cfg['UploadDir'] = '';
    $cfg['SaveDir'] = '';

    ?>
    There are the default configuration.

    How can I modify this files to allow the protection?

    Maybe removing the comment in these lines:?

    // $cfg['Servers'][$i]['controluser'] = 'pma';
    // $cfg['Servers'][$i]['controlpass'] = 'pmapass';

    Thank you in advance
     
  4. falko

    falko Super Moderator ISPConfig Developer

    Please check /var/lib/phpmyadmin/config.inc.php and /etc/phpmyadmin/config.inc.php.
     
  5. hhhhhh

    hhhhhh New Member

    Hi falko,

    Thanks for your reply

    I've checked /var/lib/phpmyadmin/config.inc.php and it is empty

    And /etc/phpmyadmin/config.inc.php display the following:

    PHP:
    <?php
    /**
     * Debian local configuration file
     *
     * This file overrides the settings made by phpMyAdmin interactive setup
     * utility.
     *
     * For example configuration see /usr/share/doc/phpmyadmin/examples/config.default.php.gz
     *
     * NOTE: do not add security sensitive data to this file (like passwords)
     * unless you really know what you're doing. If you do, any user that can
     * run PHP or CGI on your webserver will be able to read them. If you still
     * want to do this, make sure to properly secure the access to this file
     * (also on the filesystem level).
     */

    /**
     * Server(s) configuration
     */
    $i 0;
    // The $cfg['Servers'] array starts with $cfg['Servers'][1].  Do not use $cfg['Servers'][0].
    // You can disable a server config entry by setting host to ''.
    $i++;

    /* Authentication type */
    //$cfg['Servers'][$i]['auth_type'] = 'cookie';
    /* Server parameters */
    //$cfg['Servers'][$i]['host'] = 'localhost';
    //$cfg['Servers'][$i]['connect_type'] = 'tcp';
    //$cfg['Servers'][$i]['compress'] = false;
    /* Select mysqli if your server has it */
    //$cfg['Servers'][$i]['extension'] = 'mysql';
    /* Optional: User for advanced features */
    // $cfg['Servers'][$i]['controluser'] = 'pma';
    // $cfg['Servers'][$i]['controlpass'] = 'pmapass';
    /* Optional: Advanced phpMyAdmin features */
    // $cfg['Servers'][$i]['pmadb'] = 'phpmyadmin';
    // $cfg['Servers'][$i]['bookmarktable'] = 'pma_bookmark';
    // $cfg['Servers'][$i]['relation'] = 'pma_relation';
    // $cfg['Servers'][$i]['table_info'] = 'pma_table_info';
    // $cfg['Servers'][$i]['table_coords'] = 'pma_table_coords';
    // $cfg['Servers'][$i]['pdf_pages'] = 'pma_pdf_pages';
    // $cfg['Servers'][$i]['column_info'] = 'pma_column_info';
    // $cfg['Servers'][$i]['history'] = 'pma_history';
    // $cfg['Servers'][$i]['designer_coords'] = 'pma_designer_coords';

    /*
     * End of servers configuration
     */

    /*
     * Directories for saving/loading files from server
     */
    $cfg['UploadDir'] = '';
    $cfg['SaveDir'] = '';
    Should I remove the comments in //$cfg['Servers'][$i]['auth_type'] = 'cookie'; line?

    Thanks in advance!
     
  6. falko

    falko Super Moderator ISPConfig Developer

    Yes, you can try that.
     
  7. hhhhhh

    hhhhhh New Member

    The same, User&pass alert from .htaccess didn't show :(
     
  8. falko

    falko Super Moderator ISPConfig Developer

    Can you post the vhost configuration for domain1?
     
  9. hhhhhh

    hhhhhh New Member

    Hello!

    Thank you for your reply and support!

    Code:
    <VirtualHost *>
            ServerAdmin [email protected]
            ServerName www.domain1.com
            DocumentRoot /var/www/domain1/
            <Directory />
                    Options FollowSymLinks
                    AllowOverride None
            </Directory>
            <Directory /var/www/domain1/>
                    Options Indexes FollowSymLinks MultiViews
                    AllowOverride All
                    Order allow,deny
                    allow from all
            </Directory>
    
            ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
            <Directory "/usr/lib/cgi-bin">
                    AllowOverride None
                    Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                    Order allow,deny
                    Allow from all
            </Directory>
    
            ErrorLog /var/log/apache2/error.log
    
            # Possible values include: debug, info, notice, warn, error, crit,
            # alert, emerg.
            LogLevel warn
    
            CustomLog /var/log/apache2/access.log combined
            ServerSignature On
    
        Alias /doc/ "/usr/share/doc/"
        <Directory "/usr/share/doc/">
            Options Indexes MultiViews FollowSymLinks
            AllowOverride None
            Order deny,allow
            Deny from all
            Allow from 127.0.0.0/255.0.0.0 ::1/128
        </Directory>
    
    </VirtualHost>
    It is located in /etc/apache2/sites-available/domain1.com

    Thank you!!
     
  10. falko

    falko Super Moderator ISPConfig Developer

    What's the output of
    Code:
    ls -la /var/www/domain1/
    ?
     
  11. hhhhhh

    hhhhhh New Member

    Hello falko!

    Thank you for your reply.

    The display info was:

    Code:
    total 8
    drwxr-xr-x  2 root root 4096 2008-10-07 17:10 .
    drwxr-xr-x 14 root root 4096 2008-10-10 23:32 ..
    Thank you for your support with me falko
     
  12. falko

    falko Super Moderator ISPConfig Developer

    But there's nothing in the directory - no .htaccess, no phpMyAdmin, etc. :confused:
     
  13. hhhhhh

    hhhhhh New Member

    Yes, phpmyadmin is inside /var/www/ not inside /var/www/domain1/

    And phpmyadmin is linked from /usr/share/phpmyadmin

    The .htaccess is inside /usr/share/phpmyadmin

    Now every domain directory inside /var/www can go to phpmyadmin writing in url address: www.domain$.com/phpmyadmin

    You mean that I should delete the link of phpmyadmin from /var/www and create it into /var/www/domain$ and create .htaccess there, right?

    If not what is the best way to do it?

    Thank you for your support!
     
    Last edited: Oct 13, 2008
  14. falko

    falko Super Moderator ISPConfig Developer

    Try this:
    Code:
    ln -s /usr/share/phpmyadmin /var/www/domain1/phpmyadmin
     
  15. hhhhhh

    hhhhhh New Member

    Hello,

    I solved the issue. I'm going to explain if anyone have the same error:

    I had in /etc/apache2/conf.d directory the following file: @phpmyadmin.conf

    This file are not a real file, was a link file from /etc/phpmyadmin/apache.conf
    It had the same content.
    For that reason the .htaccess didn't apply its protections.

    I deleted the linked file @phpmyadmin and make new ones inside folders of domains to /usr/share/phpmyadmin instead of link to etc/phpmyadmin/apache2.conf. Now .htaccess and .htpasswd run perfect.

    Thank you for your support!
     

Share This Page