Securing links

By default, your web server allows anyone to connect to it via the browser. This is a good thing, as you want your website to be accessible. However, there may be pages you wish to restrict so that only you can use them. An example of this would be phpmyadmin.

The website https://mysuperweb.co.uk is accessible by anyone on the internet; however, my database is also accessible by anyone at https://mysuperweb.co.uk/phpmyadmin. The database would contain very important files regarding the website, and it's vital that no one other than authorized personnel is able to view the database.

Whilst there is an active SSL certificate to encrypt the connection, it doesn’t stop people from brute-forcing their way into my database; people can keep guessing the password non-stop. This causes issues for legitimate users of the website, as the guessing consumes resources, and the person guessing may eventually get the password correct.

We will require a password to view the link https://mysuperweb.co.uk/phpmyadmin first; afterwards, visitors will also be asked for another password by phpmyadmin itself to view the database.

We would need to edit the following file to allow the .htaccess file to work within the phpmyadmin directory:

sudo nano /etc/phpmyadmin/apache.conf

Inside this file you will have the following contents:

<Directory /usr/share/phpmyadmin>
	Options FollowSymLinks
	DirectoryIndex index.php

We will add the following line, “AllowOverride All”. This will give us:

<Directory /usr/share/phpmyadmin>
	Options FollowSymLinks
	DirectoryIndex index.php
	AllowOverride All

The next step is to define the rules in the .htaccess file. The file lives in the phpmyadmin directory; open it with:

sudo nano /usr/share/phpmyadmin/.htaccess

Within this file we will enter the following directives:

AuthType Basic
AuthName "Restricted Files"
AuthUserFile /etc/apache2/.phpmyadmin.htpasswd
Require valid-user

You can set “AuthName” to any value you wish; this is the value shown at login. It should be something informative for the user to understand.

The authorized users will be defined at “/etc/apache2/.phpmyadmin.htpasswd”. To create the users we will use the following command:

sudo htpasswd -c /etc/apache2/.phpmyadmin.htpasswd username

You will be prompted to create a password for the user “username”. The last step is to restart the service so the changes can take effect:

sudo service apache2 restart

When we visit https://mysuperweb.co.uk/phpmyadmin we log in with the username “username” and our password. This will then bring us to the default phpmyadmin login page itself.

You can review the list of authorized users at:

more /etc/apache2/.phpmyadmin.htpasswd
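
Each line of that file has the form user:hash, and the start of the hash shows which scheme htpasswd used. The shell function below is an added example, not part of the original tutorial: it lists each user with its scheme and returns non-zero for the schemes Apache's documentation describes as insecure (unsalted SHA-1, crypt() and plaintext). The function names and the sample entries are assumptions made for the example; the entries are constructed placeholders, not real hashes.

```shell
#!/bin/sh
# Added example (not from the original tutorial): report the hash scheme of
# every entry in an htpasswd file and flag the ones that are weak.

htpasswd_audit() {
    # $1 = path to an htpasswd file. Prints "user scheme" per entry.
    # Returns 1 if any entry uses a weak scheme, 0 otherwise.
    weak=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;          # skip blank lines and comments
        esac
        user=${line%%:*}                  # text before the first colon
        hash=${line#*:}                   # text after the first colon
        case $hash in
            '$2y$'*|'$2a$'*|'$2b$'*) scheme=bcrypt ;;
            '$apr1$'*)               scheme=apr1-md5 ;;
            '$5$'*|'$6$'*)           scheme=sha2-crypt ;;
            '{SHA}'*)                scheme=sha1-unsalted; weak=1 ;;
            *)
                # crypt() output is always 13 characters; anything else
                # is treated as plaintext or an unrecognised format.
                if [ "${#hash}" -eq 13 ]; then scheme=des-crypt
                else scheme=plaintext-or-unknown
                fi
                weak=1 ;;
        esac
        printf '%s %s\n' "$user" "$scheme"
    done < "$1"
    return "$weak"
}

# Constructed sample file: placeholder strings shaped like htpasswd entries.
make_sample() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
username:$apr1$SALTSALT$PLACEHOLDERPLACEHOLDER
admin:$2y$05$PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER
legacy:{SHA}PLACEHOLDERPLACEHOLDER=
old:abPLACEHOLDER
EOF
    printf '%s\n' "$f"
}

sample=$(make_sample)
htpasswd_audit "$sample" || echo "weak entries found: re-create them with htpasswd -B"
rm -f "$sample"
```

To check the real file, call htpasswd_audit /etc/apache2/.phpmyadmin.htpasswd with sudo or as a user that can read it.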

Try it for yourself at:

https://mysuperweb.co.uk/phpmyadmin