In this blog post I will show you how to secure phpMyAdmin so that you can safely use it to manage your databases. I assume you are using Ubuntu 16 and have already installed phpMyAdmin in /var/www/html/pma.
Prerequisites
Download https://github.com/itemir/apache_2fa/archive/master.zip and extract it to /var/www/a2fa/
Install onetimepass
pip install onetimepass
Configuration
Create a directory for storing the session state files
mkdir /var/www/a2fa/state
Adjust permissions
chown -R www-data:www-data /var/www/a2fa
chmod 750 /var/www/a2fa/state
chmod 755 /var/www/a2fa/auth
chmod 755 /var/www/a2fa/state_clean
chmod 640 /var/www/a2fa/tokens.json
Enable Apache modules
a2enmod rewrite
a2enmod auth_digest
a2enmod cgid
service apache2 restart
Edit vhost
nano /etc/apache2/sites-available/default-ssl.conf
Add this block inside the VirtualHost block:
# a2fa
ScriptAlias /auth/ /var/www/a2fa/
<Directory /var/www/a2fa>
    AuthType Digest
    AuthName "yourdomain.com"
    AuthDigestDomain /
    AuthDigestProvider file
    AuthUserFile /var/www/a2fa/apache_credentials
    Require valid-user
</Directory>
# a2fa protected pma
<Directory /var/www/html/pma>
    AuthType Digest
    AuthName "yourdomain.com"
    AuthDigestDomain /
    AuthDigestProvider file
    AuthUserFile /var/www/a2fa/apache_credentials
    Require valid-user
</Directory>
Create or edit the .htaccess file in the phpMyAdmin directory and add the text below:
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/auth/
RewriteCond %{HTTP_COOKIE} !^.*2FA_Auth=([a-zA-Z0-9]+)
RewriteRule ^(.*)$ /auth/auth?$1?%{QUERY_STRING} [L,R=302]
RewriteCond %{REQUEST_URI} !^/auth/
RewriteCond %{HTTP_COOKIE} ^.*2FA_Auth=([a-zA-Z0-9]+)
RewriteCond /var/www/a2fa/state/%1 !-f
RewriteRule ^(.*)$ /auth/auth?/pma
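The two rule sets above make a three-way decision: no 2FA_Auth cookie means a redirect to the auth CGI, a cookie whose value has no matching file under /var/www/a2fa/state means a redirect as well, and only a cookie with a live state file lets phpMyAdmin serve the request. The following Python is an added example that is not part of the original post or of apache_2fa; it reproduces that decision on constructed requests against a temporary state directory so you can see each branch, including why the `[a-zA-Z0-9]+` capture matters: it is the only thing that reaches the `-f` file test, so a cookie value containing `/` or `.` never matches at all.

```python
import os
import re
import tempfile

# Same capture as the .htaccess RewriteCond: only [a-zA-Z0-9]+ is accepted as the
# cookie value, so the %1 that feeds the "-f" file test can never contain "/" or "..".
COOKIE_RE = re.compile(r"2FA_Auth=([a-zA-Z0-9]+)")


def route_request(request_uri: str, cookie_header: str, state_dir: str) -> str:
    """Reproduce the .htaccess decision for one request.

    "serve"          - phpMyAdmin may handle the request
    "redirect_login" - no 2FA_Auth cookie: rule 1 sends the browser to /auth/auth
    "redirect_stale" - cookie present but no state file: rule 2 sends it back to /auth/auth
    """
    # Both rule sets start with RewriteCond %{REQUEST_URI} !^/auth/ so the CGI stays reachable.
    if request_uri.startswith("/auth/"):
        return "serve"
    match = COOKIE_RE.search(cookie_header)
    if match is None:
        return "redirect_login"
    # RewriteCond /var/www/a2fa/state/%1 !-f : the auth CGI creates this file after a good
    # code and state_clean removes old ones, so an expired or made-up cookie fails here.
    if not os.path.isfile(os.path.join(state_dir, match.group(1))):
        return "redirect_stale"
    return "serve"


def demo() -> dict:
    """Run constructed requests against a temporary state directory (sample data, not real state)."""
    with tempfile.TemporaryDirectory() as state_dir:
        # Constructed: one valid session token, as the auth CGI would have written it.
        open(os.path.join(state_dir, "k7Q2xv9L"), "w").close()
        cases = {
            "no_cookie": ("/pma/index.php", "", state_dir),
            "valid": ("/pma/index.php", "PHPSESSID=abc; 2FA_Auth=k7Q2xv9L", state_dir),
            "expired": ("/pma/index.php", "2FA_Auth=QQQQQQQQ", state_dir),
            "non_alnum": ("/pma/index.php", "2FA_Auth=../../etc/passwd", state_dir),
            "auth_cgi": ("/auth/auth", "", state_dir),
        }
        return {name: route_request(*args) for name, args in cases.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:10s} -> {decision}")
```

Running it shows the "expired" and "non_alnum" cases landing in different branches: a well-formed but unknown token fails the file test, while a value with non-alphanumeric characters is treated exactly like a missing cookie.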
Generate your auth key at https://daplie.github.io/browser-authenticator/, then put the key in /var/www/a2fa/tokens.json
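The key you store in tokens.json is a base32 TOTP secret; the auth CGI accepts a code only if it matches the one derived from that secret for the current 30-second step. The Python below is an added example, not code from the original post or from apache_2fa, that implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library (no onetimepass dependency) and checks the result against the RFC 6238 test vector. The tokens.json shape it assumes, a plain `{"user": "BASE32SECRET"}` mapping, is an assumption and not taken from the page.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 6238 reference secret (ASCII "12345678901234567890" in base32). Constructed test
# data only; a real tokens.json holds the secret generated for your own account.
RFC6238_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[float] = None, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / 30)."""
    at = time.time() if at is None else at
    return hotp(secret_b32, int(at // STEP_SECONDS), digits)


def verify_totp(secret_b32: str, code: str, at: Optional[float] = None, window: int = 1) -> bool:
    """Accept the current step and +/- window neighbours (clock skew); compare in constant time."""
    at = time.time() if at is None else at
    counter = int(at // STEP_SECONDS)
    return any(
        hmac.compare_digest(hotp(secret_b32, counter + delta), code)
        for delta in range(-window, window + 1)
    )


def verify_user(tokens: dict, user: str, code: str, at: Optional[float] = None) -> bool:
    """Look the user up in a tokens.json-style mapping (assumed shape: {"user": "BASE32SECRET"})."""
    secret = tokens.get(user)
    return secret is not None and verify_totp(secret, code, at)


if __name__ == "__main__":
    # Constructed mapping in the assumed tokens.json shape.
    tokens = {"alice": RFC6238_SECRET}
    print("current code for alice:", totp(RFC6238_SECRET))
    print("RFC 6238 vector at T=59:", totp(RFC6238_SECRET, at=59))
```

The one-step window keeps a code valid for up to 30 seconds either side of the server clock, which is why an authenticator and a server that drift by a minute or more will stop agreeing; the fix is NTP on the server, not a wider window.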
Add a new user by running this command
htdigest /var/www/a2fa/apache_credentials yourdomain.com <new_user>
Delete the test_user in /var/www/a2fa/apache_credentials
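Each line htdigest writes has the form `user:realm:HA1`, where HA1 is MD5 of `user:realm:password`, and Digest auth only succeeds when the realm in that line equals the AuthName in the vhost. The Python below is an added example, not code from the original post or from apache_2fa, that computes HA1 the same way and audits a credentials file for the two mistakes this step can leave behind: a realm that does not match AuthName and a leftover test_user. The file contents are constructed sample data.

```python
import hashlib
from typing import List

# Constructed sample of an apache_credentials file; the hashes are placeholders, not real HA1s.
SAMPLE_CREDENTIALS = """\
test_user:yourdomain.com:0123456789abcdef0123456789abcdef
alice:yourdomain.com:fedcba9876543210fedcba9876543210
bob:example.org:00112233445566778899aabbccddeeff
carol:yourdomain.com:notahash
"""


def digest_ha1(user: str, realm: str, password: str) -> str:
    """HA1 as htdigest stores it: MD5("user:realm:password"), hex encoded (RFC 2617)."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()


def audit_digest_file(contents: str, expected_realm: str,
                      forbidden_users=("test_user",)) -> List[str]:
    """Return one finding per problem; an empty list means the file is consistent with AuthName."""
    findings = []
    seen = set()
    for lineno, line in enumerate(contents.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        ha1 = parts[2] if len(parts) == 3 else ""
        if len(parts) != 3 or len(ha1) != 32 or any(c not in "0123456789abcdef" for c in ha1):
            findings.append(f"line {lineno}: malformed entry")
            continue
        user, realm, _ = parts
        if realm != expected_realm:
            findings.append(f"line {lineno}: realm {realm!r} does not match AuthName "
                            f"{expected_realm!r}; Digest login for {user!r} will fail")
        if user in forbidden_users:
            findings.append(f"line {lineno}: placeholder account {user!r} still present")
        if user in seen:
            findings.append(f"line {lineno}: duplicate user {user!r}")
        seen.add(user)
    return findings


if __name__ == "__main__":
    for finding in audit_digest_file(SAMPLE_CREDENTIALS, "yourdomain.com"):
        print(finding)
```

To audit the real file, read /var/www/a2fa/apache_credentials and pass the AuthName from default-ssl.conf as `expected_realm`; the realm check is the one that catches a copy-pasted `htdigest` command run with a different domain than the vhost uses.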
Finally, add a cron job that cleans up the state files every hour
crontab -e
And add this line at the bottom
0 * * * * /var/www/a2fa/state_clean