phpMyAdmin SSL – The “how to” you always wanted – but were too shy to admit to.
You should always use SSL with phpMyAdmin. Never leave a phpMyAdmin install insecure. Nowadays, you should secure phpMyAdmin with more than just SSL, for example by keeping it on its own private network. But that’s a different story entirely…
2 1/2 ways to force SSL with phpMyAdmin
1) Using Apache .htaccess (this can also be put in the httpd.conf if you don’t use .htaccess files):
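RewriteEngine On
# Redirect anything that did not arrive on the HTTPS port
RewriteCond %{SERVER_PORT} !^443$
# The optional leading slash lets the rule match in both .htaccess and httpd.conf
RewriteRule ^/?phpmyadmin(.*)$ https://%{HTTP_HOST}/phpmyadmin$1 [L,R]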
or with nginx:
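location /phpmyadmin {
    # $ssl_protocol is empty when the request did not arrive over SSL
    if ($ssl_protocol = "") {
        # $request_uri already carries the query string; the trailing "?" stops nginx appending it a second time
        rewrite ^ https://$server_name$request_uri? permanent;
    }
}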
Now, if you’re behind a proxy of some sort (such as a load balancer), $ssl_protocol might not be set. You would then have to check the request headers to see which one the proxy sets and redirect based on that. There isn’t a hard-set rule that everyone follows, so it can be implementation specific. Hire Barton if you need help.
2) Using phpMyAdmin’s config.inc.php file:
(NOTE: $cfg['ForceSSL'] has been removed as of phpMyAdmin 4.6) via Ken Zalewski
// place this at the bottom somewhere
$cfg['ForceSSL'] = true;
I prefer to use #2 because I don’t have to mess with Apache at all.
If you’re wondering what 1/2 way is to use phpMyAdmin with SSL, well, I count #1 a little bit more since it’s talking about doing it with .htaccess and/or Apache/Nginx conf.
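For the load balancer case mentioned under #1, here is one way to do the header check in nginx, as an added example that is not from the original post. It assumes the proxy terminates SSL and sets X-Forwarded-Proto; that header name, the address 10.0.0.10 and the server name are constructed, so check what your own proxy actually sends.

```nginx
# Added example. Assumptions: the load balancer terminates SSL, sets
# X-Forwarded-Proto, and reaches this backend from 10.0.0.10 (constructed).

# Goes in the http {} context: decide per request whether to redirect.
map $http_x_forwarded_proto $pma_redirect_to_https {
    default 1;   # header missing, or anything other than "https"
    https   0;   # the client spoke HTTPS to the load balancer
}

server {
    listen 80;
    server_name db.example.test;   # constructed name

    location /phpmyadmin {
        # Only the load balancer may reach this backend. A client that
        # connected directly could otherwise send "X-Forwarded-Proto: https"
        # itself and be served over plain HTTP.
        allow 10.0.0.10;
        deny  all;

        # "if" is false for an empty value or "0", true otherwise.
        if ($pma_redirect_to_https) {
            return 301 https://$server_name$request_uri;
        }

        # ... your existing phpMyAdmin handling (PHP/FastCGI) goes here ...
    }
}
```

The redirect runs before the allow/deny check, so a direct client without the header is simply sent to HTTPS, while one that forges the header is refused.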
Thanks! That saved me a lot of time.
Number 2 is the way to go. Changes are instant :) Thank you
The ForceSSL configuration directive has been removed from phpMyAdmin 4.6 (release pending). The proper way to handle SSL redirects is via the web server config.
Thanks Ken. I’ve updated this blog post with your update. Although, I will miss that configuration.
This was a helpful article to get started, but this didn’t work for me on Ubuntu 16 and Apache 2.4 for some reason…but this worked:
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/phpmyadmin$1 [R,L]
Is your NGINX version correct? It does not seem to support query, which phpMyAdmin uses, so if someone had an old bookmark, phpMyAdmin will lose track of where to load after login.
I didn’t mention a version # for nginx. If this is still an issue, email support, so someone may help you out.
As time goes by, things change, and we would prefer people not even use phpMyAdmin on live websites. Only use it locally, then deploy, or use something in a secure environment, and tunnel to your live server; or use VPN to restrict.
These days there are too many hackers trying to ruin your day.
Please be safe.
I’m trying to set up phpmyadmin on a VirtualBox, there is no danger from the internet because this is a local test machine. So I don’t want to have any SSL anything. But I still need to set my setup before I go on the live server, so I need to get phpmyadmin working without an SSL. So how do I do that?
It depends on where you got your virtual box. Does it need to be that, or may it be Docker? By default, you do not need to use SSL with phpMyAdmin…