How to Setup HTTPS (SSL Certificates) to Secure PhpMyAdmin Login

To introduce this tip, let’s sniff the HTTP traffic between a client machine and the Debian 8 server where we have made the innocent mistake to login using the database root user’s credentials in our last article at: Change and Secure Default PhpMyAdmin Login URL

As we mentioned in the previous tip, do not attempt to do this yet if you don’t want to expose your credentials. To begin sniffing traffic, we typed the following command and pressed Enter:

# tcpdump port http -l -A | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ' --line-buffered -B20

It will not take us long to realize that the username and password have been sent over the wire in plain text format, as you can see in the truncated output of tcpdump in the image below.

Please note that we have hidden part of the root password with a blue mark over it:

Sniffing HTTP Traffic

Sniffing HTTP Traffic

To avoid this, let’s secure the login page with a certificate. To do this, install mod_ssl package on CentOS based distributions.

# yum install mod_ssl

Although we will use the Debian/Ubuntu path and names, the same procedure is valid for CentOS and RHEL if you replace the commands and paths below with the CentOS equivalents.

Create a directory to store the key and certificate:

# mkdir /etc/apache2/ssl    [On Debian/Ubuntu based systems]
# mkdir /etc/httpd/ssl      [On CentOS based systems]

Create the key and certificate:

----------- On Debian/Ubuntu based systems ----------- 
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

----------- On CentOS based systems ----------- 
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/httpd/ssl/apache.key -out /etc/httpd/ssl/apache.crt
Sample Output
........................+++
.....................................................+++
writing new private key to '/etc/httpd/ssl/apache.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Maharashtra
Locality Name (eg, city) [Default City]:Mumbai
Organization Name (eg, company) [Default Company Ltd]:TecMint
Organizational Unit Name (eg, section) []:TecMint
Common Name (eg, your name or your server's hostname) []:TecMint
Email Address []:[email protected]

Next, verify key and certificate.

# cd /etc/apache2/ssl/   [On Debian/Ubuntu based systems]
# cd /etc/httpd/ssl/     [On CentOS based systems]
# ls -l

total 8
-rw-r--r--. 1 root root 1424 Sep  7 15:19 apache.crt
-rw-r--r--. 1 root root 1704 Sep  7 15:19 apache.key

In Debian/Ubuntu, make sure that Apache is listening on port 443 for the default site (/etc/apache2/sites-available/000-default.conf) and add the 3 SSL-related lines inside the VirtualHost declaration:

SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
Enable SSL on Virtualhost

Enable SSL on Virtualhost

In CentOS based distributions, tell Apache to listen on port 443 and look for the Listen directive in /etc/httpd/conf/httpd.conf and add the above lines below it.

SSLEngine on
SSLCertificateFile /etc/httpd/ssl/apache.crt
SSLCertificateKeyFile /etc/httpd/ssl/apache.key

Save changes, load the SSL Apache module on Debian/Ubuntu distributions (in CentOS this is loaded automatically when you installed mod_ssl earlier):

# a2enmod ssl

Force phpmyadmin to use SSL, make sure the following line is present in /etc/phpmyadmin/config.inc.php or /etc/phpMyAdmin/config.inc.php file:

$cfg['ForceSSL'] = true;

and restart the web server:

# systemctl restart apache2   [On Debian/Ubuntu based systems]
# systemctl restart httpd     [On Debian/Ubuntu based systems]

Next, launch your web browser and type https://<ip address>/my (learn how to change PhpMyAdmin login URL) as shown below.

Important: Please note that it is only saying that the connection is not secure because we are using a self-signed certificate. Click on Advanced and confirm the security exception:

Enable PhpMyAdmin HTTPS

Enable PhpMyAdmin HTTPS

After confirming the security exception, and before login in, let’s start sniffing HTTP and HTTPS traffic:

# tcpdump port http or port https -l -A | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ' --line-buffered -B20

Then login using the same credentials as earlier. The traffic sniffer will only capture gibberish at best:

Sniffing HTTP and HTTPS Traffic

Sniffing HTTP and HTTPS Traffic

That’s it for now, in next article we will share you to restrict PhpMyAdmin access with username/password, till then stay tuned to Tecmint.

If You Appreciate What We Do Here On TecMint, You Should Consider:

TecMint is the fastest growing and most trusted community site for any kind of Linux Articles, Guides and Books on the web. Millions of people visit TecMint! to search or browse the thousands of published articles available FREELY to all.

If you like what you are reading, please consider buying us a coffee ( or 2 ) as a token of appreciation.

Support Us

We are thankful for your never ending support.

Gabriel Cánepa

Gabriel Cánepa is a GNU/Linux sysadmin and web developer from Villa Mercedes, San Luis, Argentina. He works for a worldwide leading consumer product company and takes great pleasure in using FOSS tools to increase productivity in all areas of his daily work.

Your name can also be listed here. Got a tip? Submit it here to become an TecMint author.

RedHat RHCE and RHCSA Certification Book
Linux Foundation LFCS and LFCE Certification Preparation Guide

You may also like...

3 Responses

  1. Geekomancer says:

    Can you please post an update on this for nginx?

  2. Lorien says:

    Regarding to phpMyAdmin I also suggest hide server information (php version, mysql version) for better security:

    $cfg[‘ShowServerInfo’] = false;

    in config.inc.php file.

Got something to say? Join the discussion.

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.