Protect phpMyAdmin directory issue

Discussion in 'Installation/Configuration' started by hhhhhh, Oct 7, 2008.

  1. hhhhhh

    hhhhhh New Member

    Hello,

    I am running Apache2 on my server with the following configuration:

    I've installed phpMyAdmin and I linked from /usr/shared/phpmyadmin to /var/www/phpmyadmin

    I have a few websites on the server using sites enabled, so I have:
    /var/www/domain1/
    /var/www/domain2/
    ...

    If I type the following in the address bar:
    Code:
    www.domain1.com/phpmyadmin
    the user goes to the phpMyAdmin page; it is not protected.

    How can I protect this directory with a user and password?

    I tried the following:

    I created a .htaccess file with the following info inside /var/www/phpmyadmin

    Code:
    AuthUserFile /etc/secret/.htpasswd
    AuthName "Login page"
    AuthType Basic
    Require valid-user
    And I created a .htpasswd file in /etc/secret with the following info:
    Code:
    User1:PasswordEncriptedWithmd5
    But nothing happens; when I enter the URL address
    Code:
    www.domain1.com/phpmyadmin
    the page shows everything without protection.

    I think that I need to add something else, but I don't know what it is.

    Can anyone help me?

    Thanks in advance!
     
  2. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    There should be a config.php file in /usr/shared/phpmyadmin where you can specify the authentication method.
     
  3. hhhhhh

    hhhhhh New Member

    Hi falko,
    Thank you for your reply.
    I searched inside this folder and found the following files:

    config.inc.php
    config.sample.inc.php
    config.footer.inc.php
    config.header.inc.php

    Config.inc.php has got the following inside:

    PHP:
    <?php
    /**
     * Please, do not edit this file. The configuration file for Debian
     * is located in the /etc/phpmyadmin directory.
     */

    // Load secret generated on postinst
    include('/var/lib/phpmyadmin/blowfish_secret.inc.php');

    // Load autoconf local config
    include('/var/lib/phpmyadmin/config.inc.php');

    // Load user's local config
    include('/etc/phpmyadmin/config.inc.php');

    // Set the default server if there is no defined
    if (!isset($cfg['Servers'])) {
        $cfg['Servers'][1]['host'] = 'localhost';
    }

    // Set the default values for $cfg['Servers'] entries
    for ($i=1; (!empty($cfg['Servers'][$i]['host']) || (isset($cfg['Servers'][$i]['connect_type']) && $cfg['Servers'][$i]['connect_type'] == 'socket')); $i++) {
        if (!isset($cfg['Servers'][$i]['auth_type'])) {
            $cfg['Servers'][$i]['auth_type'] = 'cookie';
        }
        if (!isset($cfg['Servers'][$i]['host'])) {
            $cfg['Servers'][$i]['host'] = 'localhost';
        }
        if (!isset($cfg['Servers'][$i]['connect_type'])) {
            $cfg['Servers'][$i]['connect_type'] = 'tcp';
        }
        if (!isset($cfg['Servers'][$i]['compress'])) {
            $cfg['Servers'][$i]['compress'] = false;
        }
        if (!isset($cfg['Servers'][$i]['extension'])) {
            $cfg['Servers'][$i]['extension'] = 'mysql';
        }
    }


    And config.sample.inc.php has this:
    PHP:
    <?php
    /* vim: set expandtab sw=4 ts=4 sts=4: */
    /**
     * phpMyAdmin sample configuration, you can use it as base for
     * manual configuration. For easier setup you can use scripts/setup.php
     *
     * All directives are explained in Documentation.html and on phpMyAdmin
     * wiki <http://wiki.cihar.com>.
     *
     * @version $Id: config.sample.inc.php 10142 2007-03-20 10:32:13Z cybot_tm $
     */

    /*
     * This is needed for cookie based authentication to encrypt password in
     * cookie
     */
    $cfg['blowfish_secret'] = ''; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */

    /*
     * Servers configuration
     */
    $i = 0;

    /*
     * First server
     */
    $i++;
    /* Authentication type */
    $cfg['Servers'][$i]['auth_type'] = 'cookie';
    /* Server parameters */
    $cfg['Servers'][$i]['host'] = 'localhost';
    $cfg['Servers'][$i]['connect_type'] = 'tcp';
    $cfg['Servers'][$i]['compress'] = false;
    /* Select mysqli if your server has it */
    $cfg['Servers'][$i]['extension'] = 'mysql';
    /* User for advanced features */
    // $cfg['Servers'][$i]['controluser'] = 'pma';
    // $cfg['Servers'][$i]['controlpass'] = 'pmapass';
    /* Advanced phpMyAdmin features */
    // $cfg['Servers'][$i]['pmadb'] = 'phpmyadmin';
    // $cfg['Servers'][$i]['bookmarktable'] = 'pma_bookmark';
    // $cfg['Servers'][$i]['relation'] = 'pma_relation';
    // $cfg['Servers'][$i]['table_info'] = 'pma_table_info';
    // $cfg['Servers'][$i]['table_coords'] = 'pma_table_coords';
    // $cfg['Servers'][$i]['pdf_pages'] = 'pma_pdf_pages';
    // $cfg['Servers'][$i]['column_info'] = 'pma_column_info';
    // $cfg['Servers'][$i]['history'] = 'pma_history';
    // $cfg['Servers'][$i]['designer_coords'] = 'pma_designer_coords';

    /*
     * End of servers configuration
     */

    /*
     * Directories for saving/loading files from server
     */
    $cfg['UploadDir'] = '';
    $cfg['SaveDir'] = '';

    ?>
    This is the default configuration.

    How can I modify these files to allow the protection?

    Maybe by removing the comments on these lines?

    // $cfg['Servers'][$i]['controluser'] = 'pma';
    // $cfg['Servers'][$i]['controlpass'] = 'pmapass';

    Thank you in advance
     
  4. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    Please check /var/lib/phpmyadmin/config.inc.php and /etc/phpmyadmin/config.inc.php.
     
  5. hhhhhh

    hhhhhh New Member

    Hi falko,

    Thanks for your reply

    I've checked /var/lib/phpmyadmin/config.inc.php and it is empty

    And /etc/phpmyadmin/config.inc.php displays the following:

    PHP:
    <?php
    /**
     * Debian local configuration file
     *
     * This file overrides the settings made by phpMyAdmin interactive setup
     * utility.
     *
     * For example configuration see /usr/share/doc/phpmyadmin/examples/config.default.php.gz
     *
     * NOTE: do not add security sensitive data to this file (like passwords)
     * unless you really know what you're doing. If you do, any user that can
     * run PHP or CGI on your webserver will be able to read them. If you still
     * want to do this, make sure to properly secure the access to this file
     * (also on the filesystem level).
     */

    /**
     * Server(s) configuration
     */
    $i = 0;
    // The $cfg['Servers'] array starts with $cfg['Servers'][1].  Do not use $cfg['Servers'][0].
    // You can disable a server config entry by setting host to ''.
    $i++;

    /* Authentication type */
    //$cfg['Servers'][$i]['auth_type'] = 'cookie';
    /* Server parameters */
    //$cfg['Servers'][$i]['host'] = 'localhost';
    //$cfg['Servers'][$i]['connect_type'] = 'tcp';
    //$cfg['Servers'][$i]['compress'] = false;
    /* Select mysqli if your server has it */
    //$cfg['Servers'][$i]['extension'] = 'mysql';
    /* Optional: User for advanced features */
    // $cfg['Servers'][$i]['controluser'] = 'pma';
    // $cfg['Servers'][$i]['controlpass'] = 'pmapass';
    /* Optional: Advanced phpMyAdmin features */
    // $cfg['Servers'][$i]['pmadb'] = 'phpmyadmin';
    // $cfg['Servers'][$i]['bookmarktable'] = 'pma_bookmark';
    // $cfg['Servers'][$i]['relation'] = 'pma_relation';
    // $cfg['Servers'][$i]['table_info'] = 'pma_table_info';
    // $cfg['Servers'][$i]['table_coords'] = 'pma_table_coords';
    // $cfg['Servers'][$i]['pdf_pages'] = 'pma_pdf_pages';
    // $cfg['Servers'][$i]['column_info'] = 'pma_column_info';
    // $cfg['Servers'][$i]['history'] = 'pma_history';
    // $cfg['Servers'][$i]['designer_coords'] = 'pma_designer_coords';

    /*
     * End of servers configuration
     */

    /*
     * Directories for saving/loading files from server
     */
    $cfg['UploadDir'] = '';
    $cfg['SaveDir'] = '';
    Should I remove the comment on the //$cfg['Servers'][$i]['auth_type'] = 'cookie'; line?

    Thanks in advance!
     
  6. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    Yes, you can try that.
     
  7. hhhhhh

    hhhhhh New Member

    The same, User&pass alert from .htaccess didn't show :(
     
  8. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    Can you post the vhost configuration for domain1?
     
  9. hhhhhh

    hhhhhh New Member

    Hello!

    Thank you for your reply and support!

    Code:
    <VirtualHost *>
            ServerAdmin root@domain1.info
            ServerName www.domain1.com
            DocumentRoot /var/www/domain1/
            <Directory />
                    Options FollowSymLinks
                    AllowOverride None
            </Directory>
            <Directory /var/www/domain1/>
                    Options Indexes FollowSymLinks MultiViews
                    AllowOverride All
                    Order allow,deny
                    allow from all
            </Directory>
    
            ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
            <Directory "/usr/lib/cgi-bin">
                    AllowOverride None
                    Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                    Order allow,deny
                    Allow from all
            </Directory>
    
            ErrorLog /var/log/apache2/error.log
    
            # Possible values include: debug, info, notice, warn, error, crit,
            # alert, emerg.
            LogLevel warn
    
            CustomLog /var/log/apache2/access.log combined
            ServerSignature On
    
        Alias /doc/ "/usr/share/doc/"
        <Directory "/usr/share/doc/">
            Options Indexes MultiViews FollowSymLinks
            AllowOverride None
            Order deny,allow
            Deny from all
            Allow from 127.0.0.0/255.0.0.0 ::1/128
        </Directory>
    
    </VirtualHost>
    It is located in /etc/apache2/sites-available/domain1.com

    Thank you!!
     
  10. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    What's the output of
    Code:
    ls -la /var/www/domain1/
    ?
     
  11. hhhhhh

    hhhhhh New Member

    Hello falko!

    Thank you for your reply.

    The display info was:

    Code:
    total 8
    drwxr-xr-x  2 root root 4096 2008-10-07 17:10 .
    drwxr-xr-x 14 root root 4096 2008-10-10 23:32 ..
    Thank you for your support with me falko
     
  12. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    But there's nothing in the directory - no .htaccess, no phpMyAdmin, etc. :confused:
     
  13. hhhhhh

    hhhhhh New Member

    Yes, phpmyadmin is inside /var/www/ not inside /var/www/domain1/

    And phpmyadmin is linked from /usr/share/phpmyadmin

    The .htaccess is inside /usr/share/phpmyadmin

    Now every domain directory inside /var/www can go to phpmyadmin by writing in the URL address: www.domain$.com/phpmyadmin

    You mean that I should delete the link of phpmyadmin from /var/www and create it in /var/www/domain$ and create .htaccess there, right?

    If not, what is the best way to do it?

    Thank you for your support!
     
    Last edited: Oct 13, 2008
  14. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    Try this:
    Code:
    ln -s /usr/share/phpmyadmin /var/www/domain1/phpmyadmin
     
  15. hhhhhh

    hhhhhh New Member

    Hello,

    I solved the issue. I'm going to explain in case anyone has the same error:

    I had the following file in the /etc/apache2/conf.d directory: @phpmyadmin.conf

    This file was not a real file; it was a link file from /etc/phpmyadmin/apache.conf
    It had the same content.
    For that reason the .htaccess didn't apply its protections.

    I deleted the linked file @phpmyadmin and made new ones inside the domains' folders to /usr/share/phpmyadmin instead of the link to etc/phpmyadmin/apache2.conf. Now .htaccess and .htpasswd run perfectly.

    Thank you for your support!
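
Whether Apache reads a `.htaccess` file at all depends on the `AllowOverride` value in effect for the filesystem path a request maps to. The added example below (not code from the thread or from phpMyAdmin) applies that rule to the `<Directory>` blocks of the vhost posted above. It assumes the conf.d file mapped `/phpmyadmin` to /usr/share/phpmyadmin without setting `AllowOverride` itself, and it handles plain-path sections only.

```python
import re

# Constructed sample: the <Directory> blocks of the vhost posted in the thread,
# reduced to the directives that matter here.
VHOST = """
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory /var/www/domain1/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
</Directory>
<Directory "/usr/lib/cgi-bin">
    AllowOverride None
</Directory>
<Directory "/usr/share/doc/">
    AllowOverride None
</Directory>
"""

SECTION = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)
OVERRIDE = re.compile(r'^\s*AllowOverride\s+(.+?)\s*$', re.M | re.I)


def effective_allow_override(conf, fs_path):
    """AllowOverride that applies to fs_path, or None if no section sets it.

    Apache merges plain <Directory> sections from the shortest matching path
    to the longest, so the deepest section that sets AllowOverride wins. The
    path is matched as requested; symlinks are not resolved first.
    """
    target = fs_path.rstrip("/") + "/"
    best_len, best_value = -1, None
    for directory, body in SECTION.findall(conf):
        prefix = directory.rstrip("/") + "/"
        found = OVERRIDE.search(body)
        if found and target.startswith(prefix) and len(prefix) > best_len:
            best_len, best_value = len(prefix), found.group(1)
    return best_value


def htaccess_auth_honoured(conf, fs_path):
    """Auth directives in .htaccess need AllowOverride All or AuthConfig."""
    # No matching section is treated as "not honoured" (the default varies by version).
    tokens = (effective_allow_override(conf, fs_path) or "").lower().split()
    return "all" in tokens or "authconfig" in tokens
```

For `/usr/share/phpmyadmin` the result is `None`, so a `.htaccess` there is ignored; for `/var/www/domain1/phpmyadmin` it is `All`, which is consistent with the password prompt appearing once the per-domain symlink was used.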
     
