How to Restrict phpMyAdmin Access to a Specific Virtual Host in Apache Configuration


2 views

When managing multiple virtual hosts with phpMyAdmin installed globally, we often need to restrict access to only one designated subdomain while blocking others. The default Apache configuration makes phpMyAdmin accessible across all virtual hosts sharing the same DocumentRoot.

The cleanest approach is modifying your Apache virtual host configurations. Here's how to implement it properly:


# For your general virtual hosts (one.domain.com, two.domain.com)

    ServerName one.domain.com
    DocumentRoot /var/www/one
    Alias /phpmyadmin /dev/null  # This effectively blocks access
    
        Require all denied
    


# For your phpMyAdmin dedicated virtual host

    ServerName onlyphpmyadmin.domain.com
    DocumentRoot /var/www/phpmyadmin
    
    Alias /phpmyadmin /usr/share/phpmyadmin
    
    
        Options FollowSymLinks
        DirectoryIndex index.php
        Require all granted
        
        
            php_admin_value open_basedir /usr/share/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/

If you prefer not to modify main Apache configs, create an .htaccess file in phpMyAdmin's root:


# /usr/share/phpmyadmin/.htaccess

    RewriteEngine On
    RewriteCond %{HTTP_HOST} !^onlyphpmyadmin\.domain\.com$ [NC]
    RewriteRule ^ - [F,L]

Combine host restriction with additional security measures:



    # IP restriction example
    Require ip 192.168.1.0/24
    
    # HTTP authentication example
    AuthType Basic
    AuthName "Restricted Access"
    AuthUserFile /etc/phpmyadmin/.htpasswd
    Require valid-user

After making changes, always test configuration syntax and reload Apache:


sudo apache2ctl configtest
sudo systemctl reload apache2
  • Ensure no conflicting Alias directives exist in main Apache config
  • Verify mod_rewrite is enabled if using .htaccess method
  • Check SELinux/AppArmor permissions if access issues persist

When working with multiple virtual hosts in Apache, you might want to restrict sensitive tools like phpMyAdmin to specific domains only. The default installation typically makes phpMyAdmin accessible from any configured virtual host, which poses security risks.

In your current configuration with three virtual hosts:

one.domain.com
two.domain.com
onlyphpmyadmin.domain.com

phpMyAdmin is accessible via all three domains, which isn't ideal for security. We want to limit access to only onlyphpmyadmin.domain.com.

Instead of using PHP checks, we can solve this at the Apache level with virtual host configurations. Here's how:

<VirtualHost *:80>
    ServerName one.domain.com
    DocumentRoot /var/www/one
    # Other configurations for one.domain.com
    
    <Directory "/usr/share/phpmyadmin">
        Require all denied
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerName two.domain.com
    DocumentRoot /var/www/two
    # Other configurations for two.domain.com
    
    <Directory "/usr/share/phpmyadmin">
        Require all denied
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerName onlyphpmyadmin.domain.com
    DocumentRoot /usr/share/phpmyadmin
    
    <Directory "/usr/share/phpmyadmin">
        Options FollowSymLinks
        DirectoryIndex index.php
        Require all granted
        
        <IfModule mod_php5.c>
            AddType application/x-httpd-php .php
            php_flag magic_quotes_gpc Off
            php_flag track_vars On
            php_flag register_globals Off
            php_admin_flag allow_url_fopen Off
            php_value include_path .
            php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp
            php_admin_value open_basedir /usr/share/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/
        </IfModule>
    </Directory>
    
    # Restrict access to setup and libraries
    <Directory "/usr/share/phpmyadmin/setup">
        Require all denied
    </Directory>
    
    <Directory "/usr/share/phpmyadmin/libraries">
        Require all denied
    </Directory>
</VirtualHost>

If you prefer keeping the phpMyAdmin configuration separate, you can use Location directives:

Alias /phpmyadmin /usr/share/phpmyadmin

<Location /phpmyadmin>
    Require host onlyphpmyadmin.domain.com
    Require ip 192.168.1.0/24  # Optional: allow from local network
    
    <IfModule mod_php5.c>
        # Your PHP configurations here
    </IfModule>
</Location>

After applying these changes:

  1. Restart Apache: sudo systemctl restart apache2
  2. Test access from all three domains
  3. Check error logs if any issues occur: tail -f /var/log/apache2/error.log

For enhanced security, consider:

  • Implementing HTTPS for the phpMyAdmin host
  • Setting up HTTP authentication
  • Restricting access by IP address
  • Regularly updating phpMyAdmin