Install LAMP phpMyAdmin and MariaDB into CentOS7
-
So this is a work in progress to setup a Syslog server for XenServer with a graphical interface to use and browse the logs. I'm getting tripped up at a specific point with getting access to the http://ip_addr/phpMyAdmin where I'm receiving an error "403 Forbidden".
Below is the stock configuation.
# phpMyAdmin - Web based MySQL browser written in php # # Allows only localhost by default # # But allowing phpMyAdmin to anyone other than localhost should be considered # dangerous unless properly secured by SSL Alias /phpMyAdmin /usr/share/phpMyAdmin Alias /phpmyadmin /usr/share/phpMyAdmin <Directory /usr/share/phpMyAdmin/> AddDefaultCharset UTF-8 <IfModule mod_authz_core.c> # Apache 2.4 <RequireAny> Require ip 127.0.0.1 Require ip ::1 </RequireAny> </IfModule> <IfModule !mod_authz_core.c> # Apache 2.2 Order Deny,Allow Deny from All Allow from 127.0.0.1 AllowOverride None Options None Require all granted </IfModule> </Directory> <Directory /usr/share/phpMyAdmin/setup/> <IfModule mod_authz_core.c> # Apache 2.4 <RequireAny> Require ip 127.0.0.1 Require ip ::1 </RequireAny> </IfModule> <IfModule !mod_authz_core.c> # Apache 2.2 Order Deny,Allow Deny from Ally Allow from 127.0.0.1 Allow from ::1 </IfModule> </Directory> # These directories do not require access over HTTP - taken from the original # phpMyAdmin upstream tarball # <Directory /usr/share/phpMyAdmin/libraries/> Order Deny,Allow Deny from All Allow from None </Directory> <Directory /usr/share/phpMyAdmin/setup/lib/> Order Deny,Allow Deny from All Allow from None </Directory> <Directory /usr/share/phpMyAdmin/setup/frames/> Order Deny,Allow Deny from All Allow from None </Directory> # This configuration prevents mod_security at phpMyAdmin directories from # filtering SQL etc. This may break your mod_security implementation. # #<IfModule mod_security.c> # <Directory /usr/share/phpMyAdmin/> # SecRuleInheritance Off # </Directory> #</IfModule>
-
This person has tried the same things I've tried...
-
The only computer allowed to access http://ip_addr/phpMyAdmin is the localhost.... you'd have to be running a web browser on the server to get access to that page. That's what all those 'Deny from All', 'Allow from 172.0.0.1', and 'Allow from ::1' are doing. Easiest thing to do is add an 'Allow from my_ip' to each section, assuming you have a fixed ip address on your workstation.
-
@travisdh1 said in Install LAMP phpMyAdmin and MariaDB into CentOS7:
The only computer allowed to access http://ip_addr/phpMyAdmin is the localhost.... you'd have to be running a web browser on the server to get access to that page. That's what all those 'Deny from All', 'Allow from 172.0.0.1', and 'Allow from ::1' are doing. Easiest thing to do is add an 'Allow from my_ip' to each section, assuming you have a fixed ip address on your workstation.
You could also keep it set as localhost and make an SSH tunnel to access the page. I do that with some of my servers that I don't want the web interface to be completely open.
-
When I put my IP address in the "allow from" fields replacing localhost the page completely fails to load.
-
I'm comfortable with the phpMyAdmin being accessible on the LAN. I have no issues with that.
But all of the documentation I'm able to find seems to not go this route. For security reasons I assume.
-
@DustinB3403 You're not getting a "You don't have permission to access this page." error now?
Since you don't mind it being available on the LAN, change all the 'Order Deny,Allow' to 'Order Allow,Deny' and each 'Deny from All' to 'Allow from All'.
I've never actually used a separate .conf file for phpmyadmin. You could probably make this work, but you'd need to configure proxy and reverse proxy to get that setup working correctly. It's like they went and locked it down to the point of being unusable.
-
Ok I got that resolved and now I'm signed in. Followed this here to get it going.
-
@DustinB3403 said in Install LAMP phpMyAdmin and MariaDB into CentOS7:
Ok I got that resolved and now I'm signed in. Followed this here to get it going.
Looks like a much better guide.
-
Forward progress!
-
phpMyAdmin is just another website, there isn't anything unique about it. Don't think of it as something special.
-
Stalled... it appears CentOS has some restrictions in place that don't allow the website to get updated.
So investigating this issue now..
-
@DustinB3403 At least that error tells you how to go fix things.
-
@travisdh1 said in Install LAMP phpMyAdmin and MariaDB into CentOS7:
@DustinB3403 At least that error tells you how to go fix things.
Kind of, I've set the permissions on the file in question, and no dice.
-
Remember if you have SELinux turned on you're going to need to change the type for all of those files.
-
@stacksofplates said in Install LAMP phpMyAdmin and MariaDB into CentOS7:
Remember if you have SELinux turned on you're going to need to change the type for all of those files.
selinux is on by default.
What do you mean "change the type for all of those files" ?
-
@DustinB3403 said in Install LAMP phpMyAdmin and MariaDB into CentOS7:
@travisdh1 said in Install LAMP phpMyAdmin and MariaDB into CentOS7:
@DustinB3403 At least that error tells you how to go fix things.
Kind of, I've set the permissions on the file in question, and no dice.
Either file permissions in the rest of the phpmyadmin folder, of selinux permissions problems. My first guess is normally selinux in these cases.
semanage fcontext -a -t httpd_sys_rw_content_t '/path/to/phpmyadmin(/.*)?'
-
@DustinB3403 said in Install LAMP phpMyAdmin and MariaDB into CentOS7:
@stacksofplates said in Install LAMP phpMyAdmin and MariaDB into CentOS7:
Remember if you have SELinux turned on you're going to need to change the type for all of those files.
selinux is on by default.
What do you mean "change the type for all of those files" ?
You have to change the SELinux context type for the files in apache directory. By default the context should be httpd_sys_rw_content_t.
If you do an ls -lZ on the directory all of the files are in it will show you the context type.
-
I ran this, and was able to get past the above error.
chcon -R -t httpd_sys_rw_content_t /var/www/html/
-
you can also do a
chcon -R --reference=/var/www/html <directory you need to change>but remember if you just use chcon it can be reversed with restorecon to the bad types. I usually use this as a quick test to make sure it works. Then I'll use semanage to permanently change the context.
-
Just turn of SELinux and make sure it all works before you change contexts.
setenforce 0then if it all works, change contexts and turn it back on and test.
-
I'm with Jared, turning SELinux off during testing and installation is fine. Just make sure it is there before you start using the box.
-
@scottalanmiller said in Install LAMP phpMyAdmin and MariaDB into CentOS7:
I'm with Jared, turning SELinux off during testing and installation is fine. Just make sure it is there before you start using the box.
And that is why I always say to use
setenforce 0, because it will not survive a reboot in case you forget.
-
@JaredBusch said in Install LAMP phpMyAdmin and MariaDB into CentOS7:
Just turn of SELinux and make sure it all works before you change contexts.
setenforce 0then if it all works, change contexts and turn it back on and test.
I got out of the habit of doing this because if the installer changes something in a diff directory that you didn't expect it can be a pain to troubleshoot. I've had that happen a couple times. But in this scenario it's all http files so I agree.
-
@JaredBusch said in Install LAMP phpMyAdmin and MariaDB into CentOS7:
@scottalanmiller said in Install LAMP phpMyAdmin and MariaDB into CentOS7:
I'm with Jared, turning SELinux off during testing and installation is fine. Just make sure it is there before you start using the box.
And that is why I always say to use
setenforce 0, because it will not survive a reboot in case you forget.Same here.
-
So I've used
sentenforce 0But now I'm getting stopped here
-
You put in the directory name, rather than the log file name.
-
Ah. maybe that is it (it auto fills).
One second, testing
-
So I touched a messages.log file into /var/log/syslog and gave it 666 access.
Still no love.
-
Same with "messages"
No love.
