How To Install and Secure phpMyAdmin with Nginx on a Debian 9 Server

Introduction

While many users need the functionality of a database system like MySQL, interacting with the system solely from the MySQL command-line client requires familiarity with the SQL language, so it may not be the preferred interface for some.

phpMyAdmin was created so that users can interact with MySQL through an intuitive web interface, running alongside a PHP development environment. In this guide, we’ll discuss how to install phpMyAdmin on top of an Nginx server, and how to configure the server for increased security.

Note: There are important security considerations when using software like phpMyAdmin: it runs on the database server, it handles database credentials, and it lets a user execute arbitrary SQL queries against your database. Because phpMyAdmin is a widely deployed PHP application, it is frequently targeted for attack. We will go over some security measures you can take in this tutorial so that you can make informed decisions.

Prerequisites

Before you get started with this guide, you’ll need the following available to you:

Because phpMyAdmin handles authentication using MySQL credentials, it is strongly advisable to install an SSL/TLS certificate to enable encrypted traffic between server and client. If you don’t have an existing domain configured with a valid certificate, you can follow the guide on How to Secure Nginx with Let’s Encrypt on Debian 9.

Warning: If you don’t have an SSL/TLS certificate installed on the server and you still want to proceed, please consider enforcing access via SSH Tunnels as explained in Step 5 of this guide.

Once you have met these prerequisites, you can go ahead with the rest of the guide.

Step 1 — Installing phpMyAdmin

The first thing we need to do is install phpMyAdmin on the LEMP server. We’re going to use the default Debian repositories to achieve this goal.

Let’s start by updating the server’s package index with:

  • sudo apt update

Now you can install phpMyAdmin with:

  • sudo apt install phpmyadmin

During the installation process, you will be prompted to choose the web server (apache2 or lighttpd) to configure. Because we are using Nginx as the web server, we shouldn't select either of them here: make sure neither entry is marked with an asterisk (SPACE toggles a selection), then press TAB and OK to advance to the next step.

Next, you'll be prompted whether to use dbconfig-common to configure the application database. Select Yes. This will set up phpMyAdmin's internal database and its administrative user. You will be asked to define a new password for the phpmyadmin MySQL user; you can also leave it blank and let dbconfig-common generate a random password.

The installation will now finish. For the Nginx web server to find and serve the phpMyAdmin files correctly, we’ll need to create a symbolic link from the installation files to Nginx’s document root directory:

  • sudo ln -s /usr/share/phpmyadmin /var/www/html/phpmyadmin

Your phpMyAdmin installation is now operational. To access the interface, go to your server’s domain name or public IP address followed by /phpmyadmin in your web browser:

https://server_domain_or_IP/phpmyadmin

As mentioned before, phpMyAdmin handles authentication using MySQL credentials, which means you should use the same username and password you would normally use to connect to the database via console or via an API. If you need help creating MySQL users, check this guide on How To Manage an SQL Database.

Note: Logging into phpMyAdmin as the root MySQL user is discouraged because it represents a significant security risk. We’ll see how to disable root login in a subsequent step of this guide.

Your phpMyAdmin installation should be completely functional at this point. However, by installing a web interface, we’ve exposed our MySQL database server to the outside world. Because of phpMyAdmin’s popularity, and the large amounts of data it may provide access to, installations like these are common targets for attacks. In the following sections of this guide, we’ll see a few different ways in which we can make our phpMyAdmin installation more secure.

Step 2 — Changing phpMyAdmin's Default Location

One of the most basic ways to protect your phpMyAdmin installation is by making it harder to find. Bots will scan for common paths, like /phpmyadmin, /pma, /admin, /mysql and such. Changing the interface’s URL from /phpmyadmin to something non-standard will make it much harder for automated scripts to find your phpMyAdmin installation and attempt brute-force attacks.

With our phpMyAdmin installation, we’ve created a symbolic link pointing to /usr/share/phpmyadmin, where the actual application files are located. To change phpMyAdmin’s interface URL, we will rename this symbolic link.

First, let’s navigate to the Nginx document root directory and list the files it contains to get a better sense of the change we’ll make:

  • cd /var/www/html/

  • ls -l

You’ll receive the following output:

Output
total 8
-rw-r--r-- 1 root root 612 Apr  8 13:30 index.nginx-debian.html
lrwxrwxrwx 1 root root  21 Apr  8 15:36 phpmyadmin -> /usr/share/phpmyadmin

The output shows that we have a symbolic link called phpmyadmin in this directory. We can change this link name to whatever we’d like. This will in turn change phpMyAdmin’s access URL, which can help obscure the endpoint from bots hardcoded to search common endpoint names.

Choose a name that obscures the purpose of the endpoint. In this guide, we’ll name our endpoint /nothingtosee, but you should choose an alternate name. To accomplish this, we’ll rename the link:

  • sudo mv phpmyadmin nothingtosee

  • ls -l

After running the above commands, you’ll receive this output:

Output
total 8
-rw-r--r-- 1 root root 612 Apr  8 13:30 index.nginx-debian.html
lrwxrwxrwx 1 root root  21 Apr  8 15:36 nothingtosee -> /usr/share/phpmyadmin

Now, if you go to the old URL, you’ll get a 404 error:

https://server_domain_or_IP/phpmyadmin

Your phpMyAdmin interface will now be available at the new URL we just configured:

https://server_domain_or_IP/nothingtosee

Moving phpMyAdmin off its default path keeps it out of the results of automated scans for well-known locations. This is obscurity rather than access control: anyone who learns or guesses the new path can still reach the login form and attempt to brute-force it, which is why the following steps add real restrictions on top of this change.

Step 3 — Disabling Root Login

On MySQL as well as within regular Linux systems, the root account is a special administrative account with unrestricted access to the system. In addition to being a privileged account, it’s a known login name, which makes it an obvious target for brute-force attacks. To minimize risks, we’ll configure phpMyAdmin to deny any login attempts coming from the user root. This way, even if you provide valid credentials for the user root, you’ll still get an “access denied” error and won’t be allowed to log in.

Because we let dbconfig-common set up the application database, the package manages phpMyAdmin's base configuration itself (the control-user connection settings it generated live in /etc/phpmyadmin/config-db.php). Rather than editing generated files, we'll add a configuration file of our own to define the custom settings.

Even though the PHP files for phpMyAdmin are located inside /usr/share/phpmyadmin, the application uses configuration files located at /etc/phpmyadmin. We will create a new custom settings file inside /etc/phpmyadmin/conf.d, and name it pma_secure.php:

  • sudo nano /etc/phpmyadmin/conf.d/pma_secure.php

The following configuration file contains the necessary settings to disable passwordless logins (AllowNoPassword set to false) and root login (AllowRoot set to false):

/etc/phpmyadmin/conf.d/pma_secure.php
<?php

# phpMyAdmin settings
# blowfish_secret protects the cookie session data. Replace the sample value
# below with your own random string of at least 32 characters; never reuse a
# value that has been published.
$cfg['blowfish_secret'] = '3!#32@3sa(+=_4?),5XP_:U%%8\34sdfSdg43yH#{o';

# Start from server 1, the local MySQL server the package configured, so the
# settings below apply to it.
$i=0;
$i++;

# Prompt for MySQL credentials and keep the session in an encrypted cookie.
$cfg['Servers'][$i]['auth_type'] = 'cookie';
# Reject logins with an empty password.
$cfg['Servers'][$i]['AllowNoPassword'] = false;
# Reject any login as the MySQL root user.
$cfg['Servers'][$i]['AllowRoot'] = false;

?>

Save the file when you’re done editing by pressing CTRL + X then y to confirm changes and ENTER. The changes will apply automatically. If you reload the login page now and try to log in as root, you will get an Access Denied error:

Root login is now prohibited on your phpMyAdmin installation. This blocks brute-force scripts from using phpMyAdmin to guess the root database password, and it enforces the use of less-privileged MySQL accounts for the web interface, which is an important security practice in its own right.
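
As an added example that is not part of the original tutorial, the following script produces the same hardening file with a freshly generated blowfish_secret instead of the sample string printed above, which should never be copied into a real installation. It assumes the target path /etc/phpmyadmin/conf.d/pma_secure.php from this step (another path can be passed as the first argument) and writes nothing unless PMA_SECURE_WRITE=1 is set, so it can also be sourced for its functions.

```sh
#!/bin/sh
# Added example, not part of the original tutorial: generate a fresh random
# blowfish_secret and write the hardening file from it, instead of copying the
# sample secret shown in the guide into every install.
# Assumption: the target defaults to /etc/phpmyadmin/conf.d/pma_secure.php,
# the path the guide uses; pass another path as the first argument.
set -eu

# 32 characters from /dev/urandom, limited to a set that is safe inside a
# single-quoted PHP string (no quote, no backslash).
gen_blowfish_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9!#%&()*+,-./:;<=>?@^_{|}~' </dev/urandom | head -c 32
}

write_pma_secure() {
    target="${1:-/etc/phpmyadmin/conf.d/pma_secure.php}"
    secret="$(gen_blowfish_secret)"

    # The $ signs of the PHP code are escaped so the shell leaves them alone;
    # only $secret is expanded into the heredoc.
    cat >"$target" <<EOF
<?php
// Written by the helper script; the secret is unique to this installation.
\$cfg['blowfish_secret'] = '$secret';

\$i = 0;
\$i++;

\$cfg['Servers'][\$i]['auth_type'] = 'cookie';
\$cfg['Servers'][\$i]['AllowNoPassword'] = false;
\$cfg['Servers'][\$i]['AllowRoot'] = false;
EOF

    # The secret protects the cookie session data: keep the file unreadable to
    # other local users, but readable by the group PHP-FPM runs as (www-data
    # on Debian). The chown only succeeds when run as root.
    chmod 640 "$target"
    chown root:www-data "$target" 2>/dev/null || \
        echo "note: make $target readable by the group PHP-FPM runs as" >&2

    # Catch a syntax slip before phpMyAdmin's login page goes blank; only
    # possible when a PHP command-line binary is installed.
    if command -v php >/dev/null 2>&1; then
        php -l "$target" >/dev/null
    fi
}

# Only write when asked to, so the file can also be sourced for its functions:
#   sudo env PMA_SECURE_WRITE=1 sh pma_secure.sh
if [ "${PMA_SECURE_WRITE:-0}" = "1" ]; then
    write_pma_secure "${1:-}"
fi
```

Run it as root with `sudo env PMA_SECURE_WRITE=1 sh pma_secure.sh`; the php -l check is skipped when no PHP CLI is installed, which phpMyAdmin itself does not require.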

Step 4 — Creating an Authentication Gateway

Hiding your phpMyAdmin installation on an unusual location might sidestep some automated bots scanning the network, but it’s useless against targeted attacks. To better protect a web application with restricted access, it’s generally more effective to stop attackers before they can even reach the application. This way, they’ll be unable to use generic exploits and brute-force attacks to guess access credentials.

In the specific case of phpMyAdmin, it’s even more important to keep the login interface locked away. By keeping it open to the world, you’re offering a brute-force platform for attackers to guess your database credentials.

Adding an extra layer of authentication to your phpMyAdmin installation enables you to increase security. Users will be required to pass through an HTTP authentication prompt before ever seeing the phpMyAdmin login screen. Most web servers, including Nginx, provide this capability natively.

To set this up, we first need to create a password file to store the authentication credentials. Nginx's auth_basic module accepts passwords hashed with the system crypt() function as well as the Apache-style $apr1$ (salted MD5) format, and the OpenSSL suite, which should already be installed on your server, can produce both. One caveat: with the OpenSSL 1.1.0 shipped in Debian 9, a plain openssl passwd with no algorithm option emits the legacy DES-based crypt() format, which only uses the first 8 characters of the password. For a real password prefer openssl passwd -apr1 (or -6 for SHA-512 crypt, where both your OpenSSL release and the system crypt() support it).

To create an encrypted password, type:

  • openssl passwd

You will be prompted to enter and confirm the password that you wish to use. The utility will then display the password hash, which for the default crypt() format is a 13-character string like this (with -apr1 it is a longer string starting with $apr1$):

Output
O5az.RSPzd.HE

Copy this value, as you will need to paste it into the authentication file we’ll be creating.

Now, create an authentication file. We’ll call this file pma_pass and place it in the Nginx configuration directory:

  • sudo nano /etc/nginx/pma_pass

In this file, specify the username you would like to use, followed by a colon (:), followed by the password hash you received from the openssl passwd utility.

We are going to name our user sammy, but you should choose a different username. The file should look like this:

/etc/nginx/pma_pass
sammy:O5az.RSPzd.HE

Save and close the file when you’re done.

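
The following helper, an added example rather than code from the original guide, builds and checks pma_pass entries with the $apr1$ (salted MD5) format that Nginx accepts, instead of the legacy DES crypt() output shown above, and passes the password to openssl on stdin so it is not exposed on the command line. It assumes openssl is installed, defaults the file to /etc/nginx/pma_pass as used in this step, and assumes the Nginx workers run as the www-data group as on Debian.

```sh
#!/bin/sh
# Added example, not part of the original tutorial: create and check entries
# for the Nginx auth_basic password file with the salted MD5 "apr1" scheme
# (which Nginx accepts alongside crypt()) rather than the DES crypt() that a
# bare "openssl passwd" produces.
# Assumptions: openssl is installed; the file defaults to /etc/nginx/pma_pass,
# the name used in the guide; the Nginx worker group is www-data as on Debian.
set -eu

# Print "user:$apr1$salt$hash". The password goes to openssl on stdin so it
# never appears on the command line (visible in ps) or in shell history.
make_htpasswd_entry() {
    user="$1"; password="$2"
    case "$user" in
        ''|*:*|*' '*) echo "refusing user name '$user'" >&2; return 1 ;;
    esac
    digest="$(printf '%s\n' "$password" | openssl passwd -apr1 -stdin)"
    printf '%s:%s\n' "$user" "$digest"
}

# Check a password against a stored entry the way Nginx does: re-hash the
# candidate with the salt taken from the entry and compare. 0 means match.
verify_htpasswd_entry() {
    entry="$1"; password="$2"
    stored="${entry#*:}"
    case "$stored" in
        '$apr1$'*) ;;
        *) echo "not an apr1 entry: $stored" >&2; return 2 ;;
    esac
    salt="$(printf '%s' "$stored" | cut -d'$' -f3)"
    computed="$(printf '%s\n' "$password" | openssl passwd -apr1 -salt "$salt" -stdin)"
    [ "$computed" = "$stored" ]
}

# Add or replace one user in the file, writing it atomically and keeping it
# readable only by root and the Nginx workers (chown needs root).
add_htpasswd_user() {
    user="$1"; password="$2"; file="${3:-/etc/nginx/pma_pass}"
    entry="$(make_htpasswd_entry "$user" "$password")"
    tmp="$(mktemp)"
    if [ -f "$file" ]; then
        grep -v "^$user:" "$file" >"$tmp" || true   # grep -v exits 1 when nothing is left
    fi
    printf '%s\n' "$entry" >>"$tmp"
    chmod 640 "$tmp"
    mv "$tmp" "$file"
    chown root:www-data "$file" 2>/dev/null || \
        echo "note: give $file to the group Nginx runs as" >&2
}

# Usage:  add_htpasswd_user sammy 'a long passphrase' /etc/nginx/pma_pass
```

The verify function re-hashes a candidate password with the salt stored in the entry, which is what Nginx does at request time, so it is a quick way to confirm that the entry you wrote matches the password you think you set before you lock yourself out.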
Now we’re ready to modify the Nginx configuration file. For this guide, we’ll use the configuration file located at /etc/nginx/sites-available/example.com. You should use the relevant Nginx configuration file for the web location where phpMyAdmin is currently hosted. Open this file in your text editor to get started:

  • sudo nano /etc/nginx/sites-available/example.com

Locate the server block, and the location / section within it. We need to create a new location section within this block to match phpMyAdmin’s current path on the server. In this guide, phpMyAdmin’s location relative to the web root is /nothingtosee:

/etc/nginx/sites-available/example.com
server {
    . . .

        location / {
                try_files $uri $uri/ =404;
        }

        location /nothingtosee {
                # Settings for phpMyAdmin will go here
        }

    . . .
}

Within this block, we'll need to set up two directives: auth_basic, which enables HTTP Basic authentication and sets the realm text shown in the login prompt, and auth_basic_user_file, which points to the file we just created. This is how your configuration file should look when you're finished:

/etc/nginx/sites-available/example.com
server {
    . . .

        location /nothingtosee {
                auth_basic "Admin Login";
                auth_basic_user_file /etc/nginx/pma_pass;
        }


    . . .
}

Save and close the file when you’re done. To check if the configuration file is valid, you can run:

  • sudo nginx -t

The following output is expected:

Output
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

To activate the new authentication gate, you must reload the web server:

  • sudo systemctl reload nginx

Now, if you visit the phpMyAdmin URL in your web browser, you should be prompted for the username and password you added to the pma_pass file:

https://server_domain_or_IP/nothingtosee

Once you enter your credentials, you’ll be taken to the standard phpMyAdmin login page.

Note: If refreshing the page does not work, you may have to clear your cache or use a different browser session if you’ve already been using phpMyAdmin.

In addition to providing an extra layer of security, this gateway will help keep your MySQL logs clean of spammy authentication attempts.

Step 5 — Setting Up Access via Encrypted Tunnels (Optional)

For increased security, it is possible to lock down your phpMyAdmin installation to authorized hosts only. You can whitelist authorized hosts in your Nginx configuration file, so that any request coming from an IP address that is not on the list will be denied.

Even though this feature alone can be enough in some use cases, it’s not always the best long-term solution, mainly due to the fact that most people don’t access the Internet from static IP addresses. As soon as you get a new IP address from your Internet provider, you’ll be unable to get to the phpMyAdmin interface until you update the Nginx configuration file with your new IP address.

For a more robust long-term solution, you can use IP-based access control to create a setup in which users will only have access to your phpMyAdmin interface if they’re accessing from either an authorized IP address or localhost via SSH tunneling. We’ll see how to set this up in the sections below.

Combining IP-based access control with SSH tunneling greatly increases security because it fully blocks access coming from the public internet (except for authorized IPs), in addition to providing a secure channel between user and server through the use of encrypted tunnels.

Setting Up IP-Based Access Control on Nginx

On Nginx, IP-based access control can be defined in the corresponding location block of a given site, using the directives allow and deny. For instance, if we want to only allow requests coming from a given host, we should include the following two lines, in this order, inside the relevant location block for the site we would like to protect:

allow hostname_or_IP;
deny all;

You can allow as many hosts as you want, you only need to include one allow line for each authorized host/IP inside the respective location block for the site you’re protecting. The directives will be evaluated in the same order as they are listed, until a match is found or the request is finally denied due to the deny all directive.

We’ll now configure Nginx to only allow requests coming from localhost or your current IP address. First, you’ll need to know the current public IP address your local machine is using to connect to the Internet. There are various ways to obtain this information; for simplicity, we’re going to use the service provided by ipinfo.io. You can either open the URL https://ipinfo.io/ip in your browser, or run the following command from your local machine:

  • curl https://ipinfo.io/ip

You should get a simple IP address as output, like this:

Output
203.0.113.111

That is your current public IP address. We’ll configure phpMyAdmin’s location block to only allow requests coming from that IP, in addition to localhost. We’ll need to edit once again the configuration block for phpMyAdmin inside /etc/nginx/sites-available/example.com.

Open the Nginx configuration file using your command-line editor of choice:

  • sudo nano /etc/nginx/sites-available/example.com

Because we already have an access rule within our current configuration, we need to combine it with IP-based access control using the directive satisfy all. This way, we can keep the current HTTP authentication prompt for increased security.

This is how your phpMyAdmin Nginx configuration should look after you're done editing:

/etc/nginx/sites-available/example.com
server {
    . . .

    location /nothingtosee {
        satisfy all; #requires both conditions

        allow 203.0.113.111; #allow your IP
        allow 127.0.0.1; #allow localhost via SSH tunnels
        deny all; #deny all other sources

        auth_basic "Admin Login";
        auth_basic_user_file /etc/nginx/pma_pass;
    }

    . . .
}

Remember to replace nothingtosee with the actual path where phpMyAdmin can be found, and 203.0.113.111 with your current public IP address (a CIDR range such as 203.0.113.0/24 is also accepted by an allow directive). One caveat for the SSH tunnel case: the tunnel command in the next section forwards to localhost on the server, and if that name resolves to ::1 there and Nginx also listens on IPv6, tunnelled requests arrive from ::1 rather than 127.0.0.1 and will be denied. Either add allow ::1; next to the allow 127.0.0.1; line, or forward to 127.0.0.1 instead of localhost in the ssh command.

Save and close the file when you’re done. To check if the configuration file is valid, you can run:

  • sudo nginx -t

The following output is expected:

Output
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Now reload the web server so the changes take effect:

  • sudo systemctl reload nginx

Because your IP address is explicitly listed as an authorized host, your access shouldn’t be disturbed. Anyone else trying to access your phpMyAdmin installation will now get a 403 error (Forbidden):

https://server_domain_or_IP/nothingtosee

In the next section, we’ll see how to use SSH tunneling to access the web server through local requests. This way, you’ll still be able to access phpMyAdmin’s interface even when your IP address changes.

Accessing phpMyAdmin Through an Encrypted Tunnel

SSH tunneling is a way of carrying network traffic through an encrypted channel. By running an ssh command similar to the one you use to log into a server, you can create a secure "tunnel" between your local machine and that server: everything sent to a given local port is carried through the encrypted SSH connection and delivered by the remote server to the destination you specify, here its own web server. It's similar to what happens when you use a VPN (Virtual Private Network), but SSH tunneling is much simpler to set up.

We’ll use SSH tunneling to proxy our requests to the remote web server running phpMyAdmin. By creating a tunnel between your local machine and the server where phpMyAdmin is installed, you can redirect local requests to the remote web server, and what’s more important, traffic will be encrypted and requests will reach Nginx as if they’re coming from localhost. This way, no matter what IP address you’re connecting from, you’ll be able to securely access phpMyAdmin’s interface.

Because the traffic between your local machine and the remote web server will be encrypted, this is a safe alternative for situations where you can’t have an SSL/TLS certificate installed on the web server running phpMyAdmin.

From your local machine, run this command whenever you need access to phpMyAdmin:

  • ssh user@server_domain_or_IP -L 8000:localhost:80 -L 8443:localhost:443 -N

Let’s examine each part of the command:

  • user: SSH user to connect to the server where phpMyAdmin is running

  • server_domain_or_IP: SSH host where phpMyAdmin is running

  • -L 8000:localhost:80 redirects HTTP traffic on port 8000

  • -L 8443:localhost:443 redirects HTTPS traffic on port 8443

  • -N: do not execute remote commands

Note: This command will block the terminal until interrupted with CTRL+C, which ends the SSH connection and stops the port forwarding. If you'd prefer to run it in the background, add the SSH option -f; you will then need to find and kill the ssh process yourself when you're done.

Now, go to your browser and replace server_domain_or_IP with localhost:PORT, where PORT is either 8000 for HTTP or 8443 for HTTPS:

http://localhost:8000/nothingtosee
https://localhost:8443/nothingtosee

Note: If you're accessing phpMyAdmin via https, you might get a browser warning about the SSL certificate. This happens because the name you typed (localhost) doesn't match the name on the certificate (the domain where phpMyAdmin is actually served). In this particular situation, where the connection is already protected by the SSH tunnel, you can proceed past the warning, but be aware that the browser is then not validating the certificate at all. If you'd rather keep validation, map the certificate's name to 127.0.0.1 on your local machine (for example with an entry in your local hosts file) and browse to https://server_domain:8443/nothingtosee instead.

All requests on localhost:8000 (HTTP) and localhost:8443 (HTTPS) are now being redirected through a secure tunnel to your remote phpMyAdmin application. Not only have you increased security by disabling public access to your phpMyAdmin, you also protected all traffic between your local computer and the remote server by using an encrypted tunnel to send and receive data.

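
As an added example (not code from the original tutorial), the following wrapper packages the tunnel workflow from this section: it backgrounds ssh on a control socket so the tunnel can be checked and closed again, uses ExitOnForwardFailure so a failed port forward is not silently left in the background, forwards to 127.0.0.1 rather than localhost on the server so the request always matches allow 127.0.0.1, and fetches the phpMyAdmin page with curl --resolve so the certificate is validated against its real name instead of being waved through as a localhost mismatch. The SSH target user@server_domain_or_IP, the certificate name example.com, the path /nothingtosee and the local port 8443 are assumed values that can be overridden through the environment.

```sh
#!/bin/sh
# Added example, not part of the original tutorial: a wrapper for the SSH
# tunnel from this step. It backgrounds ssh on a control socket (so the tunnel
# can be checked and closed again), refuses to background if the port forward
# could not be set up, and fetches phpMyAdmin through the tunnel with curl
# while still validating the server's certificate.
# Assumed values, all overridable through the environment: SSH target
# user@server_domain_or_IP, certificate name example.com, path /nothingtosee,
# local port 8443.
set -eu

SSH_TARGET="${SSH_TARGET:-user@server_domain_or_IP}"
CERT_NAME="${CERT_NAME:-example.com}"      # name on the server's certificate
PMA_PATH="${PMA_PATH:-/nothingtosee}"
LOCAL_PORT="${LOCAL_PORT:-8443}"
# Keep the control socket in a directory only you can write to.
CTRL_SOCK="${CTRL_SOCK:-${HOME:-/tmp}/.ssh/pma-tunnel.sock}"

# Forward local 8443 to 127.0.0.1:443 on the server (not "localhost": if that
# resolved to ::1 the request would not match "allow 127.0.0.1" in Nginx).
# -f -N with ExitOnForwardFailure backgrounds ssh only once the forward is up.
tunnel_open() {
    ssh -f -N -M -S "$CTRL_SOCK" -o ExitOnForwardFailure=yes \
        -L "${LOCAL_PORT}:127.0.0.1:443" "$SSH_TARGET"
}
tunnel_status() { ssh -S "$CTRL_SOCK" -O check "$SSH_TARGET"; }
tunnel_close()  { ssh -S "$CTRL_SOCK" -O exit  "$SSH_TARGET"; }

# Browse as https://example.com:8443/... but connect to 127.0.0.1: curl then
# sends the real name (SNI and Host) and checks the certificate against it,
# instead of having to ignore a "localhost" mismatch.
pma_url()          { printf 'https://%s:%s%s\n' "$CERT_NAME" "$LOCAL_PORT" "$PMA_PATH"; }
curl_resolve_arg() { printf '%s:%s:127.0.0.1\n' "$CERT_NAME" "$LOCAL_PORT"; }

# HTTP status of the phpMyAdmin page through the tunnel. Without the gateway
# credentials (-u user) expect 401; with them, 200; from a denied source, 403.
pma_http_status() {
    curl -sS -o /dev/null -w '%{http_code}\n' \
        --resolve "$(curl_resolve_arg)" "$@" "$(pma_url)"
}

case "${1:-}" in
    open)   tunnel_open ;;
    status) tunnel_status ;;
    close)  tunnel_close ;;
    check)  shift; pma_http_status "$@" ;;
    '')     ;;   # no verb: only define the functions (e.g. when sourced)
    *)      echo "usage: $0 open|status|close|check [curl options, e.g. -u sammy]" >&2; exit 2 ;;
esac
```

Typical use is `sh pma_tunnel.sh open`, then `sh pma_tunnel.sh check -u sammy` to see the status code through the tunnel, and `sh pma_tunnel.sh close` when done; `status` tells you whether the background tunnel is still alive without having to hunt for the ssh process.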
If you'd like to enforce the use of SSH tunneling for anyone who wants access to your phpMyAdmin interface (including you), remove the other authorized IPs from the Nginx configuration file, leaving 127.0.0.1 as the only allowed source for that location. Since nobody can then make direct requests to phpMyAdmin from the internet, you can remove the HTTP authentication to simplify your setup. Keep in mind, though, that "localhost" includes every process and account on the server itself: if other people have shell access to the machine, or another service on it could be compromised, keeping the HTTP authentication in place is still worthwhile. This is how your configuration file would look in the SSH-only scenario:

/etc/nginx/sites-available/example.com
server {
    . . .

    location /nothingtosee { 
        allow 127.0.0.1; #allow localhost only
        deny all; #deny all other sources
    }

    . . .
}

Once you reload Nginx’s configuration with sudo systemctl reload nginx, your phpMyAdmin installation will be locked down and users will be required to use SSH tunnels in order to access phpMyAdmin’s interface via redirected requests.

Conclusion

In this tutorial, we saw how to install phpMyAdmin on Debian 9 with Nginx as the web server. We also covered methods to secure a phpMyAdmin installation, such as changing its location, disabling root login, adding an extra layer of authentication, and using SSH tunneling to reach phpMyAdmin via local requests only.

After completing this tutorial, you should be able to manage your MySQL databases from a reasonably secure web interface. This user interface exposes most of the functionality available via the MySQL command line. You can browse databases and schema, execute queries, and create new data sets and structures.

Translated from: https://www.digitalocean.com/community/tutorials/how-to-install-and-secure-phpmyadmin-with-nginx-on-a-debian-9-server
