How To Install and Secure phpMyAdmin on Debian 11

This article shows how to install and secure phpMyAdmin on Debian 11.

phpMyAdmin is a tool for managing and administering databases such as MariaDB and MySQL.

Steps To Install and Secure phpMyAdmin on Debian 11

Before you start to install phpMyAdmin on Debian 11, you need some requirements first.

Requirements

  1. Log in to your server as a non-root user with sudo privileges, with a basic firewall set up. For this, see our article about the Initial server setup with Debian 11.
  2. A fully registered domain name.
  3. Install LAMP (Linux, Apache, MariaDB, PHP) on your server and set up Apache virtual hosts. For this, see our article about How To Install the LAMP stack on Debian 11.
  4. Configure your domain with an SSL/TLS certificate. For this, see How to Secure Apache with Let’s Encrypt on Debian 11.

When you are done with these requirements you can start to install phpMyAdmin on Debian 11.

Install phpMyAdmin on Debian 11

First of all, you need to install a few PHP extensions onto your server to enable certain functionalities and improve performance.

Update and upgrade the APT packages with the following command:

sudo apt update && sudo apt upgrade

Install the PHP extensions with the following command:

sudo apt install php-mbstring php-zip php-gd php-xml

phpMyAdmin is not available in the Debian default repository.

Download phpMyAdmin on Debian

Because of this, you need to download the source code to your server from the phpMyAdmin site. Go to the phpMyAdmin Downloads page, find the latest version, and copy the download link that ends with tar.gz.

Note: In this article, we will use the all-languages package to install phpMyAdmin. If you only need English, you can install the English package instead. Remember to replace the links and file names in the following commands.

Now you can use the wget command with the link you have copied to download the tarball of phpMyAdmin:

wget https://files.phpmyadmin.net/phpMyAdmin/5.1.1/phpMyAdmin-5.1.1-all-languages.tar.gz

Then extract the file with the following command:

tar xvf phpMyAdmin-5.1.1-all-languages.tar.gz

At this point, you need to move the phpMyAdmin-5.1.1-all-languages directory and all its subdirectories to the /usr/share/ directory and rename it to just phpmyadmin.

To do this run the following command:

sudo mv phpMyAdmin-5.1.1-all-languages/ /usr/share/phpmyadmin

phpMyAdmin is now installed on Debian 11. Next, you need to make some configuration changes so that you can access phpMyAdmin through a web browser.

Configure phpMyAdmin manually on Debian 11

Because you have installed phpMyAdmin from the source, you need to configure it manually.

First, create a new directory where phpMyAdmin can store its temporary files with the following command:

sudo mkdir -p /var/lib/phpmyadmin/tmp

Now set www-data, the Linux user account that web servers like Apache use by default for normal operations on Ubuntu and Debian systems, as the owner of this directory with the following command:

sudo chown -R www-data:www-data /var/lib/phpmyadmin

The archive that you extracted includes a sample configuration file that you can use as your base configuration. Copy it within the /usr/share/phpmyadmin directory under the name config.inc.php with the following command:

sudo cp /usr/share/phpmyadmin/config.sample.inc.php /usr/share/phpmyadmin/config.inc.php

Now open the file with your favorite text editor. We use vi:

sudo vi /usr/share/phpmyadmin/config.inc.php

phpMyAdmin uses the cookie authentication method by default, which allows you to log in to phpMyAdmin as any valid MariaDB user with the help of cookies.

In this method, the MariaDB user password is stored and encrypted with the AES algorithm in a temporary cookie.

Historically, phpMyAdmin instead used the Blowfish cipher for this purpose, and this is still reflected in its configuration file.

Blowfish Cipher

In the file, look for the $cfg['blowfish_secret'] line and, in between the single quotes, enter a string of 32 random characters. You don’t need to remember it.

. . .
$cfg['blowfish_secret'] = 'THIRTYTWORSTRINGOFANDOMCHARACTERS'; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */
. . .

Next, search for the /* User used to manipulate with storage */ line. This part has some directives that define a MariaDB user named pma, which performs administrative tasks within phpMyAdmin.

Uncomment the “controluser” and “controlpass” directives by removing the preceding slashes. Then set the controlpass directive to a secure password of your choosing.

After you make these changes, it should be like this:

. . .
/* User used to manipulate with storage */
// $cfg['Servers'][$i]['controlhost'] = '';
// $cfg['Servers'][$i]['controlport'] = '';
$cfg['Servers'][$i]['controluser'] = 'pma';
$cfg['Servers'][$i]['controlpass'] = 'password';
. . .

Below this part, you will see the /* Storage database and tables */ line. Uncomment each line in this part by removing the slashes at the beginning of each line so it looks like this:

. . .
/* Storage database and tables */
$cfg['Servers'][$i]['pmadb'] = 'phpmyadmin';
$cfg['Servers'][$i]['bookmarktable'] = 'pma__bookmark';
$cfg['Servers'][$i]['relation'] = 'pma__relation';
$cfg['Servers'][$i]['table_info'] = 'pma__table_info';
$cfg['Servers'][$i]['table_coords'] = 'pma__table_coords';
$cfg['Servers'][$i]['pdf_pages'] = 'pma__pdf_pages';
$cfg['Servers'][$i]['column_info'] = 'pma__column_info';
$cfg['Servers'][$i]['history'] = 'pma__history';
$cfg['Servers'][$i]['table_uiprefs'] = 'pma__table_uiprefs';
$cfg['Servers'][$i]['tracking'] = 'pma__tracking';
$cfg['Servers'][$i]['userconfig'] = 'pma__userconfig';
$cfg['Servers'][$i]['recent'] = 'pma__recent';
$cfg['Servers'][$i]['favorite'] = 'pma__favorite';
$cfg['Servers'][$i]['users'] = 'pma__users';
$cfg['Servers'][$i]['usergroups'] = 'pma__usergroups';
$cfg['Servers'][$i]['navigationhiding'] = 'pma__navigationhiding';
$cfg['Servers'][$i]['savedsearches'] = 'pma__savedsearches';
$cfg['Servers'][$i]['central_columns'] = 'pma__central_columns';
$cfg['Servers'][$i]['designer_settings'] = 'pma__designer_settings';
$cfg['Servers'][$i]['export_templates'] = 'pma__export_templates';
. . .

Then, add the following line to the bottom of the file. phpMyAdmin will use this temporary directory as a templates cache which allows for faster page loading:

. . .
$cfg['TempDir'] = '/var/lib/phpmyadmin/tmp';

When you are finished, save and close the file.
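A way to generate the 32-character secret and to check the edited file for leftover placeholders, as an added example that is not part of the original article. The function names are illustrative, and the sample configuration is constructed from the lines shown above.

```shell
#!/bin/sh
# Added example (not from the article): generate a cookie secret and audit
# config.inc.php for the placeholder values. Function names are illustrative.

# 16 bytes from the kernel CSPRNG, hex-encoded: exactly 32 characters.
gen_secret() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Print the single-quoted value of a $cfg key, skipping //-commented lines.
cfg_value() {   # $1 = key, $2 = config file
    grep -v '^[[:space:]]*//' "$2" |
        sed -n "s/.*\['$1'][[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" |
        head -n 1
}

# Return 0 if the file passes, 1 otherwise; prints one line per finding.
audit_pma_config() {   # $1 = config file
    f=$1; rc=0
    secret=$(cfg_value blowfish_secret "$f")
    pass=$(cfg_value controlpass "$f")
    if [ "${#secret}" -lt 32 ]; then
        echo "FAIL blowfish_secret has ${#secret} characters, need 32"; rc=1
    elif [ "$secret" = 'THIRTYTWORSTRINGOFANDOMCHARACTERS' ]; then
        echo "FAIL blowfish_secret is the article's placeholder"; rc=1
    fi
    case $pass in
        ''|password) echo "FAIL controlpass is empty or the placeholder"; rc=1 ;;
    esac
    if [ -n "$(find "$f" -perm -004)" ]; then
        echo "WARN $f is readable by every local user"
    fi
    return $rc
}

# Constructed sample that repeats the article's edited lines.
demo=$(mktemp)
cat > "$demo" <<'EOF'
$cfg['blowfish_secret'] = 'THIRTYTWORSTRINGOFANDOMCHARACTERS';
// $cfg['Servers'][$i]['controlhost'] = '';
$cfg['Servers'][$i]['controluser'] = 'pma';
$cfg['Servers'][$i]['controlpass'] = 'password';
EOF
audit_pma_config "$demo" || echo "replace the secret with: $(gen_secret)"
rm -f "$demo"
```

On a real install, run audit_pma_config against /usr/share/phpmyadmin/config.inc.php after editing it.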

Create the phpMyAdmin storage database and tables

At this point, you need to create the phpMyAdmin storage database and tables on Debian 11. Use the create_tables.sql file that comes from the installation of phpMyAdmin to create the configuration storage database and tables:

sudo mariadb < /usr/share/phpmyadmin/sql/create_tables.sql

Then, create the administrative pma user. To do this, open the MariaDB console:

sudo mariadb

Now create the user and give it the correct permissions with the following command:

Remember to replace the password phrase with the password that you have defined in the config.inc.php file.

MariaDB [(none)]> GRANT SELECT, INSERT, UPDATE, DELETE ON phpmyadmin.* TO 'pma'@'localhost' IDENTIFIED BY 'password';

It’s recommended to log in to your phpMyAdmin with another MariaDB user instead of pma.

Create the user and give it the correct permissions with a strong password with the following command:

MariaDB [(none)]> GRANT ALL PRIVILEGES ON *.* TO 'olivia'@'localhost' IDENTIFIED BY 'password' WITH GRANT OPTION;

Exit from the MariaDB shell with the following command:

MariaDB [(none)]> exit

phpMyAdmin is now fully installed and configured on Debian 11. Now you need to create an Apache configuration to serve the application.

Configure Apache to Serve phpMyAdmin on Debian

For configuring Apache to serve phpMyAdmin on Debian 11, you need to create a file named phpmyadmin.conf in the /etc/apache2/conf-available directory with the following command:

sudo vi /etc/apache2/conf-available/phpmyadmin.conf

Then add the following content to the file:

# phpMyAdmin default Apache configuration

Alias /phpmyadmin /usr/share/phpmyadmin

<Directory /usr/share/phpmyadmin>
Options SymLinksIfOwnerMatch
DirectoryIndex index.php

<IfModule mod_php5.c>
<IfModule mod_mime.c>
AddType application/x-httpd-php .php
</IfModule>
<FilesMatch ".+\.php$">
SetHandler application/x-httpd-php
</FilesMatch>

php_value include_path .
php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp
php_admin_value open_basedir /usr/share/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/:/usr/share/php/php-gettext/:/usr/share/php/php-php-gettext/:/usr/share/javascript/:/usr/share/php/tcpdf/:/usr/share/doc/phpmyadmin/:/usr/share/php/phpseclib/
php_admin_value mbstring.func_overload 0
</IfModule>
<IfModule mod_php.c>
<IfModule mod_mime.c>
AddType application/x-httpd-php .php
</IfModule>
<FilesMatch ".+\.php$">
SetHandler application/x-httpd-php
</FilesMatch>

php_value include_path .
php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp
php_admin_value open_basedir /usr/share/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/:/usr/share/php/php-gettext/:/usr/share/php/php-php-gettext/:/usr/share/javascript/:/usr/share/php/tcpdf/:/usr/share/doc/phpmyadmin/:/usr/share/php/phpseclib/
php_admin_value mbstring.func_overload 0
</IfModule>

</Directory>

# Authorize for setup
<Directory /usr/share/phpmyadmin/setup>
<IfModule mod_authz_core.c>
<IfModule mod_authn_file.c>
AuthType Basic
AuthName "phpMyAdmin Setup"
AuthUserFile /etc/phpmyadmin/htpasswd.setup
</IfModule>
Require valid-user
</IfModule>
</Directory>

# Disallow web access to directories that don't need it
<Directory /usr/share/phpmyadmin/templates>
Require all denied
</Directory>
<Directory /usr/share/phpmyadmin/libraries>
Require all denied
</Directory>
<Directory /usr/share/phpmyadmin/setup/lib>
Require all denied
</Directory>

Save and close the file when you are finished.

Now enable it with the following command:

sudo a2enconf phpmyadmin.conf

To apply the changes, reload Apache:

sudo systemctl reload apache2

Access phpMyAdmin Web Interface

Now you can access the phpMyAdmin login screen on Debian 11 by typing your domain name or IP address followed by phpmyadmin:

http://your_domain_or_IP/phpmyadmin

You should see:

phpMyAdmin login screen on Debian 11

Enter the MariaDB user and password that you have configured. After you log in, you will see something like this:

phpmyadmin interface

Now you can connect and interact with phpMyAdmin on Debian 11.

Let’s see how to secure phpMyAdmin on Debian 11.

How To Secure phpMyAdmin

phpMyAdmin is a popular target for attackers. To protect it, you can place a gateway in front of the entire application by using Apache’s built-in “.htaccess” authentication and authorization functionalities.

To secure phpMyAdmin on Debian 11, you first need to enable .htaccess file overrides by editing your Apache configuration file.

Open the file with the following command:

sudo vi /etc/apache2/conf-available/phpmyadmin.conf

Then, add the “AllowOverride All” directive into the <Directory /usr/share/phpmyadmin> part of the configuration file:

<Directory /usr/share/phpmyadmin>
Options SymLinksIfOwnerMatch
DirectoryIndex index.php
AllowOverride All

<IfModule mod_php5.c>
. . .

When you are finished, save and close the file.

To apply these changes, restart Apache:

sudo systemctl restart apache2

Now that .htaccess overrides are enabled, you can create the file with the following command:

sudo vi /usr/share/phpmyadmin/.htaccess

Add the following content to the file:

AuthType Basic
AuthName "Restricted Files"
AuthUserFile /usr/share/phpmyadmin/.htpasswd
Require valid-user

When you are done, save and close the file.

At this point, you can create the password file that you named in AuthUserFile, with an initial user, using the following command:

sudo htpasswd -c /usr/share/phpmyadmin/.htpasswd username

You will be asked to enter a new password for the user you are creating.

If you want to enter an additional user, run the following command:

sudo htpasswd /usr/share/phpmyadmin/.htpasswd additionaluser

Now you can access the phpMyAdmin login screen again:

https://your-domain-name/phpmyadmin

You will see something similar to this:

secure phpMyAdmin on Debian 11

After you enter the Apache authentication, you will be taken to the phpMyAdmin login screen.
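A file-level check that the gate above is complete, added here as an example and not taken from the original article: it confirms that the .htaccess requires Basic authentication and that the AuthUserFile it names is the file htpasswd actually wrote to. The function names are illustrative, the sample files are constructed, and an absolute AuthUserFile path is assumed.

```shell
#!/bin/sh
# Added example (not from the article): check that the .htaccess gate is complete.

# Print the AuthUserFile path from an .htaccess file, without surrounding quotes.
auth_user_file() {   # $1 = path to .htaccess
    sed -n 's/^[[:space:]]*AuthUserFile[[:space:]]\{1,\}\(.*\)$/\1/p' "$1" |
        tr -d '"' | head -n 1
}

# Return 0 only if Basic auth is required and the password file is usable.
check_gate() {   # $1 = path to .htaccess
    ht=$1
    grep -qi '^[[:space:]]*AuthType[[:space:]]\{1,\}Basic' "$ht" ||
        { echo "FAIL no 'AuthType Basic' in $ht"; return 1; }
    grep -qi '^[[:space:]]*Require[[:space:]]\{1,\}valid-user' "$ht" ||
        { echo "FAIL no 'Require valid-user' in $ht"; return 1; }
    pw=$(auth_user_file "$ht")
    [ -n "$pw" ] || { echo "FAIL no AuthUserFile in $ht"; return 1; }
    [ -f "$pw" ] || { echo "FAIL AuthUserFile $pw does not exist"; return 1; }
    users=$(grep -c '^[^:#][^:]*:.' "$pw") || true
    [ "$users" -gt 0 ] || { echo "FAIL $pw has no user entries"; return 1; }
    echo "OK $users user(s) in $pw"
}

# Constructed sample: the article's four directives in a scratch directory.
demo=$(mktemp -d)
cat > "$demo/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted Files"
AuthUserFile $demo/.htpasswd
Require valid-user
EOF
check_gate "$demo/.htaccess" || true       # FAIL: password file not created yet
echo 'username:$apr1$constructed$notARealHash' > "$demo/.htpasswd"
check_gate "$demo/.htaccess"               # OK: one user entry found
rm -rf "$demo"
```

On a real install, run check_gate against /usr/share/phpmyadmin/.htaccess with sudo so the password file can be read.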

Conclusion

At this point, you have learned to install, configure, and use phpMyAdmin on Debian 11, and to secure your phpMyAdmin so that it is protected from attackers.

Hope you enjoy this article about How to install and secure phpMyAdmin on Debian 11.
