PhpMyAdmin

Revision as of 20:03, 20 December 2018 by Tgurr (talk | contribs) (→‎Configuration)

Apache vhost configuration

File: /etc/apache2/vhosts.d/phpmyadmin.<domain>.conf
# Plain-HTTP vhost: it defines no DocumentRoot and only redirects requests
# to the HTTPS vhost.
<VirtualHost *:80>

    ServerName phpmyadmin.<domain>:80

    RewriteEngine On
    # Matches any request that did not arrive over TLS.
    RewriteCond %{HTTPS} !=on
    # R without a status code sends a temporary (302) redirect; L ends rewriting.
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

</VirtualHost>

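# HTTPS vhost serving phpMyAdmin. Access is limited to the internal address
# ranges in the <Directory> block and PHP is handed to a dedicated PHP-FPM pool.
<VirtualHost *:443>

    DocumentRoot "/var/www/phpmyadmin.<domain>/htdocs"
    ServerName phpmyadmin.<domain>:443
    DirectoryIndex index.php

    <Directory "/var/www/phpmyadmin.<domain>/htdocs">
        Options None
        # Limit lets .htaccess files below htdocs use host access-control directives.
        AllowOverride Limit
        # Partial addresses: only clients in 10.133.0.0/16 and 10.132.0.0/16 are admitted.
        Require ip 10.133 10.132
    </Directory>

    # PHP-FPM
    # Only file names ending in these extensions are passed to the pool socket.
    <FilesMatch "\.(php|php5|phtml)$">
        SetHandler "proxy:unix:/run/php-fpm-phpmyadmin.<domain>.sock|fcgi://localhost"
    </FilesMatch>

    SSLEngine On
    SSLCertificateFile /etc/ssl/apache2/phpmyadmin.<domain>/phpmyadmin.<domain>.crt
    # The private key should be readable by root only.
    SSLCertificateKeyFile /etc/ssl/apache2/phpmyadmin.<domain>/phpmyadmin.<domain>.key

    # Forward Secrecy
    # Source: https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy
    # TLS 1.0 and 1.1 are disabled in addition to SSLv2/SSLv3; an admin
    # interface reachable only from internal ranges has no need for them.
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    # The former EECDH+aRSA+RC4 entry was dead: the trailing !RC4 removes every
    # RC4 suite, so the effective cipher list is unchanged without it.
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

    # OCSP stapling
    # Requires an SSLStaplingCache defined at server level, outside any
    # <VirtualHost>; this file does not set one, so confirm the global
    # mod_ssl configuration provides it.
    SSLUseStapling on

    # Strict Transport Security (HSTS)
    # 180 days
    # Needs mod_headers; "always" also sets the header on error responses.
    Header always set Strict-Transport-Security "max-age=15552000"

</VirtualHost>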

PHP-FPM Configuration

# useradd --system --shell /bin/false --no-create-home --home /var/www/phpmyadmin.<domain> -g apache www-phpmyadmin
File: /etc/php/fpm-php7.2/fpm.d/phpmyadmin.<domain>.conf
; Dedicated PHP-FPM pool for phpMyAdmin, running under its own system user.
[phpmyadmin.<domain>]

; $pool expands to the pool name given in the section header.
prefix = /var/www/$pool

; Workers run as the dedicated user but with the web server's group.
; NOTE(review): with group = apache, anything that is group-accessible to
; apache is also reachable from this pool - confirm that this is intended.
user = www-phpmyadmin
group = apache

; Unix socket; the path matches the SetHandler target in the Apache vhost.
listen = /run/php-fpm-$pool.sock

; 0660: only the pool user and members of the apache group can connect.
listen.owner = www-phpmyadmin
listen.group = apache
listen.mode = 0660

pm = dynamic
pm.max_children = 50
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3

; php_admin_* settings cannot be overridden from PHP code via ini_set().
; open_basedir confines PHP file access to the listed paths.
; NOTE(review): the reason for including /usr/bin is not shown here - confirm it is needed.
php_admin_value[open_basedir] = /var/www/phpmyadmin.<domain>:/usr/bin:/usr/share/php
; Uploads, sessions and temp files stay inside the vhost directory instead of
; a shared system location. Presumably these directories must exist and be
; writable by www-phpmyadmin only; the page does not show that step.
php_admin_value[upload_tmp_dir] = /var/www/phpmyadmin.<domain>/tmp
php_admin_value[session.save_path] = /var/www/phpmyadmin.<domain>/session
php_admin_value[sys_temp_dir] = /var/www/phpmyadmin.<domain>/tmp
php_admin_value[date.timezone] = Europe/Berlin
; Caps the size of SQL dumps that can be imported through the browser.
php_admin_value[post_max_size] = 50M
php_admin_value[upload_max_filesize] = 50M

; enable logging
; Errors are written to the log file and never shown to the browser.
catch_workers_output = yes
php_admin_flag[display_errors] = off
php_admin_flag[log_errors] = on
php_admin_value[error_log] = /var/log/php-fpm.phpmyadmin.<domain>.log

Installation

File: /etc/portage/package.use
dev-db/phpmyadmin vhosts
# emerge phpmyadmin
# webapp-config -h phpmyadmin.<domain> -d / -I phpmyadmin 4.8.4
# mysql -u root -p < /usr/share/webapps/phpmyadmin/<version>/htdocs/sql/create_tables.sql
# mysql -u root -p
Code: Creating phpmyadmin control user
-- 'some_pass' is a placeholder: use a long random password and put the same
-- value into controlpass in config.inc.php.
CREATE USER 'phpmyadmin'@'localhost' IDENTIFIED BY 'some_pass';
Code: Granting phpmyadmin control user access to the phpMyAdmin database
-- Data-only privileges on the phpMyAdmin database; no schema-changing or GRANT rights.
GRANT SELECT, INSERT, UPDATE, DELETE ON phpmyadmin.* TO 'phpmyadmin'@'localhost';
Code: Granting phpmyadmin control user access to the MySQL system databases
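-- USAGE grants no privileges. The account and its password already come from
-- the CREATE USER statement, so the password is not repeated here; GRANT ...
-- IDENTIFIED BY is also rejected by newer MySQL releases.
GRANT USAGE ON mysql.* TO 'phpmyadmin'@'localhost';
-- Column-level SELECT: the control user can read account names and privilege
-- flags, but the column list leaves out the password/authentication columns.
GRANT SELECT (
    Host, User, Select_priv, Insert_priv, Update_priv, Delete_priv,
    Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv,
    File_priv, Grant_priv, References_priv, Index_priv, Alter_priv,
    Show_db_priv, Super_priv, Create_tmp_table_priv, Lock_tables_priv,
    Execute_priv, Repl_slave_priv, Repl_client_priv
    ) ON mysql.user TO 'phpmyadmin'@'localhost';
GRANT SELECT ON mysql.db TO 'phpmyadmin'@'localhost';
-- NOTE(review): newer MySQL/MariaDB releases no longer ship mysql.host; skip
-- this statement if the server reports the table as missing.
GRANT SELECT ON mysql.host TO 'phpmyadmin'@'localhost';
GRANT SELECT (Host, Db, User, Table_name, Table_priv, Column_priv)
    ON mysql.tables_priv TO 'phpmyadmin'@'localhost';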

Configuration

File: /var/www/phpmyadmin.<domain>/htdocs/config.inc.php
<?php

/*
 * phpMyAdmin configuration for a single local MySQL server.
 * This file holds two secrets (controlpass and blowfish_secret), so it should
 * be readable only by the user the PHP-FPM pool runs as.
 */

/* Servers configuration */
$i = 0;

/* Server localhost (http) [1] */
$i++;
$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['compress'] = false;
/* Cookie auth: users log in with their own MySQL credentials; the login
   cookie is encrypted with blowfish_secret (set below). */
$cfg['Servers'][$i]['auth_type'] = 'cookie';
/* NOTE(review): no AllowRoot setting is present, so root logins stay permitted
   by default; consider $cfg['Servers'][$i]['AllowRoot'] = false. */
/* User for advanced features */
/* 'xxx' is a placeholder; it must be the password set for the
   'phpmyadmin'@'localhost' control user in MySQL. */
$cfg['Servers'][$i]['controluser'] = 'phpmyadmin';
$cfg['Servers'][$i]['controlpass'] = 'xxx';
/* Advanced phpMyAdmin features */
/* Configuration storage database and its tables. */
$cfg['Servers'][$i]['pmadb'] = 'phpmyadmin';
$cfg['Servers'][$i]['bookmarktable'] = 'pma__bookmark';
$cfg['Servers'][$i]['central_columns'] = 'pma__central_columns';
$cfg['Servers'][$i]['column_info'] = 'pma__column_info';
$cfg['Servers'][$i]['designer_coords'] = 'pma__designer_coords';
$cfg['Servers'][$i]['designer_settings'] = 'pma__designer_settings';
$cfg['Servers'][$i]['export_templates'] = 'pma__export_templates';
$cfg['Servers'][$i]['favorite'] = 'pma__favorite';
$cfg['Servers'][$i]['history'] = 'pma__history';
$cfg['Servers'][$i]['navigationhiding'] = 'pma__navigationhiding';
$cfg['Servers'][$i]['pdf_pages'] = 'pma__pdf_pages';
$cfg['Servers'][$i]['recent'] = 'pma__recent';
$cfg['Servers'][$i]['relation'] = 'pma__relation';
$cfg['Servers'][$i]['savedsearches'] = 'pma__savedsearches';
$cfg['Servers'][$i]['table_coords'] = 'pma__table_coords';
$cfg['Servers'][$i]['table_info'] = 'pma__table_info';
$cfg['Servers'][$i]['table_uiprefs'] = 'pma__table_uiprefs';
$cfg['Servers'][$i]['tracking'] = 'pma__tracking';
$cfg['Servers'][$i]['userconfig'] = 'pma__userconfig';
$cfg['Servers'][$i]['usergroups'] = 'pma__usergroups';
$cfg['Servers'][$i]['users'] = 'pma__users';
/* Hide lost+found if on a separate partition */
/* The pattern also hides the system schemas and the phpmyadmin database.
   hide_db only removes entries from the database list; it is not an access
   control, and MySQL privileges still decide what a user can reach. */
$cfg['Servers'][$i]['hide_db'] = '#mysql50#lost|^(information\_schema|performance\_schema|mysql|phpmyadmin)$';
/* End of servers configuration */

/* Misc settings */
/* 'xxx' is a placeholder: replace it with a random string of at least
   32 characters that is unique to this installation. */
$cfg['blowfish_secret'] = 'xxx';
$cfg['Export']['compression'] = 'bzip2';
$cfg['DefaultLang'] = 'de';
$cfg['ServerDefault'] = 1;
/* Empty values switch off the server-side import and export directories. */
$cfg['UploadDir'] = '';
$cfg['SaveDir'] = '';
/* Turns off phpMyAdmin's own check for new releases; updates then have to be
   tracked through the package manager. */
$cfg['VersionCheck'] = 0;
/* Same directory as upload_tmp_dir and sys_temp_dir in the PHP-FPM pool. */
$cfg['TempDir'] = '/var/www/phpmyadmin.<domain>/tmp';

?>

To make the installation scripts inaccessible you should delete the setup directory.

Update

# emerge phpmyadmin
# webapp-config -h phpmyadmin.<domain> -d / -U phpmyadmin 4.8.4
# CONFIG_PROTECT="/var/www/phpmyadmin.<domain>/htdocs//libraries" etc-update
# emerge -C phpmyadmin-<oldversion>