This article explains how to install phpMyAdmin on your Nginx server from an Ubuntu PPA (Personal Package Archive) and how to self-sign an SSL certificate for added security. It assumes you are running Nginx and PHP-FPM.
The motivations for using this setup:
- No need to manually update phpMyAdmin
- Take advantage of SSL
The PPA ppa:vincent-c/ppa holds stable upstream versions of phpMyAdmin and seems to be updated fairly often.
Install the PPA and the phpMyAdmin package:
sudo add-apt-repository ppa:vincent-c/ppa
sudo apt-get update && sudo apt-get install phpmyadmin
Say yes when it asks whether to use dbconfig-common.
PHP-FPM creates a master process that forwards HTTP requests to one or more child processes. A PHP-FPM pool is a collection of related PHP child processes, and it’s not uncommon to have one such pool for each PHP application.
We’ll create a dedicated PHP-FPM pool and socket for phpMyAdmin. This pool will run as the user
First, create the user:
Then create a new PHP-FPM pool config file based on the default
pma.conf (I’m only showing the directives I’ve changed):
Notice the first line: Each pool configuration begins with
pma is the name of our new pool.
These settings are probably not recommended for your typical PHP website or app; the phpMyAdmin installation will not generate a lot of traffic, so it has been deliberately allocated a small amount of resources (see
sudo service php-fpm restart
Because I am the only one accessing phpMyAdmin, and my only concern is that the traffic is encrypted, I’ll use a self-signed certificate.
Create a self-signed SSL certificate:
sudo mkdir /etc/ssl/pma
The question that you must answer correctly is the “Common Name”. Use your domain name or Server IP Address for this field. I will use
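A non-interactive way to produce the key and certificate and to check the result, as an added example rather than the article's original commands. The file names pma.key and pma.crt, the RSA 2048 key and the 365-day validity are assumptions; the subjectAltName entry goes beyond the Common Name discussed above because current browsers match on it instead of the CN.

```bash
#!/usr/bin/env bash
# Added example, not the article's own commands. Needs OpenSSL 1.1.1+ (-addext).
# Assumed names: pma.key / pma.crt; RSA 2048 and 365 days are also assumptions.

# True when the argument looks like an IPv4/IPv6 address rather than a name.
is_ip() {
    case "$1" in
        *:*)        return 0 ;;   # IPv6 literal
        *[!0-9.]*)  return 1 ;;   # has letters or a hyphen: host name
        *)          return 0 ;;   # digits and dots only: IPv4
    esac
}

# make_pma_cert DIR HOST: write DIR/pma.key and DIR/pma.crt for HOST.
make_pma_cert() {
    local dir="$1" host="$2" san
    if is_ip "$host"; then san="IP:$host"; else san="DNS:$host"; fi
    mkdir -p "$dir" || return 1
    (
        umask 077   # the private key is created owner-readable only
        # -subj answers the "Common Name" prompt; -addext adds the
        # subjectAltName that current browsers check instead of the CN.
        openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 365 \
            -subj "/CN=$host" -addext "subjectAltName=$san" \
            -keyout "$dir/pma.key" -out "$dir/pma.crt"
    ) || return 1
    chmod 644 "$dir/pma.crt"    # the certificate itself is public
}

# cert_matches CRT HOST: exit 0 only if the certificate is valid for HOST.
cert_matches() {
    local opt=-checkhost
    if is_ip "$2"; then opt=-checkip; fi
    openssl x509 -in "$1" -noout "$opt" "$2" | grep -q 'does match certificate'
}

# cert_fingerprint CRT: SHA-256 fingerprint to compare against the one the
# browser shows on its self-signed-certificate warning before accepting it.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Usage (as root): bash make-pma-cert.sh /etc/ssl/pma pma.myserver.example.com
if [ "$#" -eq 2 ]; then
    make_pma_cert "$1" "$2" && cert_matches "$1/pma.crt" "$2" \
        && cert_fingerprint "$1/pma.crt"
fi
```

The script name make-pma-cert.sh in the usage comment is hypothetical. Recording the printed fingerprint gives you something to compare against when the browser asks you to trust the certificate.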
The next step is to create an Nginx server block (“Virtual Host”) for phpMyAdmin that responds to pma.myserver.example.com.
# Redirect non-SSL to SSL
- This file actually creates two server blocks: the first is for redirecting non-HTTPS traffic to HTTPS.
- The cipher list (ssl_ciphers) is taken from the Mozilla Wiki’s Security/Server Side TLS article. Their recommendation is subject to change.
- There are many more SSL options that are worth looking into.
Then enable the server block:
sudo ln -s /etc/nginx/sites-available/phpmyadmin.conf /etc/nginx/sites-enabled/phpmyadmin.conf
And reload Nginx’s configuration files:
sudo service nginx reload
phpMyAdmin’s configuration file is located at /etc/phpmyadmin/config.inc.php (this path is set in /usr/share/phpmyadmin/libraries/vendor_config.php).
However, some of the configuration files that are included by /etc/phpmyadmin/config.inc.php will not be readable if your PHP-FPM pool runs as a user other than www-data. This is because they’re owned by root:www-data. Fix this:
sudo chown root:pma /var/lib/phpmyadmin/config.inc.php
Force using HTTPS while accessing phpMyAdmin by adding the following to
$cfg['ForceSSL'] = true;
- When configuring your Nginx server, you should take a look at HTML5 Boilerplate’s Nginx Server Configs documentation. It provides some great tips and best practices.
- For SSL/TLS servers, you should test your configuration with SSL Labs’ SSL Server Test. Note that this test will fail if you use a self-signed certificate.
- Your phpMyAdmin installation should be protected with strong passwords. Ideally, you won’t need to expose it to the web.