One place for hosting & domains


      How To Install and Secure Grafana on Ubuntu 20.04

      Not using Ubuntu 20.04?

      Choose a different version or distribution.

      The author selected the COVID-19 Relief Fund to receive a donation as part of the Write for DOnations program.


      Grafana is an open-source data visualization and monitoring tool that integrates with complex data from sources like Prometheus, InfluxDB, Graphite, and ElasticSearch. Grafana lets you create alerts, notifications, and ad-hoc filters for your data while also making collaboration with your teammates easier through built-in sharing features.

      In this tutorial, you will install Grafana and secure it with an SSL certificate and an Nginx reverse proxy. Once you have set up Grafana, you’ll have the option to configure user authentication through GitHub, allowing you to better organize your team permissions.


      To follow this tutorial, you will need:

      Step 1 — Installing Grafana

      In this first step, you will install Grafana onto your Ubuntu 20.04 server. You can install Grafana either by downloading it directly from its official website or by going through an APT repository. Because an APT repository makes it easier to install and manage Grafana’s updates, you’ll use that method in this tutorial.

      Download the Grafana GPG key with wget, then pipe the output to apt-key. This will add the key to your APT installation’s list of trusted keys, which will allow you to download and verify the GPG-signed Grafana package:

      • wget -q -O - | sudo apt-key add -

      In this command, the option -q turns off the status update message for wget, and -O outputs the file that you downloaded to the terminal. These two options ensure that only the contents of the downloaded file are pipelined to apt-key.

      Next, add the Grafana repository to your APT sources:

      • sudo add-apt-repository "deb stable main"

      Refresh your APT cache to update your package lists:

      You can now proceed with the installation:

      Once Grafana is installed, use systemctl to start the Grafana server:

      • sudo systemctl start grafana-server

      Next, verify that Grafana is running by checking the service’s status:

      • sudo systemctl status grafana-server

      You will receive output similar to this:


      ● grafana-server.service - Grafana instance Loaded: loaded (/lib/systemd/system/grafana-server.service; disabled; vendor preset: enabled) Active: active (running) since Thu 2020-05-21 08:08:10 UTC; 4s ago Docs: Main PID: 15982 (grafana-server) Tasks: 7 (limit: 1137) ...

      This output contains information about Grafana’s process, including its status, Main Process Identifier (PID), and more. active (running) shows that the process is running correctly.

      Lastly, enable the service to automatically start Grafana on boot:

      • sudo systemctl enable grafana-server

      You will receive the following output:


      Synchronizing state of grafana-server.service with SysV service script with /lib/systemd/systemd-sysv-install. Executing: /lib/systemd/systemd-sysv-install enable grafana-server Created symlink /etc/systemd/system/ → /usr/lib/systemd/system/grafana-server.service.

      This confirms that systemd has created the necessary symbolic links to autostart Grafana.

      Grafana is now installed and ready for use. Next, you wil secure your connection to Grafana with a reverse proxy and SSL certificate.

      Step 2 — Setting Up the Reverse Proxy

      Using an SSL certificate will ensure that your data is secure by encrypting the connection to and from Grafana. But, to make use of this connection, you’ll first need to reconfigure Nginx as a reverse proxy for Grafana.

      Open the Nginx configuration file you created when you set up the Nginx server block with Let’s Encrypt in the Prerequisites. You can use any text editor, but for this tutorial we’ll use nano:

      • sudo nano /etc/nginx/sites-available/your_domain

      Locate the following block:


          location / {
              try_files $uri $uri/ =404;

      Because you already configured Nginx to communicate over SSL and because all web traffic to your server already passes through Nginx, you just need to tell Nginx to forward all requests to Grafana, which runs on port 3000 by default.

      Delete the existing try_files line in this location block and replace it with the following proxy_pass option:


          location / {
              proxy_pass http://localhost:3000;

      This will map the proxy to the appropriate port. Once you’re done, save and close the file by pressing CTRL+X, Y, and then ENTER if you’re using nano.

      Now, test the new settings to make sure everything is configured correctly:

      You will receive the following output:


      nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful

      Finally, activate the changes by reloading Nginx:

      • sudo systemctl reload nginx

      You can now access the default Grafana login screen by pointing your web browser to https://your_domain. If you’re unable to reach Grafana, verify that your firewall is set to allow traffic on port 443 and then re-trace the previous instructions.

      With the connection to Grafana encrypted, you can now implement additional security measures, starting with changing Grafana’s default administrative credentials.

      Step 3 — Updating Credentials

      Because every Grafana installation uses the same administrative credentials by default, it is a best practice to change your login information as soon as possible. In this step, you’ll update the credentials to improve security.

      Start by navigating to https://your_domain from your web browser. This will bring up the default login screen where you’ll see the Grafana logo, a form asking you to enter an Email or username and Password, a Log in button, and a Forgot your password? link.

      Grafana Login

      Enter admin into both the Email or username and Password fields and then click on the Log in button.

      On the next screen, you’ll be asked to make your account more secure by changing the default password:

      Change Password

      Enter the password you’d like to start using into the New password and Confirm new password fields.

      From here, you can click Submit to save the new information or press Skip to skip this step. If you skip, you will be prompted to change the password next time you log in.

      In order to increase the security of your Grafana setup, click Submit. You’ll go to the Welcome to Grafana dashboard:

      Home Dashboard

      You’ve now secured your account by changing the default credentials. Next, you will make changes to your Grafana configuration so that nobody can create a new Grafana account without your permission.

      Step 4 — Disabling Grafana Registrations and Anonymous Access

      Grafana provides options that allow visitors to create user accounts for themselves and preview dashboards without registering. When Grafana isn’t accessible via the internet or when it’s working with publicly available data like service statuses, you may want to allow these features. However, when using Grafana online to work with sensitive data, anonymous access could be a security problem. To fix this problem, make some changes to your Grafana configuration.

      Start by opening Grafana’s main configuration file for editing:

      • sudo nano /etc/grafana/grafana.ini

      Locate the following allow_sign_up directive under the [users] heading:


      # disable user signup / registration
      ;allow_sign_up = true

      Enabling this directive with true adds a Sign Up button to the login screen, allowing users to register themselves and access Grafana.

      Disabling this directive with false removes the Sign Up button and strengthens Grafana’s security and privacy.

      Uncomment this directive by removing the ; at the beginning of the line and then setting the option to false:


      # disable user signup / registration
      allow_sign_up = false

      Next, locate the following enabled directive under the [auth.anonymous] heading:


      # enable anonymous access
      ;enabled = false

      Setting enabled to true gives non-registered users access to your dashboards; setting this option to false limits dashboard access to registered users only.

      Uncomment this directive by removing the ; at the beginning of the line and then setting the option to false.


      # enable anonymous access
      enabled = false

      Save the file and exit your text editor.

      To activate the changes, restart Grafana:

      • sudo systemctl restart grafana-server

      Verify that everything is working by checking Grafana’s service status:

      • sudo systemctl status grafana-server

      Like before, the output will report that Grafana is active (running).

      Now, point your web browser to https://your_domain. To return to the Sign Up screen, bring your cursor to your avatar in the lower left of the screen and click on the Sign out option that appears.

      Once you have signed out, verify that there is no Sign Up button and that you can’t sign in without entering login credentials.

      At this point, Grafana is fully configured and ready for use. Next, you can simplify the login process for your organization by authenticating through GitHub.

      (Optional) Step 5 — Setting Up a GitHub OAuth App

      For an alternative approach to signing in, you can configure Grafana to authenticate through GitHub, which provides login access to all members of authorized GitHub organizations. This can be particularly useful when you want to allow multiple developers to collaborate and access metrics without having to create Grafana-specific credentials.

      Start by logging in to a GitHub account associated with your organization and then navigate to your GitHub profile page at

      Switch settings context by clicking on your name on the left side of the screen then selecting your organization in the dropdown menu. This will switch context from Personal settings to Organization settings.

      On the next screen, you’ll see your Organization profile where you can change settings like your Organization display name, organization Email, and organization URL.

      Because Grafana uses OAuth—an open standard for granting remote third parties access to local resources—to authenticate users through GitHub, you’ll need to create a new OAuth application within GitHub.

      Click the OAuth Apps link under Developer settings on the lower left-hand side of the screen.

      If you don’t already have any OAuth applications associated with your organization on GitHub, you’ll be told there are No Organization Owned Applications. Otherwise, you’ll see a list of the OAuth applications already connected to your account.

      Click the New OAuth App button to continue.

      On the next screen, fill in the following details about your Grafana installation:

      • Application name – This helps you distinguish your different OAuth applications from one another.
      • Homepage URL – This tells GitHub where to find Grafana. Type https://your_domain into this field, replacing your_domain with your domain.
      • Application Description – This provides a description of your OAuth application’s purpose.
      • Application callback URL – This is the address where users will be sent once successfully authenticated. For Grafana, this field must be set to https://your_domain/login/github.

      Keep in mind that Grafana users logging in through GitHub will see the values you entered in the first three preceding fields, so be sure to enter something meaningful and appropriate.

      When completed, the form will look something like:

      GitHub Register OAuth Application

      Click the green Register application button.

      You will now be redirected to a page containing the Client ID and Client Secret associated with your new OAuth application. Make note of both values, because you will need to add them to Grafana’s main configuration file to complete the setup.

      Warning: Make sure to keep your Client ID and Client Secret in a secure and non-public location, because they could be used as the basis of an attack.

      With your GitHub OAuth application created, you’re now ready to reconfigure Grafana to use GitHub for authentication.

      (Optional) Step 6 — Configuring Grafana as a GitHub OAuth App

      To complete GitHub authentication for your Grafana setup, you will now make some changes to your Grafana configuration files.

      To begin, open the main Grafana configuration file.

      • sudo nano /etc/grafana/grafana.ini

      Locate the [auth.github] heading, and uncomment this section by removing the ; at the beginning of every line except ;allowed_domains = and ;team_ids =, which will not be changed in this tutorial.

      Next, make the following changes:

      • Set enabled and allow_sign_up to true. This will enable GitHub Authentication and permit members of the allowed organization to create accounts themselves. Note that this setting is different from the allow_sign_up property under [users] that you changed in Step 4.
      • Set client_id and client_secret to the values you got while creating your GitHub OAuth application.
      • Set allowed_organizations to the name of your organization to ensure that only members of your organization can sign up and log in to Grafana.

      The complete configuration will look like this:


      enabled = true
      allow_sign_up = true
      client_id = your_client_id_from_github
      client_secret = your_client_secret_from_github
      scopes = user:email,read:org
      auth_url =
      token_url =
      api_url =
      ;allowed_domains =
      ;team_ids =
      allowed_organizations = your_organization_name

      You’ve now told Grafana everything it needs to know about GitHub. To complete the setup, you’ll need to enable redirects behind a reverse proxy. This is done by setting a root_url value under the [server] heading.


      root_url = https://your_domain

      Save your configuration and close the file.

      Then, restart Grafana to activate the changes:

      • sudo systemctl restart grafana-server

      Lastly, verify that the service is up and running.

      • sudo systemctl status grafana-server

      The output will indicate that the service is active (running).

      Now, test your new authentication system by navigating to https://your_domain. If you are already logged in to Grafana, hover your mouse over the avatar log in the lower left-hand corner of the screen, and click on Sign out in the secondary menu that appears next to your name.

      On the login page, you’ll see a new section under the original Log in button that includes a Sign in with GitHub button with the GitHub logo.

      Grafana Login page with GitHub

      Click on the Sign in with GitHub button to be redirected to GitHub, where you’ll sign in to your GitHub account and confirm your intention to Authorize Grafana.

      Click the green Authorize your_github_organization button.

      Note: Make sure your GitHub account is a member of your approved organization and your Grafana email address matches your GitHub email address. If you try to authenticate with a GitHub account that isn’t a member of your approved organization, you’ll get a Login Failed message telling you User not a member of one of the required organizations.

      You will now be logged in with your existing Grafana account. If a Grafana account doesn’t already exist for the user you logged in as, Grafana will create a new user account with Viewer permissions, ensuring that new users can only use existing dashboards.

      To change the default permissions for new users, open the main Grafana configuration file for editing.

      • sudo nano /etc/grafana/grafana.ini

      Locate the auto_assign_org_role directive under the [users] heading, and uncomment the setting by removing the ; at the beginning of the line.

      Set the directive to one of the following values:

      • Viewer — can only use existing dashboards
      • Editor — can use, modify, and add dashboards
      • Admin — has permission to do everything

      This tutorial will set the auto-assign to Viewer:


      auto_assign_org_role = Viewer

      Once you’ve saved your changes, close the file and restart Grafana:

      • sudo systemctl restart grafana-server

      Check the service’s status:

      • sudo systemctl status grafana-server

      Like before, the status will read active (running).

      At this point, you have fully configured Grafana to allow members of your GitHub organization to register and use your Grafana installation.


      In this tutorial you installed, configured, and secured Grafana, and you also learned how to permit members of your organization to authenticate through GitHub.

      To extend your current Grafana installation, see the list of official and community-built dashboards and plugins. To learn more about using Grafana in general, see the official Grafana documentation, or check out our other monitoring tutorials.

      Source link

      How To Secure Nginx with Let’s Encrypt on Ubuntu 20.04

      Not using Ubuntu 20.04?

      Choose a different version or distribution.


      Let’s Encrypt is a Certificate Authority (CA) that provides an easy way to obtain and install free TLS/SSL certificates, thereby enabling encrypted HTTPS on web servers. It simplifies the process by providing a software client, Certbot, that attempts to automate most (if not all) of the required steps. Currently, the entire process of obtaining and installing a certificate is fully automated on both Apache and Nginx.

      In this tutorial, you will use Certbot to obtain a free SSL certificate for Nginx on Ubuntu 20.04 and set up your certificate to renew automatically.

      This tutorial will use a separate Nginx server configuration file instead of the default file. We recommend creating new Nginx server block files for each domain because it helps to avoid common mistakes and maintains the default files as a fallback configuration.


      To follow this tutorial, you will need:

      • One Ubuntu 20.04 server set up by following this initial server setup for Ubuntu 20.04 tutorial, including a sudo-enabled non-root user and a firewall.

      • A registered domain name. This tutorial will use throughout. You can purchase a domain name from Namecheap, get one for free with Freenom, or use the domain registrar of your choice.

      • Both of the following DNS records set up for your server. If you are using DigitalOcean, please see our DNS documentation for details on how to add them.

        • An A record with pointing to your server’s public IP address.
        • An A record with pointing to your server’s public IP address.
      • Nginx installed by following How To Install Nginx on Ubuntu 20.04. Be sure that you have a server block for your domain. This tutorial will use /etc/nginx/sites-available/ as an example.

      Step 1 — Installing Certbot

      The first step to using Let’s Encrypt to obtain an SSL certificate is to install the Certbot software on your server.

      Install Certbot and it’s Nginx plugin with apt:

      • sudo apt install certbot python3-certbot-nginx

      Certbot is now ready to use, but in order for it to automatically configure SSL for Nginx, we need to verify some of Nginx’s configuration.

      Step 2 — Confirming Nginx’s Configuration

      Certbot needs to be able to find the correct server block in your Nginx configuration for it to be able to automatically configure SSL. Specifically, it does this by looking for a server_name directive that matches the domain you request a certificate for.

      If you followed the server block set up step in the Nginx installation tutorial, you should have a server block for your domain at /etc/nginx/sites-available/ with the server_name directive already set appropriately.

      To check, open the configuration file for your domain using nano or your favorite text editor:

      • sudo nano /etc/nginx/sites-available/

      Find the existing server_name line. It should look like this:



      If it does, exit your editor and move on to the next step.

      If it doesn’t, update it to match. Then save the file, quit your editor, and verify the syntax of your configuration edits:

      If you get an error, reopen the server block file and check for any typos or missing characters. Once your configuration file’s syntax is correct, reload Nginx to load the new configuration:

      • sudo systemctl reload nginx

      Certbot can now find the correct server block and update it automatically.

      Next, let’s update the firewall to allow HTTPS traffic.

      Step 3 — Allowing HTTPS Through the Firewall

      If you have the ufw firewall enabled, as recommended by the prerequisite guides, you’ll need to adjust the settings to allow for HTTPS traffic. Luckily, Nginx registers a few profiles with ufw upon installation.

      You can see the current setting by typing:

      It will probably look like this, meaning that only HTTP traffic is allowed to the web server:


      Status: active To Action From -- ------ ---- OpenSSH ALLOW Anywhere Nginx HTTP ALLOW Anywhere OpenSSH (v6) ALLOW Anywhere (v6) Nginx HTTP (v6) ALLOW Anywhere (v6)

      To additionally let in HTTPS traffic, allow the Nginx Full profile and delete the redundant Nginx HTTP profile allowance:

      • sudo ufw allow 'Nginx Full'
      • sudo ufw delete allow 'Nginx HTTP'

      Your status should now look like this:


      Status: active To Action From -- ------ ---- OpenSSH ALLOW Anywhere Nginx Full ALLOW Anywhere OpenSSH (v6) ALLOW Anywhere (v6) Nginx Full (v6) ALLOW Anywhere (v6)

      Next, let’s run Certbot and fetch our certificates.

      Step 4 — Obtaining an SSL Certificate

      Certbot provides a variety of ways to obtain SSL certificates through plugins. The Nginx plugin will take care of reconfiguring Nginx and reloading the config whenever necessary. To use this plugin, type the following:

      • sudo certbot --nginx -d -d

      This runs certbot with the --nginx plugin, using -d to specify the domain names we’d like the certificate to be valid for.

      If this is your first time running certbot, you will be prompted to enter an email address and agree to the terms of service. After doing so, certbot will communicate with the Let’s Encrypt server, then run a challenge to verify that you control the domain you’re requesting a certificate for.

      If that’s successful, certbot will ask how you’d like to configure your HTTPS settings.


      Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1: No redirect - Make no further changes to the webserver configuration. 2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

      Select your choice then hit ENTER. The configuration will be updated, and Nginx will reload to pick up the new settings. certbot will wrap up with a message telling you the process was successful and where your certificates are stored:


      IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/ Your key file has been saved at: /etc/letsencrypt/live/ Your cert will expire on 2020-08-18. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew *all* of your certificates, run "certbot renew" - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: Donating to EFF:

      Your certificates are downloaded, installed, and loaded. Try reloading your website using https:// and notice your browser’s security indicator. It should indicate that the site is properly secured, usually with a lock icon. If you test your server using the SSL Labs Server Test, it will get an A grade.

      Let’s finish by testing the renewal process.

      Step 5 — Verifying Certbot Auto-Renewal

      Let’s Encrypt’s certificates are only valid for ninety days. This is to encourage users to automate their certificate renewal process. The certbot package we installed takes care of this for us by adding a systemd timer that will run twice a day and automatically renew any certificate that’s within thirty days of expiration.

      You can query the status of the timer with systemctl:

      • sudo systemctl status certbot.timer


      ● certbot.timer - Run certbot twice daily Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled) Active: active (waiting) since Mon 2020-05-04 20:04:36 UTC; 2 weeks 1 days ago Trigger: Thu 2020-05-21 05:22:32 UTC; 9h left Triggers: ● certbot.service

      To test the renewal process, you can do a dry run with certbot:

      • sudo certbot renew --dry-run

      If you see no errors, you’re all set. When necessary, Certbot will renew your certificates and reload Nginx to pick up the changes. If the automated renewal process ever fails, Let’s Encrypt will send a message to the email you specified, warning you when your certificate is about to expire.


      In this tutorial, you installed the Let’s Encrypt client certbot, downloaded SSL certificates for your domain, configured Nginx to use these certificates, and set up automatic certificate renewal. If you have further questions about using Certbot, the official documentation is a good place to start.

      Source link

      How To Install and Secure phpMyAdmin on Ubuntu 20.04

      An earlier version of this tutorial was written by Brennan Bearnes.


      While many users need the functionality of a database management system like MySQL, they may not feel comfortable interacting with the system solely from the MySQL prompt.

      phpMyAdmin was created so that users can interact with MySQL through a web interface. In this guide, we’ll discuss how to install and secure phpMyAdmin so that you can safely use it to manage your databases on an Ubuntu 20.04 system.


      In order to complete this guide, you will need:

      Additionally, there are important security considerations when using software like phpMyAdmin, since it:

      • Communicates directly with your MySQL installation
      • Handles authentication using MySQL credentials
      • Executes and returns results for arbitrary SQL queries

      For these reasons, and because it is a widely-deployed PHP application which is frequently targeted for attack, you should never run phpMyAdmin on remote systems over a plain HTTP connection.

      If you do not have an existing domain configured with an SSL/TLS certificate, you can follow this guide on securing Apache with Let’s Encrypt on Ubuntu 20.04. This will require you to register a domain name, create DNS records for your server, and set up an Apache Virtual Host.

      Step 1 — Installing phpMyAdmin

      You can use APT to install phpMyAdmin from the default Ubuntu repositories.

      As your non-root sudo user, update your server’s package index:

      Following that you can install the phpmyadmin package. Along with this package, the official documentation also recommends that you install a few PHP extensions onto your server to enable certain functionalities and improve performance.

      If you followed the prerequisite LAMP stack tutorial, several of these modules will have been installed along with the php package. However, it’s recommended that you also install these packages:

      • php-mbstring: A module for managing non-ASCII strings and convert strings to different encodings
      • php-zip: This extension supports uploading .zip files to phpMyAdmin
      • php-gd: Enables support for the GD Graphics Library
      • php-json: Provides PHP with support for JSON serialization
      • php-curl: Allows PHP to interact with different kinds of servers using different protocols

      Run the following command to install these packages onto your system. Please note, though, that the installation process requires you to make some choices to configure phpMyAdmin correctly. We’ll walk through these options shortly:

      • sudo apt install phpmyadmin php-mbstring php-zip php-gd php-json php-curl

      Here are the options you should choose when prompted in order to configure your installation correctly:

      • For the server selection, choose apache2

        Warning: When the prompt appears, “apache2” is highlighted, but not selected. If you do not hit SPACE to select Apache, the installer will not move the necessary files during installation. Hit SPACE, TAB, and then ENTER to select Apache.
      • Select Yes when asked whether to use dbconfig-common to set up the database
      • You will then be asked to choose and confirm a MySQL application password for phpMyAdmin

      Note: Assuming you installed MySQL by following Step 2 of the prerequisite LAMP stack tutorial, you may have decided to enable the Validate Password plugin. As of this writing, enabling this component will trigger an error when you attempt to set a password for the phpmyadmin user:

      phpMyAdmin password validation error

      To resolve this, select the abort option to stop the installation process. Then, open up your MySQL prompt:

      Or, if you enabled password authentication for the root MySQL user, run this command and then enter your password when prompted:

      From the prompt, run the following command to disable the Validate Password component. Note that this won’t actually uninstall it, but just stop the component from being loaded on your MySQL server:

      • UNINSTALL COMPONENT "file://component_validate_password";

      Following that, you can close the MySQL client:

      Then try installing the phpmyadmin package again and it will work as expected:

      • sudo apt install phpmyadmin

      Once phpMyAdmin is installed, you can open the MySQL prompt once again with sudo mysql or mysql -u root -p and then run the following command to re-enable the Validate Password component:

      • INSTALL COMPONENT "file://component_validate_password";

      The installation process adds the phpMyAdmin Apache configuration file into the /etc/apache2/conf-enabled/ directory, where it is read automatically. To finish configuring Apache and PHP to work with phpMyAdmin, the only remaining task in this section of the tutorial is to is explicitly enable the mbstring PHP extension, which you can do by typing:

      Afterwards, restart Apache for your changes to be recognized:

      • sudo systemctl restart apache2

      phpMyAdmin is now installed and configured to work with Apache. However, before you can log in and begin interacting with your MySQL databases, you will need to ensure that your MySQL users have the privileges required for interacting with the program.

      Step 2 — Adjusting User Authentication and Privileges

      When you installed phpMyAdmin onto your server, it automatically created a database user called phpmyadmin which performs certain underlying processes for the program. Rather than logging in as this user with the administrative password you set during installation, it’s recommended that you log in as either your root MySQL user or as a user dedicated to managing databases through the phpMyAdmin interface.

      Configuring Password Access for the MySQL Root Account

      In Ubuntu systems running MySQL 5.7 (and later versions), the root MySQL user is set to authenticate using the auth_socket plugin by default rather than with a password. This allows for some greater security and usability in many cases, but it can also complicate things when you need to allow an external program — like phpMyAdmin — to access the user.

      In order to log in to phpMyAdmin as your root MySQL user, you will need to switch its authentication method from auth_socket to one that makes use of a password, if you haven’t already done so. To do this, open up the MySQL prompt from your terminal:

      Next, check which authentication method each of your MySQL user accounts use with the following command:

      • SELECT user,authentication_string,plugin,host FROM mysql.user;


      +------------------+-------------------------------------------+-----------------------+-----------+ | user | authentication_string | plugin | host | +------------------+-------------------------------------------+-----------------------+-----------+ | root | | auth_socket | localhost | | mysql.session | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | caching_sha2_password | localhost | | mysql.sys | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | caching_sha2_password | localhost | | debian-sys-maint | *8486437DE5F65ADC4A4B001CA591363B64746D4C | caching_sha2_password | localhost | | phpmyadmin | *5FD2B7524254B7F81B32873B1EA6D681503A5CA9 | caching_sha2_password | localhost | +------------------+-------------------------------------------+-----------------------+-----------+ 5 rows in set (0.00 sec)

      In this example, you can see that the root user does in fact authenticate using the auth_socket plugin. To configure the root account to authenticate with a password, run the following ALTER USER command. Be sure to change password to a strong password of your choosing:

      • ALTER USER 'root'@'localhost' IDENTIFIED WITH caching_sha2_password BY 'password';

      Note: The previous ALTER USER statement sets the root MySQL user to authenticate with the caching_sha2_password plugin. Per the official MySQL documentation, caching_sha2_password is MySQL’s preferred authentication plugin, as it provides more secure password encryption than the older, but still widely used, mysql_native_password.

      However, some versions of PHP don’t work reliably with caching_sha2_password. PHP has reported that this issue was fixed as of PHP 7.4, but if you encounter an error when trying to log in to phpMyAdmin later on, you may want to set root to authenticate with mysql_native_password instead:

      • ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'password';

      Then, check the authentication methods employed by each of your users again to confirm that root no longer authenticates using the auth_socket plugin:

      • SELECT user,authentication_string,plugin,host FROM mysql.user;


      +------------------+-------------------------------------------+-----------------------+-----------+ | user | authentication_string | plugin | host | +------------------+-------------------------------------------+-----------------------+-----------+ | root | *DE06E242B88EFB1FE4B5083587C260BACB2A6158 | caching_sha2_password | localhost | | mysql.session | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | caching_sha2_password | localhost | | mysql.sys | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | caching_sha2_password | localhost | | debian-sys-maint | *8486437DE5F65ADC4A4B001CA591363B64746D4C | caching_sha2_password | localhost | | phpmyadmin | *5FD2B7524254B7F81B32873B1EA6D681503A5CA9 | caching_sha2_password | localhost | +------------------+-------------------------------------------+-----------------------+-----------+ 5 rows in set (0.00 sec)

      You can see from this output that the root user will authenticate using a password. You can now log in to the phpMyAdmin interface as your root user with the password you’ve set for it here.

      Configuring Password Access for a Dedicated MySQL User

      Alternatively, some may find that it better suits their workflow to connect to phpMyAdmin with a dedicated user. To do this, open up the MySQL shell once again:

      If you have password authentication enabled for your root user, as described in the previous section, you will need to run the following command and enter your password when prompted in order to connect:

      From there, create a new user and give it a strong password:

      • CREATE USER 'sammy'@'localhost' IDENTIFIED WITH caching_sha2_password BY 'password';

      Note: Again, depending on what version of PHP you have installed, you may want to set your new user to authenticate with mysql_native_password instead of caching_sha2_password:

      • ALTER USER 'sammy'@'localhost' IDENTIFIED WITH mysql_native_password BY 'password';

      Then, grant your new user appropriate privileges. For example, you could grant the user privileges to all tables within the database, as well as the power to add, change, and remove user privileges, with this command:

      • GRANT ALL PRIVILEGES ON *.* TO 'sammy'@'localhost' WITH GRANT OPTION;

      Following that, exit the MySQL shell:

      You can now access the web interface by visiting your server’s domain name or public IP address followed by /phpmyadmin:


      phpMyAdmin login screen

      Log in to the interface, either as root or with the new username and password you just configured.

      When you log in, you’ll see the user interface, which will look something like this:

      phpMyAdmin user interface

      Now that you’re able to connect and interact with phpMyAdmin, all that’s left to do is harden your system’s security to protect it from attackers.

      Step 3 — Securing Your phpMyAdmin Instance

      Because of its ubiquity, phpMyAdmin is a popular target for attackers, and you should take extra care to prevent unauthorized access. One way of doing this is to place a gateway in front of the entire application by using Apache’s built-in .htaccess authentication and authorization functionalities.

      To do this, you must first enable the use of .htaccess file overrides by editing your phpMyAdmin installation’s Apache configuration file.

      Use your preferred text editor to edit the phpmyadmin.conf file that has been placed in your Apache configuration directory. Here, we’ll use nano:

      • sudo nano /etc/apache2/conf-available/phpmyadmin.conf

      Add an AllowOverride All directive within the <Directory /usr/share/phpmyadmin> section of the configuration file, like this:


      <Directory /usr/share/phpmyadmin>
          Options FollowSymLinks
          DirectoryIndex index.php
          AllowOverride All
          . . .

      When you have added this line, save and close the file. If you used nano to edit the file, do so by pressing CTRL + X, Y, and then ENTER.

      To implement the changes you made, restart Apache:

      • sudo systemctl restart apache2

      Now that you have enabled the use of .htaccess files for your application, you need to create one to actually implement some security.

      In order for this to be successful, the file must be created within the application directory. You can create the necessary file and open it in your text editor with root privileges by typing:

      • sudo nano /usr/share/phpmyadmin/.htaccess

      Within this file, enter the following information:


      AuthType Basic
      AuthName "Restricted Files"
      AuthUserFile /etc/phpmyadmin/.htpasswd
      Require valid-user

      Here is what each of these lines mean:

      • AuthType Basic: This line specifies the authentication type that you are implementing. This type will implement password authentication using a password file.
      • AuthName: This sets the message for the authentication dialog box. You should keep this generic so that unauthorized users won’t gain any information about what is being protected.
      • AuthUserFile: This sets the location of the password file that will be used for authentication. This should be outside of the directories that are being served. We will create this file shortly.
      • Require valid-user: This specifies that only authenticated users should be given access to this resource. This is what actually stops unauthorized users from entering.

      When you are finished, save and close the file.

      The location that you selected for your password file was /etc/phpmyadmin/.htpasswd. You can now create this file and pass it an initial user with the htpasswd utility:

      • sudo htpasswd -c /etc/phpmyadmin/.htpasswd username

      You will be prompted to select and confirm a password for the user you are creating. Afterwards, the file is created with the hashed password that you entered.

      If you want to enter an additional user, you need to do so without the -c flag, like this:

      • sudo htpasswd /etc/phpmyadmin/.htpasswd additionaluser

      Now, when you access your phpMyAdmin subdirectory, you will be prompted for the additional account name and password that you just configured:


      phpMyAdmin apache password

      After entering the Apache authentication, you’ll be taken to the regular phpMyAdmin authentication page to enter your MySQL credentials. By adding an extra set of non-MySQL credentials, you’re providing your database with an additional layer of security. This is desirable, since phpMyAdmin has been vulnerable to security threats in the past.


      You should now have phpMyAdmin configured and ready to use on your Ubuntu 20.04 server. Using this interface, you can create databases, users, and tables, as well as perform the usual operations like deleting and modifying structures and data.

      Source link