Installing phpMyAdmin on Debian 10 involves downloading the source archive and setting it up manually, as phpMyAdmin is not available in the default Debian repositories.
As a part of our Server Management Services, we help our Customers with software installations regularly.
Let us today discuss the steps to install PHPMyAdmin on Debian 10.
How to install PHPMyAdmin on Debian 10?
The phpMyAdmin utility is a graphical database management tool. As phpMyAdmin is not available from the default Debian repositories, we will need to download the source code to the server from the phpMyAdmin site to perform the installation.
The steps involved in this process include:
- Update Software Packages
- Install Apache
- PHP install on Debian 10
- Install and Set Up MariaDB on Debian 10
- Secure MariaDB
- Create a New MariaDB User
- Installing phpMyAdmin and Recommended Packages
- Configuring phpMyAdmin Manually
- Create the phpMyAdmin storage database and tables
- Configuring Apache to Serve phpMyAdmin
- Accessing phpMyAdmin
- Securing the phpMyAdmin Instance
Let us look at each of these steps in detail:
Update Software Packages
As with any other installation, the first step here is to update the software packages. Access the terminal window, and update the software package lists using the following command:
$ sudo apt update
Install Apache
Once the software packages are up to date, let us proceed to install Apache webserver. Open a terminal window, and install Apache by entering the following command:
$ sudo apt install apache2 -y
The process can take a few moments to complete. Enter the following command to make sure the Apache service is running:
$ systemctl status apache2
PHP install on Debian 10
After the install of Apache, let us proceed to install core PHP packages and other dependency modules with the following command:
$ sudo apt install php php-cgi php-mysqli php-pear php-mbstring php-gettext libapache2-mod-php php-common php-phpseclib php-mysql -y
Once the installation process is complete, verify that PHP has been installed:
$ php --version
The system displays the current version of PHP, along with the date of the release.
MariaDB install and Set Up on Debian 10
To install MariaDB, enter the following command into the terminal:
$ sudo apt install mariadb-server mariadb-client -y
Once the process is complete, verify the MariaDB installation with the following command:
$ systemctl status mariadb
Like with Apache, we will see an active (running) status.
Before installing phpMyAdmin, you need to configure the MariaDB database.
Secure MariaDB
After installing MariaDB, it is important to configure basic MariaDB security features by launching a built-in script:
$ sudo mysql_secure_installation
At this stage, set a strong root password for the database by choosing the appropriate options when prompted. Be sure to remove anonymous users and disallow remote root logins. Also, remove the test database and reload the privilege tables.
Create a New MariaDB User
The phpMyAdmin utility needs a designated user to be able to connect to the database. Creating a new MariaDB user improves security and allows us to control the level of permissions granted to this user. Once we have set up a MariaDB user, we are ready to start the phpMyAdmin installation process.
Install phpMyAdmin and Recommended Packages on Debian 10
Installing phpMyAdmin requires some additional PHP modules: php-mbstring, php-zip, and php-gd. We can install them on the server with the command below:
$ sudo apt install php-mbstring php-zip php-gd
Next, we can install phpMyAdmin. phpMyAdmin is not available from the default Debian repositories, so we will need to download the source code to the server from the phpMyAdmin site.
In order to do that, navigate to the URL https://www.phpmyadmin.net/downloads/, scroll down to the table with download links for the latest stable release, and copy the download link ending in tar.gz.
Replace the link in the following wget command with the download link we just copied, then press ENTER. This will run the command and download the tarball to the server:
$ wget https://files.phpmyadmin.net/phpMyAdmin/4.9.7/phpMyAdmin-4.9.7-all-languages.tar.gz
Then extract the tarball:
$ tar xvf phpMyAdmin-4.9.7-all-languages.tar.gz
This will create a number of new files and directories on the server under a parent directory named phpMyAdmin-4.9.7-all-languages.
Then move the phpMyAdmin-4.9.7-all-languages directory and all its subdirectories to the /usr/share/ directory, the location where phpMyAdmin expects to find its configuration files by default:
$ sudo mv phpMyAdmin-4.9.7-all-languages/ /usr/share/phpmyadmin
Configuring phpMyAdmin Manually
To begin the setup, make a new directory where phpMyAdmin will store its temporary files and correct its ownership:
$ sudo mkdir -p /var/lib/phpmyadmin/tmp
$ sudo chown -R www-data:www-data /var/lib/phpmyadmin
The files we extracted previously include a sample configuration file that we can use as our base configuration file. Make a copy of this file, keeping it in the /usr/share/phpmyadmin directory, and rename it config.inc.php:
$ sudo cp /usr/share/phpmyadmin/config.sample.inc.php /usr/share/phpmyadmin/config.inc.php
Now, open this file using any preferred text editor. Scroll down to the line that begins with $cfg['blowfish_secret']. It will look like this:
$cfg['blowfish_secret'] = ''; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */
In between the single quotes, enter a string of 32 random characters. This is not a passphrase we need to remember; it will just be used internally by the AES algorithm:
$cfg['blowfish_secret'] = 'STRINGOFTHIRTYTWORANDOMCHARACTERS'; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */
If the passphrase you enter here is shorter than 32 characters in length, it will result in the encrypted cookies being less secure. Entering a string longer than 32 characters, though, will not cause any harm.
To generate a truly random string of characters, we can install and use the pwgen program:
$ sudo apt install pwgen
Use the command below to generate a random, difficult-to-memorize password. Note the final two arguments to this command: 32, which dictates how long the password string should be; and 1 which tells pwgen how many strings it should generate:
$ pwgen -s 32 1
Updating the password
Next, scroll down to the comment reading /* User used to manipulate with storage */. This section includes some directives that define a MariaDB database user named pma which performs certain administrative tasks within phpMyAdmin. According to the official documentation, this special user account is not necessary in cases where only one user will access phpMyAdmin, but it is recommended in multi-user scenarios.
Uncomment the controluser and controlpass directives by removing the preceding slashes. Then update the controlpass directive to point to a secure password. If we do not do this, the default password will remain in place and unknown users could easily gain access to the database through the phpMyAdmin interface.
After making these changes, this section of the file will look like this:
/* User used to manipulate with storage */
// $cfg['Servers'][$i]['controlhost'] = '';
// $cfg['Servers'][$i]['controlport'] = '';
$cfg['Servers'][$i]['controluser'] = 'pma';
$cfg['Servers'][$i]['controlpass'] = 'password';
Below this section, we will find another section preceded by a comment reading /* Storage database and tables */. This section includes a number of directives that define the phpMyAdmin configuration storage, a database, and several tables used by the administrative pma database user. These tables enable a number of features in phpMyAdmin, including Bookmarks, comments, PDF generation, and more.
Uncomment each line in this section by removing the slashes at the beginning of each line so it looks like this:
/* Storage database and tables */
$cfg['Servers'][$i]['pmadb'] = 'phpmyadmin';
$cfg['Servers'][$i]['bookmarktable'] = 'pma__bookmark';
$cfg['Servers'][$i]['relation'] = 'pma__relation';
$cfg['Servers'][$i]['table_info'] = 'pma__table_info';
$cfg['Servers'][$i]['table_coords'] = 'pma__table_coords';
$cfg['Servers'][$i]['pdf_pages'] = 'pma__pdf_pages';
$cfg['Servers'][$i]['column_info'] = 'pma__column_info';
$cfg['Servers'][$i]['history'] = 'pma__history';
$cfg['Servers'][$i]['table_uiprefs'] = 'pma__table_uiprefs';
$cfg['Servers'][$i]['tracking'] = 'pma__tracking';
$cfg['Servers'][$i]['userconfig'] = 'pma__userconfig';
$cfg['Servers'][$i]['recent'] = 'pma__recent';
$cfg['Servers'][$i]['favorite'] = 'pma__favorite';
$cfg['Servers'][$i]['users'] = 'pma__users';
$cfg['Servers'][$i]['usergroups'] = 'pma__usergroups';
$cfg['Servers'][$i]['navigationhiding'] = 'pma__navigationhiding';
$cfg['Servers'][$i]['savedsearches'] = 'pma__savedsearches';
$cfg['Servers'][$i]['central_columns'] = 'pma__central_columns';
$cfg['Servers'][$i]['designer_settings'] = 'pma__designer_settings';
$cfg['Servers'][$i]['export_templates'] = 'pma__export_templates';
These tables do not yet exist, but we will create them shortly.
Lastly, scroll down to the bottom of the file and add the following line. This will configure phpMyAdmin to use the /var/lib/phpmyadmin/tmp directory we created earlier as its temporary directory. phpMyAdmin will use this temporary directory as a templates cache which allows for faster page loading:
$cfg['TempDir'] = '/var/lib/phpmyadmin/tmp';
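The edits made to config.inc.php in this section can be checked with a short script. This is an added example, not part of phpMyAdmin or the original article: it flags a blowfish_secret that is shorter than 32 characters or left as the tutorial placeholder, a controlpass left at 'password' or at the sample file's 'pmapass', and a missing TempDir. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from phpMyAdmin: audit the values edited in config.inc.php.

# Print the value of the last uncommented, single-quoted assignment to key $2
# (for example "['blowfish_secret']") in file $1.
cfg_value() {
    grep -F "$2" "$1" | grep -v '^[[:space:]]*//' | tail -n 1 |
        sed -n "s/^[^=]*=[[:space:]]*'\([^']*\)'.*/\1/p"
}

# Print one FAIL line per problem; return 0 only when nothing was found.
audit_pma_config() {
    file=$1
    fails=0
    secret=$(cfg_value "$file" "['blowfish_secret']")
    if [ "${#secret}" -lt 32 ]; then
        echo "FAIL blowfish_secret has ${#secret} characters, expected at least 32"
        fails=$((fails + 1))
    elif [ "$secret" = "STRINGOFTHIRTYTWORANDOMCHARACTERS" ]; then
        # Long enough to pass the length check, but published in the tutorial.
        echo "FAIL blowfish_secret is the tutorial placeholder"
        fails=$((fails + 1))
    fi
    # 'password' is this page's placeholder, 'pmapass' the sample file's.
    case $(cfg_value "$file" "['controlpass']") in
        password|pmapass)
            echo "FAIL controlpass is a published placeholder"
            fails=$((fails + 1)) ;;
    esac
    if [ -z "$(cfg_value "$file" "['TempDir']")" ]; then
        echo "FAIL TempDir is not set"
        fails=$((fails + 1))
    fi
    [ "$fails" -eq 0 ]
}

# Constructed sample: the file as it looks if the page's values are left as-is.
sample=$(mktemp)
cat > "$sample" <<'EOF'
$cfg['blowfish_secret'] = ''; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */
// $cfg['Servers'][$i]['controlhost'] = '';
$cfg['Servers'][$i]['controluser'] = 'pma';
$cfg['Servers'][$i]['controlpass'] = 'password';
EOF
audit_pma_config "$sample" || echo "config needs attention"
rm -f "$sample"
```

On a real server the call would be audit_pma_config /usr/share/phpmyadmin/config.inc.php.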
Create the phpMyAdmin storage database and tables
Next, we will need to create a phpMyAdmin storage database and tables. When we installed phpMyAdmin in the previous step, it came with a file named create_tables.sql. This SQL file contains all the commands needed to create the configuration storage database and tables phpMyAdmin needs to function correctly.
Run the following command to use the create_tables.sql file to create the configuration storage database and tables:
$ sudo mariadb < /usr/share/phpmyadmin/sql/create_tables.sql
Following that, we will need to create the administrative pma user. Open up the MariaDB prompt:
$ sudo mariadb
From the prompt, run the following command to create the pma user and grant it the appropriate permissions. Be sure to change the password to align with the password we defined in the config.inc.php file:
MariaDB [(none)]> GRANT SELECT, INSERT, UPDATE, DELETE ON phpmyadmin.* TO 'pma'@'localhost' IDENTIFIED BY 'password';
If we have not created one already, we should also create a regular MariaDB user for the purpose of managing databases through phpMyAdmin, as it is recommended that we log in using another account than the pma user. We could create a user that has privileges to all tables within the database, as well as the power to add, change, and remove user privileges, with this command.
MariaDB [(none)]> GRANT ALL PRIVILEGES ON *.* TO 'sammy'@'localhost' IDENTIFIED BY 'password' WITH GRANT OPTION;
Following that, exit the MariaDB shell:
MariaDB [(none)]> exit
phpMyAdmin is now fully installed and configured on the server. However, the Apache server does not yet know how to serve the application. To resolve this, we will create an Apache configuration file for it.
Configuring Apache to Serve phpMyAdmin
When installing phpMyAdmin from the default repositories, the installation process creates an Apache configuration file automatically and places it in the /etc/apache2/conf-enabled/ directory. Because we installed phpMyAdmin from source, however, we will need to create and enable this file manually.
Create a file named phpmyadmin.conf in the /etc/apache2/conf-available/ directory:
$ sudo nano /etc/apache2/conf-available/phpmyadmin.conf
Then add the following content to the file:
# phpMyAdmin default Apache configuration
Alias /phpmyadmin /usr/share/phpmyadmin
<Directory /usr/share/phpmyadmin>
    Options SymLinksIfOwnerMatch
    DirectoryIndex index.php
    <IfModule mod_php5.c>
        <IfModule mod_mime.c>
            AddType application/x-httpd-php .php
        </IfModule>
        <FilesMatch ".+\.php$">
            SetHandler application/x-httpd-php
        </FilesMatch>
        php_value include_path .
        php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp
        php_admin_value open_basedir /usr/share/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/:/usr/share/php/php-gettext/:/usr/share/php/php-php-gettext/:/usr/share/javascript/:/usr/share/php/tcpdf/:/usr/share/doc/phpmyadmin/:/usr/share/php/phpseclib/
        php_admin_value mbstring.func_overload 0
    </IfModule>
    <IfModule mod_php.c>
        <IfModule mod_mime.c>
            AddType application/x-httpd-php .php
        </IfModule>
        <FilesMatch ".+\.php$">
            SetHandler application/x-httpd-php
        </FilesMatch>
        php_value include_path .
        php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp
        php_admin_value open_basedir /usr/share/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/:/usr/share/php/php-gettext/:/usr/share/php/php-php-gettext/:/usr/share/javascript/:/usr/share/php/tcpdf/:/usr/share/doc/phpmyadmin/:/usr/share/php/phpseclib/
        php_admin_value mbstring.func_overload 0
    </IfModule>
</Directory>
# Authorize for setup
<Directory /usr/share/phpmyadmin/setup>
    <IfModule mod_authz_core.c>
        <IfModule mod_authn_file.c>
            AuthType Basic
            AuthName "phpMyAdmin Setup"
            AuthUserFile /etc/phpmyadmin/htpasswd.setup
        </IfModule>
        Require valid-user
    </IfModule>
</Directory>
# Disallow web access to directories that don't need it
<Directory /usr/share/phpmyadmin/templates>
    Require all denied
</Directory>
<Directory /usr/share/phpmyadmin/libraries>
    Require all denied
</Directory>
<Directory /usr/share/phpmyadmin/setup/lib>
    Require all denied
</Directory>
This is the default phpMyAdmin Apache configuration file found on Ubuntu installations, though it will be adequate for a Debian setup as well.
Save and close the file, then enable it by typing:
$ sudo a2enconf phpmyadmin.conf
Then reload the apache2 service to put the configuration changes into effect:
$ sudo systemctl reload apache2
Accessing phpMyAdmin
Now, we will be able to access the phpMyAdmin login screen by navigating to the following URL in the web browser:
https://your_domain/phpmyadmin
Log in to the interface with the MariaDB username and password we configured.
Now that we are able to connect and interact with phpMyAdmin, all that is left to do is harden the system’s security to protect it from attackers.
Securing Your phpMyAdmin Instance
Because phpMyAdmin is a popular target for attackers, we should take extra care to prevent unauthorized access to it. One of the easiest ways of doing this is to place a gateway in front of the entire application by using Apache's built-in .htaccess authentication and authorization functionalities.
To do this, we must first enable the use of .htaccess file overrides by editing the Apache configuration file.
Edit the phpMyAdmin configuration file that we placed in the Apache configuration directory:
$ sudo nano /etc/apache2/conf-available/phpmyadmin.conf
Add an AllowOverride All directive within the <Directory /usr/share/phpmyadmin> section of the configuration file, like this:
<Directory /usr/share/phpmyadmin>
    Options SymLinksIfOwnerMatch
    DirectoryIndex index.php
    AllowOverride All
    <IfModule mod_php5.c>
. . .
When we have added this line, save and close the file. To implement the changes we made, restart Apache:
$ sudo systemctl restart apache2
Now that we have enabled .htaccess use for the application, we need to create one to actually implement some security.
Implement security
In order to implement security, the file must be created within the application directory. We can create the necessary file and open it in the text editor with root privileges by typing:
$ sudo nano /usr/share/phpmyadmin/.htaccess
Within this file, enter the following content:
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /usr/share/phpmyadmin/.htpasswd
Require valid-user
Here is what each of these lines means:
- AuthType Basic: This line specifies the authentication type that we are implementing. This type will implement password authentication using a password file.
- AuthName: This sets the message for the authentication dialog box. We should keep this generic so that unauthorized users will not gain any information about what is being protected.
- AuthUserFile: This sets the location of the password file that will be used for authentication. This should be outside of the directories that are being served. We will create this file shortly.
- Require valid-user: This specifies that only authenticated users should be given access to this resource. This is what actually stops unauthorized users from entering.
Save and close the file, once completed.
The location that we selected for the password file was /usr/share/phpmyadmin/.htpasswd. We can now create this file and add an initial user to it with the htpasswd utility:
$ sudo htpasswd -c /usr/share/phpmyadmin/.htpasswd username
We will be prompted to select and confirm a password for the user we are creating. Afterward, it creates the file with the hashed password that we entered.
If we want to enter an additional user, we need to do so without the -c flag, like this:
$ sudo htpasswd /usr/share/phpmyadmin/.htpasswd additionaluser
Now, when we access the phpMyAdmin subdirectory, it prompts for the additional account name and password that we just configured:
https://your_domain_or_IP/phpmyadmin
After entering the Apache authentication, we will be taken to the regular phpMyAdmin authentication page to enter the MariaDB credentials. This setup adds an additional layer of security, which is desirable since phpMyAdmin has suffered from vulnerabilities in the past.
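Two mistakes are easy to make when setting up this gateway: leaving the password file inside the directory Apache serves, and adding a later user to a file other than the one AuthUserFile names. The following added example (not part of Apache, phpMyAdmin, or the original article) checks an .htaccess file for both; the function names, directory layout and hash strings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of Apache or phpMyAdmin.

# Print the AuthUserFile path set in .htaccess file $1, quotes stripped.
auth_user_file() {
    sed -n 's/^[[:space:]]*AuthUserFile[[:space:]][[:space:]]*//p' "$1" |
        tr -d '"' | tail -n 1
}

# Return 0 when path $1 lies beneath directory $2 (plain prefix comparison,
# so both must be absolute and free of ".." components).
is_under() {
    case "${1%/}/" in "${2%/}/"*) return 0 ;; esac
    return 1
}

# $1 = .htaccess file, $2 = directory Apache serves, remaining = expected users.
# Prints one line per finding and returns 0 only when there are none.
check_gateway() {
    htaccess=$1 served=$2 findings=0
    shift 2
    pwfile=$(auth_user_file "$htaccess")
    if [ -z "$pwfile" ]; then
        echo "FAIL no AuthUserFile directive in $htaccess"; return 1
    fi
    if is_under "$pwfile" "$served"; then
        echo "WARN $pwfile is inside the served directory $served"
        findings=$((findings + 1))
    fi
    for user in "$@"; do
        if ! grep -q "^$user:" "$pwfile" 2>/dev/null; then
            echo "FAIL user $user is not in $pwfile"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed layout: password file beside .htaccess, and a second user
# written to a different file than the one AuthUserFile names.
demo=$(mktemp -d)
mkdir -p "$demo/usr/share/phpmyadmin" "$demo/etc/phpmyadmin"
printf 'AuthType Basic\nAuthUserFile %s\nRequire valid-user\n' \
    "$demo/usr/share/phpmyadmin/.htpasswd" > "$demo/usr/share/phpmyadmin/.htaccess"
echo 'username:constructed-hash' > "$demo/usr/share/phpmyadmin/.htpasswd"
echo 'additionaluser:constructed-hash' > "$demo/etc/phpmyadmin/.htpasswd"
check_gateway "$demo/usr/share/phpmyadmin/.htaccess" \
    "$demo/usr/share/phpmyadmin" username additionaluser || echo "gateway needs attention"
rm -rf "$demo"
```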
Conclusion
In short, we will need to download the source code to the server from the phpMyAdmin site to perform the installation as phpMyAdmin is not available from the default Debian repositories. Today, we saw how our Support Engineers install PHPMyAdmin on Debian 10.