How to Setup HTTPS (SSL Certificates) to Secure PhpMyAdmin Login

To introduce this tip, let’s sniff the HTTP traffic between a client machine and the Debian 8 server where we have made the innocent mistake to login using the database root user’s credentials in our last article at: Change and Secure Default PhpMyAdmin Login URL

As we mentioned in the previous tip, do not attempt to do this yet if you don’t want to expose your credentials. To begin sniffing traffic, we typed the following command and pressed Enter:

# tcpdump port http -l -A | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ' --line-buffered -B20

It will not take us long to realize that the username and password have been sent over the wire in plain text format, as you can see in the truncated output of tcpdump in the image below.

Please note that we have hidden part of the root password with a blue mark over it:

Sniffing HTTP Traffic
Sniffing HTTP Traffic

To avoid this, let’s secure the login page with a certificate. To do this, install mod_ssl package on CentOS based distributions.

# yum install mod_ssl

Although we will use the Debian/Ubuntu path and names, the same procedure is valid for CentOS and RHEL if you replace the commands and paths below with the CentOS equivalents.

Create a directory to store the key and certificate:

# mkdir /etc/apache2/ssl    [On Debian/Ubuntu based systems]
# mkdir /etc/httpd/ssl      [On CentOS based systems]

Create the key and certificate:

----------- On Debian/Ubuntu based systems ----------- 
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

----------- On CentOS based systems ----------- 
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/httpd/ssl/apache.key -out /etc/httpd/ssl/apache.crt
Sample Output
........................+++
.....................................................+++
writing new private key to '/etc/httpd/ssl/apache.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Maharashtra
Locality Name (eg, city) [Default City]:Mumbai
Organization Name (eg, company) [Default Company Ltd]:TecMint
Organizational Unit Name (eg, section) []:TecMint
Common Name (eg, your name or your server's hostname) []:TecMint
Email Address []:[email protected]

Next, verify key and certificate.

# cd /etc/apache2/ssl/   [On Debian/Ubuntu based systems]
# cd /etc/httpd/ssl/     [On CentOS based systems]
# ls -l

total 8
-rw-r--r--. 1 root root 1424 Sep  7 15:19 apache.crt
-rw-r--r--. 1 root root 1704 Sep  7 15:19 apache.key

In Debian/Ubuntu, make sure that Apache is listening on port 443 for the default site (/etc/apache2/sites-available/000-default.conf) and add the 3 SSL-related lines inside the VirtualHost declaration:

SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
Enable SSL on Virtualhost
Enable SSL on Virtualhost

In CentOS based distributions, tell Apache to listen on port 443 and look for the Listen directive in /etc/httpd/conf/httpd.conf and add the above lines below it.

SSLEngine on
SSLCertificateFile /etc/httpd/ssl/apache.crt
SSLCertificateKeyFile /etc/httpd/ssl/apache.key

Save changes, load the SSL Apache module on Debian/Ubuntu distributions (in CentOS this is loaded automatically when you installed mod_ssl earlier):

# a2enmod ssl

Force phpmyadmin to use SSL, make sure the following line is present in /etc/phpmyadmin/config.inc.php or /etc/phpMyAdmin/config.inc.php file:

$cfg['ForceSSL'] = true;

and restart the web server:

# systemctl restart apache2   [On Debian/Ubuntu based systems]
# systemctl restart httpd     [On Debian/Ubuntu based systems]

Next, launch your web browser and type https://<ip address>/my (learn how to change PhpMyAdmin login URL) as shown below.

Important: Please note that it is only saying that the connection is not secure because we are using a self-signed certificate. Click on Advanced and confirm the security exception:

Enable PhpMyAdmin HTTPS
Enable PhpMyAdmin HTTPS

After confirming the security exception, and before login in, let’s start sniffing HTTP and HTTPS traffic:

# tcpdump port http or port https -l -A | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ' --line-buffered -B20

Then login using the same credentials as earlier. The traffic sniffer will only capture gibberish at best:

Sniffing HTTP and HTTPS Traffic
Sniffing HTTP and HTTPS Traffic

That’s it for now, in next article we will share you to restrict PhpMyAdmin access with username/password, till then stay tuned to Tecmint.

Hey TecMint readers,

Exciting news! Every month, our top blog commenters will have the chance to win fantastic rewards, like free Linux eBooks such as RHCE, RHCSA, LFCS, Learn Linux, and Awk, each worth $20!

Learn more about the contest and stand a chance to win by sharing your thoughts below!

Gabriel Cánepa
Gabriel Cánepa is a GNU/Linux sysadmin and web developer from Villa Mercedes, San Luis, Argentina. He works for a worldwide leading consumer product company and takes great pleasure in using FOSS tools to increase productivity in all areas of his daily work.

Each tutorial at TecMint is created by a team of experienced Linux system administrators so that it meets our high-quality standards.

Join the TecMint Weekly Newsletter (More Than 156,129 Linux Enthusiasts Have Subscribed)
Was this article helpful? Please add a comment or buy me a coffee to show your appreciation.

4 Comments

Leave a Reply
  1. Regarding to phpMyAdmin I also suggest hide server information (php version, mysql version) for better security:

    $cfg[‘ShowServerInfo’] = false;

    in config.inc.php file.

    Reply

Got Something to Say? Join the Discussion...

Thank you for taking the time to share your thoughts with us. We appreciate your decision to leave a comment and value your contribution to the discussion. It's important to note that we moderate all comments in accordance with our comment policy to ensure a respectful and constructive conversation.

Rest assured that your email address will remain private and will not be published or shared with anyone. We prioritize the privacy and security of our users.