2
votes

I've configured a webserver with Nginx. Now, I have an instance of MariaDB running with PhpMyAdmin as management gui. It is all working as it is supposed to. I am still learning Nginx and all webserver related things since I started last year.

I have every app that I run protected with an SSL certificate, so the connection to PhpMyAdmin is over https every time I visit the url where the app is located.


    server {
      listen 80;
      listen [::]:80;
      server_name sub.example.com;

      location / {
        rewrite ^ https://$host$request_uri? permanent;
      }
    }

    server {
      listen 443 ssl http2;
      listen [::]:443 ssl;
      server_name sub.example.com;

      gzip off;
      server_tokens off;

      ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
      ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

      ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;

      ssl_ecdh_curve secp384r1;
      ssl_session_tickets off;
      ssl_dhparam /etc/ssl/certs/dhparam-4096.pem;

      # OCSP stapling
      ssl_stapling on;
      ssl_stapling_verify on;
      resolver 8.8.8.8;

      # SSL sessions
      ssl_session_cache shared:SSL:10m;
      ssl_session_timeout 10m;

      add_header X-Frame-Options DENY;
      add_header X-Content-Type-Options nosniff;
      add_header X-XSS-Protection "1; mode=block";
      add_header Strict-Transport-Security "max-age=0; includeSubDomains";

      location / {
        proxy_pass ip:port;
      }
    }

Still, improvements are possible I think, but here is my question: like I said, PhpMyAdmin is running over https via Nginx. But PhpMyAdmin itself shows a message that there is a mismatch:

This message is readable on the login page

After login, I see a warning under database

I looked at the docs for the above warning from PhpMyAdmin itself

I made the connection available in a config.user.inc.php file, and tried to include the ssl lines in there. I've done a lot of research in the last couple of days to fix this. With my setup as described, is PhpMyAdmin protected, or is only the server side protected? I read in a post somewhere that it's enough to leave the encryption to nginx only.

How can I make sure that PhpMyAdmin is running securely? Besides that, is the documentation mentioned above deprecated for the recent PhpMyAdmin version, or can I use that instead? And what about the cert files: I wrote down two paths to the certificate files in the Nginx conf file. Which files do I need to fill in at the ssl configuration lines for PMA? I mean, are those different files because more are needed? An example is this post:

    $cfg['Servers'][$i]['ssl'] = true;
    $cfg['Servers'][$i]['ssl_cert'] = '/etc/mysql/client-cert.pem';
    $cfg['Servers'][$i]['ssl_ca'] = '/etc/mysql/ca-cert.pem';
    $cfg['Servers'][$i]['ssl_key'] = '/etc/mysql/client-key.pem';

Edit: I only have these cert files

If I can figure it out with adding it to the pma config, which files match which line?


2 Answers

1
votes

I think you might be misunderstanding the ssl options in the pma config.

This does not encrypt traffic between your web browser and phpmyadmin, but rather the connection between phpmyadmin and your mysql server, and it has to be set up on your mysql server.

If your mysql server is only listening on localhost and your phpmyadmin and mysql servers are on the same machine, you don't need to set this.

0
votes

Connect via TCP/IP instead of Socket (localhost). That would let you verify that form of connection and let you test with and without SSL.

It may be appropriate to test from a separate physical machine, but I don't know if that will actually exercise anything different than a same-machine TCP/IP connection.
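To check what the first answer describes (the `ssl` options cover the phpMyAdmin-to-MariaDB hop, not the browser) and to run the with/without-SSL comparison over TCP that the second answer suggests, here is an added example script; it is not from the question, the answers or the phpMyAdmin project, and it assumes a MariaDB on 127.0.0.1:3306 with TLS enabled in its server config, a read-only account `pma_check`, and the CA file path taken from the config sample in the question.

```php
<?php
// Added example: open two MySQL-protocol sessions over TCP, one plain and one
// with TLS, and report the Ssl_cipher/Ssl_version the server negotiated.
// Assumed values: host, port, user, password env var and CA path (replace them).

$host = '127.0.0.1';  // TCP endpoint; the unix socket (localhost) never uses TLS
$port = 3306;
$user = 'pma_check';
$pass = getenv('PMA_CHECK_PASSWORD') ?: '';
$ca   = '/etc/mysql/ca-cert.pem';  // CA that signed the MariaDB server certificate

// Returns the session's TLS status: Ssl_cipher is '' when the link is in the clear.
function tlsStatus(mysqli $db): array {
    $status = ['Ssl_cipher' => '', 'Ssl_version' => ''];
    $res = $db->query(
        "SHOW SESSION STATUS WHERE Variable_name IN ('Ssl_cipher', 'Ssl_version')"
    );
    while ($row = $res->fetch_assoc()) {
        $status[$row['Variable_name']] = $row['Value'];
    }
    return $status;
}

// Make mysqli throw instead of returning false, so failures are visible below.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

foreach ([false, true] as $useTls) {
    $db = mysqli_init();
    $flags = 0;
    if ($useTls) {
        // No client cert/key: only needed if the account is created with REQUIRE X509.
        // Verifying the server cert against the CA is what stops an in-path attacker;
        // encryption without verification is the "ssl_verify = false" case in phpMyAdmin.
        $db->ssl_set(null, null, $ca, null, null);
        $db->options(MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);
        $flags = MYSQLI_CLIENT_SSL;
    }
    try {
        $db->real_connect($host, $user, $pass, null, $port, null, $flags);
        $st = tlsStatus($db);
        printf("tls=%s cipher=%s version=%s\n", $useTls ? 'on' : 'off',
               $st['Ssl_cipher'] !== '' ? $st['Ssl_cipher'] : '(none)',
               $st['Ssl_version'] !== '' ? $st['Ssl_version'] : '(none)');
        $db->close();
    } catch (mysqli_sql_exception $e) {
        // If the account was created with REQUIRE SSL, the plain attempt should fail here.
        printf("tls=%s connect failed: %s\n", $useTls ? 'on' : 'off', $e->getMessage());
    }
}
```

The matching phpMyAdmin settings for this check are `host = '127.0.0.1'`, `ssl = true`, `ssl_ca = <CA file>` and `ssl_verify = true`; with `ssl_verify` left off the hop is encrypted but the server is not authenticated.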