Archive for the ‘Apache’ Category

Apache Config on Debian for phpMyAdmin

Monday, July 2nd, 2007

I’ve just been installing phpMyAdmin on a Debian server. This is very easy; simply:

# apt-get install phpmyadmin

However, if you are working on a machine with many vhosts, you need to set up a vhost for pma. Again this is not difficult, the vhost is mostly standard. The following allows access to the phpMyAdmin vhost over HTTPS on port 50002 with basic authentication. It assumes that the public (/etc/apache2/ssl/phpmyadmin.example.com.public.pem) and private (/etc/apache2/ssl/phpmyadmin.example.com.private.pem) key files, the password file (/etc/apache2/passwords/passwords) and the group file (/etc/apache2/passwords/groups) exist and that port 50002 is not blocked by the firewall.

<VirtualHost 1.2.3.4:80>
    ServerName phpmyadmin.example.com

    Redirect permanent / https://phpmyadmin.example.com:50002/
</VirtualHost>

Listen 50002
NameVirtualHost 1.2.3.4:50002

<VirtualHost 1.2.3.4:50002>
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/phpmyadmin.example.com.public.pem
    SSLCertificateKeyFile /etc/apache2/ssl/phpmyadmin.example.com.private.pem

    ServerName phpmyadmin.example.com

    DocumentRoot /var/www/phpmyadmin

    <Location />
        AuthType Basic
        AuthName "phpmyadmin on example.com"
        AuthUserFile /etc/apache2/passwords/passwords
        AuthGroupFile /etc/apache2/passwords/groups
        Require group developers
    </Location>
</VirtualHost>

You run into difficulties, though, when you restart the server if you have the default AllowOverride settings. Normally it’s a good security practice to keep your Apache configuration as locked down as possible and only allow directives to be overridden when it’s necessary. Equivalent statements are true in any field of computer with regards to security. phpMyAdmin’s .htaccess file (as supplied via apt) has a number of directives that are not allowed by default config and it’s necessary to allow them in the vhost conf file.

I came up with:

<Directory /var/www/phpmyadmin>
    AllowOverride Options Indexes FileInfo Limit AuthConfig
</Directory>

Details of the AllowOverride dirctive can be found at

http://httpd.apache.org/docs/2.0/mod/core.html#allowoverride

I have to admit that I’m a little confused about the way that they grouped the directives that you can allow to be overridden. Why are AuthConfig and Limit separate groups? There seems to be a lot of semantic overlap there. What about allowing Options to be overridden? What if a sys admin wants to limit which individual options can be overridden?

Altogether, that’s:

<VirtualHost 1.2.3.4:80>
    ServerName phpmyadmin.example.com

    Redirect permanent / https://phpmyadmin.example.com:50002/
</VirtualHost>

Listen 50002
NameVirtualHost 1.2.3.4:50002

<VirtualHost 1.2.3.4:50002>
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/phpmyadmin.example.com.public.pem
    SSLCertificateKeyFile /etc/apache2/ssl/phpmyadmin.example.com.private.pem

    ServerName phpmyadmin.example.com

    DocumentRoot /var/www/phpmyadmin

    <Directory /var/www/phpmyadmin>
        AllowOverride Options Indexes FileInfo Limit AuthConfig
    </Directory>

    <Location />
        AuthType Basic
        AuthName "phpmyadmin on example.com"
        AuthUserFile /etc/apache2/passwords/passwords
        AuthGroupFile /etc/apache2/passwords/groups
        Require group developers
    </Location>
</VirtualHost>