Install and Secure phpMyAdmin on Debian 12

This tutorial shows you how to install, configure, and secure phpMyAdmin with a LAMP stack on Debian 12 Bookworm. phpMyAdmin is a GUI tool for managing databases such as MariaDB and MySQL.

To see how to install and access phpMyAdmin on Debian 12, follow the steps below.

How To Install and Secure phpMyAdmin on Debian 12?

To set up phpMyAdmin, you need some requirements first.

Requirements

You must log in to your server as a non-root user and set up a basic firewall. For this purpose, you can visit this guide on Initial Server Setup with Debian 12 Bookworm.

Because we want to install phpMyAdmin with a LAMP stack, you must first install the LAMP stack on your server. To do this, you can check this guide on How To Install LAMP Stack on Debian 12.

Also, you need a domain name that is pointed to your server’s IP address.

When you are done, follow the steps below to start your phpMyAdmin installation.

Step 1 – Install PHP Extensions for phpMyAdmin

First, you need to update and upgrade the APT packages with the following command:

sudo apt update
sudo apt upgrade -y

Then, install the PHP extensions with the following command:

sudo apt install php-mbstring php-zip php-gd php-xml -y

Step 2 – Download Latest phpMyAdmin From Source

At this point, you need to visit the phpMyAdmin Downloads page, find the latest version, and copy its download link ending with tar.gz.

Note: In this article, we will use the all-languages package to install phpMyAdmin. If you want to use it in English, you can install the English package. Remember to replace the links and file names in the following commands.

Now you can use the wget command with the link you have copied to download the tarball of phpMyAdmin:

sudo wget https://files.phpmyadmin.net/phpMyAdmin/5.2.1/phpMyAdmin-5.2.1-all-languages.tar.gz

Then extract the file with the following command:

sudo tar xvf phpMyAdmin-5.2.1-all-languages.tar.gz

At this point, you need to move the phpMyAdmin directory and all its subdirectories to the /usr/share/ directory and rename the directory in place to just phpmyadmin.

To do this, run the following command:

sudo mv phpMyAdmin-5.2.1-all-languages/ /usr/share/phpmyadmin

Step 3 – How To Manually Configure phpMyAdmin on Debian 12?

Because you have installed phpMyAdmin from the source, you need to configure it manually.

First, create a new directory where phpMyAdmin can store its temporary files with the following command:

sudo mkdir -p /var/lib/phpmyadmin/tmp

Then, set the correct ownership for the directory with the command below:

sudo chown -R www-data:www-data /var/lib/phpmyadmin

The archive that you have extracted includes a sample configuration file that you can use as your base configuration file. Copy the file within the /usr/share/phpmyadmin directory and name the copy config.inc.php with the following command:

sudo cp /usr/share/phpmyadmin/config.sample.inc.php /usr/share/phpmyadmin/config.inc.php

Now open the file with your favorite text editor. Here we use the vi editor:

sudo vi /usr/share/phpmyadmin/config.inc.php

phpMyAdmin uses the cookie authentication method by default, which allows you to log in to phpMyAdmin as any valid MariaDB user with the help of cookies.

In this method, the MariaDB user password is stored and encrypted with the AES algorithm in a temporary cookie.

Historically, phpMyAdmin instead used the Blowfish cipher for this purpose, and this is still reflected in its configuration file.

Blowfish Cipher in phpMyAdmin Config File

In the file, look for the $cfg['blowfish_secret'] line and enter a string of 32 random characters between the single quotes. You don’t need to remember it.

. . .
$cfg['blowfish_secret'] = 'THIRTYTWORSTRINGOFANDOMCHARACTERS'; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */
. . .

Next, search for the /* User used to manipulate with storage */ line. This part has some directives that define a MariaDB user named pma which performs administrative tasks within phpMyAdmin.

Uncomment the “controluser” and “controlpass” directives by removing the preceding slashes. Then update the controlpass directive to point to a secure password of your choosing.

After you make these changes, it should be like this:

. . .
/* User used to manipulate with storage */
// $cfg['Servers'][$i]['controlhost'] = '';
// $cfg['Servers'][$i]['controlport'] = '';
$cfg['Servers'][$i]['controluser'] = 'pma';
$cfg['Servers'][$i]['controlpass'] = 'password';
. . .

Below this part, you will see the /* Storage database and tables */ line. You should uncomment each line in this part by removing the slashes at the beginning of each line so it looks like this:

. . .
/* Storage database and tables */
$cfg['Servers'][$i]['pmadb'] = 'phpmyadmin';
$cfg['Servers'][$i]['bookmarktable'] = 'pma__bookmark';
$cfg['Servers'][$i]['relation'] = 'pma__relation';
$cfg['Servers'][$i]['table_info'] = 'pma__table_info';
$cfg['Servers'][$i]['table_coords'] = 'pma__table_coords';
$cfg['Servers'][$i]['pdf_pages'] = 'pma__pdf_pages';
$cfg['Servers'][$i]['column_info'] = 'pma__column_info';
$cfg['Servers'][$i]['history'] = 'pma__history';
$cfg['Servers'][$i]['table_uiprefs'] = 'pma__table_uiprefs';
$cfg['Servers'][$i]['tracking'] = 'pma__tracking';
$cfg['Servers'][$i]['userconfig'] = 'pma__userconfig';
$cfg['Servers'][$i]['recent'] = 'pma__recent';
$cfg['Servers'][$i]['favorite'] = 'pma__favorite';
$cfg['Servers'][$i]['users'] = 'pma__users';
$cfg['Servers'][$i]['usergroups'] = 'pma__usergroups';
$cfg['Servers'][$i]['navigationhiding'] = 'pma__navigationhiding';
$cfg['Servers'][$i]['savedsearches'] = 'pma__savedsearches';
$cfg['Servers'][$i]['central_columns'] = 'pma__central_columns';
$cfg['Servers'][$i]['designer_settings'] = 'pma__designer_settings';
$cfg['Servers'][$i]['export_templates'] = 'pma__export_templates';
. . .

Then, add the following line at the bottom of the file. phpMyAdmin will use this temporary directory as a templates cache which allows for faster page loading:

. . .
$cfg['TempDir'] = '/var/lib/phpmyadmin/tmp';

When you are finished, save and close the file.
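One way to fill in and check the values edited in this step, given as an added example that is not part of the original tutorial or of phpMyAdmin. The helper names (gen_secret, cfg_value, set_secret, audit_config) are hypothetical, and the world-readable check is an added assumption about who needs to read the file.

```shell
#!/bin/sh
# Added example, not from the tutorial or the phpMyAdmin project.

# 32 random hex characters: 16 bytes read from the kernel CSPRNG.
gen_secret() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Print the single-quoted value of an active (uncommented) $cfg setting.
# $1 = path to config.inc.php, $2 = key name, e.g. blowfish_secret
cfg_value() {
    sed -n "s/^[[:space:]]*[\$]cfg.*\['$2'][[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# Replace the blowfish_secret value with a freshly generated one.
set_secret() {
    new=$(gen_secret)
    tmp=$(mktemp) || return 1
    sed "s/^\([[:space:]]*[\$]cfg\['blowfish_secret'][[:space:]]*=[[:space:]]*\)'[^']*'/\1'$new'/" "$1" > "$tmp" &&
        cat "$tmp" > "$1"      # overwrite in place: owner and mode are kept
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Print one line per weak setting and return the number of findings.
audit_config() {
    findings=0
    secret=$(cfg_value "$1" blowfish_secret)
    if [ "${#secret}" -ne 32 ]; then
        echo "blowfish_secret has ${#secret} characters, expected 32"
        findings=$((findings + 1))
    fi
    case $(cfg_value "$1" controlpass) in
        '' | password)
            echo "controlpass is unset or still the tutorial placeholder"
            findings=$((findings + 1)) ;;
    esac
    # The file holds controlpass in clear text. Assumption: only root and
    # the www-data group need it (chown root:www-data, chmod 640).
    if [ -n "$(find "$1" -perm -004)" ]; then
        echo "config file is world-readable"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Usage: sh audit.sh /usr/share/phpmyadmin/config.inc.php
if [ $# -gt 0 ]; then audit_config "$1"; fi
```

The exit status is the number of findings, so 0 means all three checks passed. Call set_secret on the file first if the secret still has the wrong length.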

Step 4 – Create phpMyAdmin storage database and tables on Debian 12

At this point, you need to create the phpMyAdmin storage database and tables on Debian 12. Use the create_tables.sql file that comes from the installation of phpMyAdmin to create the configuration storage database and tables:

sudo mariadb < /usr/share/phpmyadmin/sql/create_tables.sql

Then, create the administrative pma user. To do this open the MariaDB console:

sudo mariadb -u root -p

Now create the user and give it the correct permissions with the following command:

Remember to replace the password phrase with the password that you have defined in the config.inc.php file.

MariaDB [(none)]> GRANT SELECT, INSERT, UPDATE, DELETE ON phpmyadmin.* TO 'pma'@'localhost' IDENTIFIED BY 'password';

It’s recommended to log in to your phpMyAdmin with another MariaDB user instead of pma. So create the user and give it the correct permissions with a strong password with the following command:

MariaDB [(none)]> GRANT ALL PRIVILEGES ON *.* TO 'orca'@'localhost' IDENTIFIED BY 'password' WITH GRANT OPTION;

Flush the privileges and exit from the MariaDB shell:

MariaDB [(none)]> FLUSH PRIVILEGES;
MariaDB [(none)]> EXIT;

phpMyAdmin is now fully installed and configured on Debian 12. Now you need to create an Apache configuration to serve the application.

Step 5 – Apache Configuration for phpMyAdmin on Debian 12

For configuring Apache to serve phpMyAdmin on Debian 12, you need to create a file named phpmyadmin.conf in the /etc/apache2/conf-available directory with the following command:

sudo vi /etc/apache2/conf-available/phpmyadmin.conf

Then add the following content to the file:

# phpMyAdmin default Apache configuration

Alias /phpmyadmin /usr/share/phpmyadmin

<Directory /usr/share/phpmyadmin>
    Options SymLinksIfOwnerMatch
    DirectoryIndex index.php

    <IfModule mod_php5.c>
        <IfModule mod_mime.c>
            AddType application/x-httpd-php .php
        </IfModule>
        <FilesMatch ".+\.php$">
            SetHandler application/x-httpd-php
        </FilesMatch>

        php_value include_path .
        php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp
        php_admin_value open_basedir /usr/share/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/:/usr/share/php/php-gettext/:/usr/share/php/php-php-gettext/:/usr/share/javascript/:/usr/share/php/tcpdf/:/usr/share/doc/phpmyadmin/:/usr/share/php/phpseclib/
        php_admin_value mbstring.func_overload 0
    </IfModule>
    <IfModule mod_php.c>
        <IfModule mod_mime.c>
            AddType application/x-httpd-php .php
        </IfModule>
        <FilesMatch ".+\.php$">
            SetHandler application/x-httpd-php
        </FilesMatch>

        php_value include_path .
        php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp
        php_admin_value open_basedir /usr/share/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/:/usr/share/php/php-gettext/:/usr/share/php/php-php-gettext/:/usr/share/javascript/:/usr/share/php/tcpdf/:/usr/share/doc/phpmyadmin/:/usr/share/php/phpseclib/
        php_admin_value mbstring.func_overload 0
    </IfModule>

</Directory>

# Authorize for setup
<Directory /usr/share/phpmyadmin/setup>
    <IfModule mod_authz_core.c>
        <IfModule mod_authn_file.c>
            AuthType Basic
            AuthName "phpMyAdmin Setup"
            AuthUserFile /etc/phpmyadmin/htpasswd.setup
        </IfModule>
        Require valid-user
    </IfModule>
</Directory>

# Disallow web access to directories that don't need it
<Directory /usr/share/phpmyadmin/templates>
    Require all denied
</Directory>
<Directory /usr/share/phpmyadmin/libraries>
    Require all denied
</Directory>
<Directory /usr/share/phpmyadmin/setup/lib>
    Require all denied
</Directory>

Save and close the file when you are finished.

Now enable it with the following command:

sudo a2enconf phpmyadmin.conf

To apply the changes, reload Apache:

sudo systemctl reload apache2

Step 6 – Access phpMyAdmin Web Interface

Now you can access the phpMyAdmin login screen on Debian 12 by typing your domain name or IP address followed by phpmyadmin:

http://your_domain_or_IP/phpmyadmin

You should see the following page. Enter the MariaDB user and password that you have configured and click login.

phpMyAdmin login screen

After you log in you will see something like this:

phpMyAdmin dashboard

Now you can connect and interact with phpMyAdmin on Debian 12.

Step 7 – How To Secure phpMyAdmin on Debian 12?

phpMyAdmin is a popular target for attackers. To protect it, you can place a gateway in front of the entire application by using Apache’s built-in “.htaccess” authentication and authorization functionalities.

To secure phpMyAdmin on Debian 12, you first need to enable .htaccess file overrides by editing your Apache configuration file.

Open the file with the following command:

sudo vi /etc/apache2/conf-available/phpmyadmin.conf

Then, add the “AllowOverride All” directive into the <Directory /usr/share/phpmyadmin> part of the configuration file:

<Directory /usr/share/phpmyadmin>
    Options SymLinksIfOwnerMatch
    DirectoryIndex index.php
    AllowOverride All

    <IfModule mod_php5.c>
    . . .

When you are finished, save and close the file.

To apply these changes, restart Apache:

sudo systemctl restart apache2

Now that .htaccess overrides are enabled, you can create the file with the following command:

sudo vi /usr/share/phpmyadmin/.htaccess

Add the following content to the file:

AuthType Basic
AuthName "Restricted Files"
AuthUserFile /usr/share/phpmyadmin/.htpasswd
Require valid-user

When you are done, save and close the file.

At this point, you can create the password file that you named in the AuthUserFile line, along with an initial user, with the following command:

sudo htpasswd -c /usr/share/phpmyadmin/.htpasswd username

You will be asked to enter a new password for the user you are creating.

If you want to enter an additional user, run the following command:

sudo htpasswd /usr/share/phpmyadmin/.htpasswd additionaluser

Now you can access the phpMyAdmin login screen again:

https://your-domain-name/phpmyadmin

You will see something similar to this:

Apache’s built-in “.htaccess” authentication for phpMyAdmin

After you enter the Apache authentication, you will be taken to the phpMyAdmin login screen.
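A static check of the gateway set up in this step, given as an added example that is not part of the original tutorial or of Apache or phpMyAdmin. The function names are hypothetical, the AllowOverride test is a plain text match rather than a full parse of the configuration, and treating non-bcrypt entries as a problem is an added assumption (htpasswd -B writes bcrypt hashes).

```shell
#!/bin/sh
# Added example, not from the tutorial or from Apache/phpMyAdmin.

# Print the path named by AuthUserFile in an .htaccess file.
auth_user_file() {
    awk 'tolower($1) == "authuserfile" { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# $1 = directory holding .htaccess, $2 = Apache conf file for that directory.
# Prints one line per problem and returns the number of problems.
check_gate() {
    dir=${1%/} conf=$2 problems=0
    fail() { echo "$1"; problems=$((problems + 1)); }

    # Without AllowOverride All (or AuthConfig) Apache ignores .htaccess
    # and serves the application with no gate at all.
    # Plain text match: it does not check which <Directory> block it is in.
    grep -Eiq '^[[:space:]]*AllowOverride[[:space:]]+.*(All|AuthConfig)' "$conf" ||
        fail "$conf: no AllowOverride All/AuthConfig, .htaccess is ignored"

    if [ ! -f "$dir/.htaccess" ]; then
        fail "$dir/.htaccess is missing"
        return "$problems"
    fi
    grep -Eiq '^[[:space:]]*Require[[:space:]]+(valid-user|user|group)' "$dir/.htaccess" ||
        fail ".htaccess has no Require valid-user/user/group line"

    pw=$(auth_user_file "$dir/.htaccess")
    if [ ! -s "$pw" ]; then
        # Also catches users added with htpasswd to a different path.
        fail "AuthUserFile '$pw' is missing or empty"
        return "$problems"
    fi
    # Inside the served directory the file is protected only by the
    # stock Apache rule that denies requests for .ht* names.
    case $pw in
        "$dir"/*) fail "$pw is inside the served directory" ;;
    esac
    # htpasswd writes user:hash; only bcrypt hashes ($2y$) pass this check.
    weak=$(awk -F: 'NF > 1 && $2 !~ /^\$2y\$/ { n++ } END { print n + 0 }' "$pw")
    [ "$weak" -eq 0 ] || fail "$weak entry/entries in $pw not hashed with bcrypt"
    return "$problems"
}

# Usage: sh gate.sh /usr/share/phpmyadmin /etc/apache2/conf-available/phpmyadmin.conf
if [ $# -eq 2 ]; then check_gate "$1" "$2"; fi
```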

Conclusion

At this point, you have learned to install, configure, and secure phpMyAdmin with a LAMP stack on Debian 12 Bookworm. You have also learned to access your dashboard and secure it with Apache’s built-in “.htaccess” authentication and authorization functionalities.
