An earlier version of this tutorial was written by Brennan Bearnes.

该教程的早期版本由Brennan Bearnes编写 。

介绍 (Introduction)

While many users need the functionality of a database management system like MySQL, they may not feel comfortable interacting with the system solely from the MySQL prompt.

尽管许多用户需要像MySQL这样的数据库管理系统的功能，但他们可能不满意仅从MySQL提示符与系统进行交互。

phpMyAdmin was created so that users can interact with MySQL through a web interface. In this guide, we’ll discuss how to install and secure phpMyAdmin so that you can safely use it to manage your databases on an Ubuntu 20.04 system.

创建了phpMyAdmin ，以便用户可以通过Web界面与MySQL进行交互。 在本指南中，我们将讨论如何安装和保护phpMyAdmin，以便您可以安全地使用它来管理Ubuntu 20.04系统上的数据库。

先决条件 (Prerequisites)

In order to complete this guide, you will need:

为了完成本指南，您将需要：

• An Ubuntu 20.04 server. This server should have a non-root user with administrative privileges and a firewall configured with ufw. To set this up, follow our initial server setup guide for Ubuntu 20.04.

  Ubuntu 20.04服务器。 该服务器应具有具有管理特权的非root用户，并应使用ufw配置防火墙。 要进行设置，请遵循我们针对Ubuntu 20.04的初始服务器设置指南 。

• A LAMP (Linux, Apache, MySQL, and PHP) stack installed on your Ubuntu 20.04 server. If this is not completed yet, you can follow this guide on installing a LAMP stack on Ubuntu 20.04.

  在Ubuntu 20.04服务器上安装的LAMP(Linux，Apache，MySQL和PHP)堆栈。 如果尚未完成，则可以按照本指南在Ubuntu 20.04上安装LAMP堆栈 。

Additionally, there are important security considerations when using software like phpMyAdmin, since it:

此外，使用phpMyAdmin之类的软件时，还有一些重要的安全注意事项，因为它：

• Communicates directly with your MySQL installation
  与您MySQL安装直接通信
• Handles authentication using MySQL credentials
  使用MySQL凭证处理身份验证
• Executes and returns results for arbitrary SQL queries
  执行并返回任意SQL查询的结果

For these reasons, and because it is a widely-deployed PHP application which is frequently targeted for attack, you should never run phpMyAdmin on remote systems over a plain HTTP connection.

由于这些原因，并且由于它是经常被攻击的广泛使用PHP应用程序，因此您永远不要通过纯HTTP连接在远程系统上运行phpMyAdmin。

If you do not have an existing domain configured with an SSL/TLS certificate, you can follow this guide on securing Apache with Let’s Encrypt on Ubuntu 20.04. This will require you to register a domain name, create DNS records for your server, and set up an Apache Virtual Host.

如果您没有使用SSL / TLS证书配置的现有域，则可以按照本指南在Ubuntu 20.04上使用Let's Encrypt来保护Apache 。 这将要求您注册一个域名 ， 为您的服务器创建DNS记录 ，并设置一个Apache虚拟主机 。

第1步-安装phpMyAdmin (Step 1 — Installing phpMyAdmin)

You can use APT to install phpMyAdmin from the default Ubuntu repositories.

您可以使用APT从默认的Ubuntu存储库安装phpMyAdmin。

As your non-root sudo user, update your server’s package index:

作为您的非root用户sudo用户，更新服务器的软件包索引：

Following that you can install the phpmyadmin package. Along with this package, the official documentation also recommends that you install a few PHP extensions onto your server to enable certain functionalities and improve performance.

接下来，您可以安装phpmyadmin软件包。 与此软件包一起， 官方文档还建议您在服务器上安装一些PHP扩展，以启用某些功能并提高性能。

If you followed the prerequisite LAMP stack tutorial, several of these modules will have been installed along with the php package. However, it’s recommended that you also install these packages:

如果您遵循了前提条件LAMP堆栈教程 ，那么其中的一些模块将与php软件包一起安装。 但是，建议您还安装以下软件包：

• php-mbstring: A module for managing non-ASCII strings and convert strings to different encodings

  php-mbstring ：用于管理非ASCII字符串并将字符串转换为不同编码的模块

• php-zip: This extension supports uploading .zip files to phpMyAdmin

  php-zip ：此扩展支持将.zip文件上传到phpMyAdmin

• php-gd: Enables support for the GD Graphics Library

  php-gd ：启用对GD图形库的支持

• php-json: Provides PHP with support for JSON serialization

  php-json ：为PHP提供对JSON序列化的支持

• php-curl: Allows PHP to interact with different kinds of servers using different protocols

  php-curl ：允许PHP使用不同的协议与不同类型的服务器进行交互

Run the following command to install these packages onto your system. Please note, though, that the installation process requires you to make some choices to configure phpMyAdmin correctly. We’ll walk through these options shortly:

运行以下命令以将这些软件包安装到系统上。 但是请注意，安装过程要求您做出一些选择以正确配置phpMyAdmin。 我们将很快介绍这些选项：

Here are the options you should choose when prompted in order to configure your installation correctly:

这些是当系统提示您时应该选择的选项，以便正确配置安装：

• For the server selection, choose apache2 Warning: When the prompt appears, “apache2” is highlighted, but not selected. If you do not hit SPACE to select Apache, the installer will not move the necessary files during installation. Hit SPACE, TAB, and then ENTER to select Apache.

  对于服务器的选择，选择apache2 警告：出现提示时，“Apache2的”突出显示，但未被选中。 如果未按SPACE键选择Apache，则安装程序将在安装过程中不移动必要的文件。 点击SPACE ， TAB ，然后按ENTER选择Apache。

• Select Yes when asked whether to use dbconfig-common to set up the database

  当询问是否使用dbconfig-common设置数据库时，选择“ Yes

• You will then be asked to choose and confirm a MySQL application password for phpMyAdmin
  然后将要求您选择并确认phpMyAdminMySQL应用程序密码。

Note: Assuming you installed MySQL by following Step 2 of the prerequisite LAMP stack tutorial, you may have decided to enable the Validate Password plugin. As of this writing, enabling this component will trigger an error when you attempt to set a password for the phpmyadmin user:

注意 ：假设您已按照前提条件LAMP堆栈教程的步骤2安装了MySQL，则可能已决定启用Validate Password插件。 在撰写本文时，启用此组件将在您尝试为phpmyadmin用户设置密码时触发错误：

To resolve this, select the abort option to stop the installation process. Then, open up your MySQL prompt:

要解决此问题，请选择中止选项以停止安装过程。 然后，打开您MySQL提示符：

Or, if you enabled password authentication for the root MySQL user, run this command and then enter your password when prompted:

或者，如果您为MySQL 根用户启用了密码身份验证，请运行以下命令，然后在出现提示时输入密码：

From the prompt, run the following command to disable the Validate Password component. Note that this won’t actually uninstall it, but just stop the component from being loaded on your MySQL server:

在提示符下，运行以下命令以禁用“验证密码”组件。 请注意，这实际上不会将其卸载，而只是停止将该组件加载到您MySQL服务器上：

Following that, you can close the MySQL client:

然后，您可以关闭MySQL客户端：

Then try installing the phpmyadmin package again and it will work as expected:

然后尝试再次安装phpmyadmin软件包，它将按预期工作：

Once phpMyAdmin is installed, you can open the MySQL prompt once again with sudo mysql or mysql -u root -p and then run the following command to re-enable the Validate Password component:

安装phpMyAdmin后，您可以使用sudo mysql或mysql -u root -p再次打开MySQL提示符，然后运行以下命令以重新启用Validate Password组件：

The installation process adds the phpMyAdmin Apache configuration file into the /etc/apache2/conf-enabled/ directory, where it is read automatically. To finish configuring Apache and PHP to work with phpMyAdmin, the only remaining task in this section of the tutorial is to is explicitly enable the mbstring PHP extension, which you can do by typing:

安装过程将phpMyAdmin Apache配置文件添加到/etc/apache2/conf-enabled/目录中，在该目录中将自动读取该文件。 要完成配置Apache和PHP以使其与phpMyAdmin一起使用，本教程本节中剩下的唯一任务是显式启用mbstring PHP扩展，您可以通过键入以下内容进行操作：

Afterwards, restart Apache for your changes to be recognized:

之后，重新启动Apache以使您的更改被识别：

phpMyAdmin is now installed and configured to work with Apache. However, before you can log in and begin interacting with your MySQL databases, you will need to ensure that your MySQL users have the privileges required for interacting with the program.

phpMyAdmin现在已安装并配置为可与Apache一起使用。 但是，在登录并开始与MySQL数据库进行交互之前，需要确保MySQL用户具有与程序进行交互所需的特权。

第2步-调整用户身份验证和特权 (Step 2 — Adjusting User Authentication and Privileges)

When you installed phpMyAdmin onto your server, it automatically created a database user called phpmyadmin which performs certain underlying processes for the program. Rather than logging in as this user with the administrative password you set during installation, it’s recommended that you log in as either your root MySQL user or as a user dedicated to managing databases through the phpMyAdmin interface.

将phpMyAdmin安装到服务器上后，它将自动创建一个名为phpmyadmin的数据库用户，该用户将对该程序执行某些基础过程。 建议不要以root用户MySQL或专用于通过phpMyAdmin界面管理数据库的用户身份登录，而不是使用在安装过程中设置的管理密码以此用户身份登录。

为MySQL根帐户配置密码访问 (Configuring Password Access for the MySQL Root Account)

In Ubuntu systems running MySQL 5.7 (and later versions), the root MySQL user is set to authenticate using the auth_socket plugin by default rather than with a password. This allows for some greater security and usability in many cases, but it can also complicate things when you need to allow an external program — like phpMyAdmin — to access the user.

在运行MySQL 5.7(及更高版本)的Ubuntu系统中，默认情况下，MySQL 根用户设置为使用auth_socket插件而不是使用密码进行身份验证。 在许多情况下，这可以提高安全性和可用性，但是当您需要允许外部程序(例如phpMyAdmin)访问用户时，也会使事情复杂化。

In order to log in to phpMyAdmin as your root MySQL user, you will need to switch its authentication method from auth_socket to one that makes use of a password, if you haven’t already done so. To do this, open up the MySQL prompt from your terminal:

为了以MySQL的root用户身份登录phpMyAdmin，您需要将其身份验证方法从auth_socket到使用密码的身份验证方法(如果尚未这样做)。 为此，请从终端打开MySQL提示符：

Next, check which authentication method each of your MySQL user accounts use with the following command:

接下来，使用以下命令检查每个MySQL用户帐户使用的身份验证方法：

   

    Output
   
+------------------+-------------------------------------------+-----------------------+-----------+
| user             | authentication_string                     | plugin                | host      |
+------------------+-------------------------------------------+-----------------------+-----------+
| root             |                                           | auth_socket           | localhost |
| mysql.session    | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | caching_sha2_password | localhost |
| mysql.sys        | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | caching_sha2_password | localhost |
| debian-sys-maint | *8486437DE5F65ADC4A4B001CA591363B64746D4C | caching_sha2_password | localhost |
| phpmyadmin       | *5FD2B7524254B7F81B32873B1EA6D681503A5CA9 | caching_sha2_password | localhost |
+------------------+-------------------------------------------+-----------------------+-----------+
5 rows in set (0.00 sec)

In this example, you can see that the root user does in fact authenticate using the auth_socket plugin. To configure the root account to authenticate with a password, run the following ALTER USER command. Be sure to change password to a strong password of your choosing:

在此示例中，您可以看到root用户实际上使用auth_socket插件进行了身份验证。 要将根帐户配置为使用密码进行身份验证，请运行以下ALTER USER命令。 确保将password更改为您选择的强密码：

Note: The previous ALTER USER statement sets the root MySQL user to authenticate with the caching_sha2_password plugin. Per the official MySQL documentation, caching_sha2_password is MySQL’s preferred authentication plugin, as it provides more secure password encryption than the older, but still widely used, mysql_native_password.

注意 ：前面的ALTER USER语句将MySQL 根用户设置为使用caching_sha2_password插件进行身份验证。 根据MySQL的官方文档 ， caching_sha2_password是MySQL首选的身份验证插件，因为它提供比旧的但仍被广泛使用的mysql_native_password更安全的密码加密。

However, some versions of PHP don’t work reliably with caching_sha2_password. PHP has reported that this issue was fixed as of PHP 7.4, but if you encounter an error when trying to log in to phpMyAdmin later on, you may want to set root to authenticate with mysql_native_password instead:

但是，某些版本PHP不能与caching_sha2_password可靠地配合caching_sha2_password 。 PHP已报告此问题 mysql_native_password PHP 7.4开始修复 ，但是如果以后尝试登录phpMyAdmin时遇到错误，则可能需要设置root来使用mysql_native_password进行身份验证：

Then, check the authentication methods employed by each of your users again to confirm that root no longer authenticates using the auth_socket plugin:

然后，再次检查每个用户使用的身份验证方法，以确认root不再使用auth_socket插件进行身份验证：

   

    Output
   
+------------------+-------------------------------------------+-----------------------+-----------+
| user             | authentication_string                     | plugin                | host      |
+------------------+-------------------------------------------+-----------------------+-----------+
| root             | *DE06E242B88EFB1FE4B5083587C260BACB2A6158 | caching_sha2_password | localhost |
| mysql.session    | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | caching_sha2_password | localhost |
| mysql.sys        | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | caching_sha2_password | localhost |
| debian-sys-maint | *8486437DE5F65ADC4A4B001CA591363B64746D4C | caching_sha2_password | localhost |
| phpmyadmin       | *5FD2B7524254B7F81B32873B1EA6D681503A5CA9 | caching_sha2_password | localhost |
+------------------+-------------------------------------------+-----------------------+-----------+
5 rows in set (0.00 sec)

You can see from this output that the root user will authenticate using a password. You can now log in to the phpMyAdmin interface as your root user with the password you’ve set for it here.

您可以从此输出中看到root用户将使用密码进行身份验证。 现在，您可以使用您在此处设置的密码以root用户身份登录phpMyAdmin界面。

为专用MySQL用户配置密码访问 (Configuring Password Access for a Dedicated MySQL User)

Alternatively, some may find that it better suits their workflow to connect to phpMyAdmin with a dedicated user. To do this, open up the MySQL shell once again:

另外，有些人可能会发现它更适合他们的工作流程，以便与专用用户连接到phpMyAdmin。 为此，请再次打开MySQL Shell：

If you have password authentication enabled for your root user, as described in the previous section, you will need to run the following command and enter your password when prompted in order to connect:

如果您已如上节所述为root用户启用了密码认证，则需要运行以下命令并在出现提示时输入密码以进行连接：

From there, create a new user and give it a strong password:

从那里，创建一个新用户并为其设置一个强密码：

Note: Again, depending on what version of PHP you have installed, you may want to set your new user to authenticate with mysql_native_password instead of caching_sha2_password:

注意 ：同样，根据您所安装PHP版本，您可能希望将新用户设置为使用mysql_native_password而不是caching_sha2_password进行身份验证：

Then, grant your new user appropriate privileges. For example, you could grant the user privileges to all tables within the database, as well as the power to add, change, and remove user privileges, with this command:

然后，授予您的新用户适当的特权。 例如，您可以使用以下命令向数据库内的所有表授予用户特权，以及添加，更改和删除用户特权的能力：

Following that, exit the MySQL shell:

之后，退出MySQL Shell：

You can now access the web interface by visiting your server’s domain name or public IP address followed by /phpmyadmin:

现在，您可以通过访问服务器的域名或公共IP地址(后跟/phpmyadmin来访问Web界面：

https://your_domain_or_IP/phpmyadmin

Log in to the interface, either as root or with the new username and password you just configured.

以root用户身份或使用刚配置的新用户名和密码登录到界面。

When you log in, you’ll see the user interface, which will look something like this:

登录时，您将看到用户界面，该界面类似于以下内容：

Now that you’re able to connect and interact with phpMyAdmin, all that’s left to do is harden your system’s security to protect it from attackers.

现在您可以连接phpMyAdmin并与之交互，剩下要做的就是增强系统的安全性，以保护其免受攻击者的攻击。

步骤3 —保护您的phpMyAdmin实例 (Step 3 — Securing Your phpMyAdmin Instance)

Because of its ubiquity, phpMyAdmin is a popular target for attackers, and you should take extra care to prevent unauthorized access. One way of doing this is to place a gateway in front of the entire application by using Apache’s built-in .htaccess authentication and authorization functionalities.

由于phpMyAdmin无处不在，因此它是攻击者的首选目标，因此应格外小心，以防止未经授权的访问。 一种方法是使用Apache内置的.htaccess身份验证和授权功能，将网关放置在整个应用程序的前面。

To do this, you must first enable the use of .htaccess file overrides by editing your phpMyAdmin installation’s Apache configuration file.

为此，必须首先通过编辑phpMyAdmin安装的Apache配置文件来启用.htaccess文件替代。

Use your preferred text editor to edit the phpmyadmin.conf file that has been placed in your Apache configuration directory. Here, we’ll use nano:

使用首选的文本编辑器来编辑已放置在Apache配置目录中的phpmyadmin.conf文件。 在这里，我们将使用nano ：

Add an AllowOverride All directive within the <Directory /usr/share/phpmyadmin> section of the configuration file, like this:

在配置文件的<Directory /usr/share/phpmyadmin>部分中添加AllowOverride All指令，如下所示：

<Directory /usr/share/phpmyadmin>
    Options FollowSymLinks
    DirectoryIndex index.php
    AllowOverride All
    . . .

When you have added this line, save and close the file. If you used nano to edit the file, do so by pressing CTRL + X, Y, and then ENTER.

添加此行后，保存并关闭文件。 如果您使用nano编辑文件，请按CTRL + X ， Y ，然后按ENTER 。

To implement the changes you made, restart Apache:

要实现您所做的更改，请重新启动Apache：

Now that you have enabled the use of .htaccess files for your application, you need to create one to actually implement some security.

现在您已经为应用程序启用了.htaccess文件的使用，您需要创建一个文件来实际实现某种安全性。

In order for this to be successful, the file must be created within the application directory. You can create the necessary file and open it in your text editor with root privileges by typing:

为了使此操作成功，必须在应用程序目录中创建文件。 您可以创建必需的文件，并通过输入以下内容以root用户权限在文本编辑器中将其打开：

Within this file, enter the following information:

在此文件中，输入以下信息：

AuthType Basic
AuthName "Restricted Files"
AuthUserFile /etc/phpmyadmin/.htpasswd
Require valid-user

Here is what each of these lines mean:

这些行的含义如下：

• AuthType Basic: This line specifies the authentication type that you are implementing. This type will implement password authentication using a password file.

  AuthType Basic ：此行指定要实现的身份验证类型。 此类型将使用密码文件实现密码验证。

• AuthName: This sets the message for the authentication dialog box. You should keep this generic so that unauthorized users won’t gain any information about what is being protected.

  AuthName ：设置身份验证对话框的消息。 您应该保留此通用名称，以便未经授权的用户不会获得任何有关受保护内容的信息。

• AuthUserFile: This sets the location of the password file that will be used for authentication. This should be outside of the directories that are being served. We will create this file shortly.

  AuthUserFile ：这将设置用于身份验证的密码文件的位置。 这应该在正在提供的目录之外。 我们将很快创建此文件。

• Require valid-user: This specifies that only authenticated users should be given access to this resource. This is what actually stops unauthorized users from entering.

  Require valid-user ：这指定仅应向经过身份验证的用户授予对此资源的访问权限。 这实际上是阻止未经授权的用户进入的原因。

When you are finished, save and close the file.

完成后，保存并关闭文件。

The location that you selected for your password file was /etc/phpmyadmin/.htpasswd. You can now create this file and pass it an initial user with the htpasswd utility:

您为密码文件选择的位置是/etc/phpmyadmin/.htpasswd 。 现在，您可以创建此文件，并使用htpasswd实用程序将其传递给初始用户：

You will be prompted to select and confirm a password for the user you are creating. Afterwards, the file is created with the hashed password that you entered.

系统将提示您选择并确认要创建的用户的密码。 然后，使用您输入的哈希密码创建文件。

If you want to enter an additional user, you need to do so without the -c flag, like this:

如果要输入其他用户，则需要不带 -c标志，例如：

Now, when you access your phpMyAdmin subdirectory, you will be prompted for the additional account name and password that you just configured:

现在，当您访问phpMyAdmin子目录时，将提示您输入刚刚配置的其他帐户名和密码：

https://domain_name_or_IP/phpmyadmin

After entering the Apache authentication, you’ll be taken to the regular phpMyAdmin authentication page to enter your MySQL credentials. By adding an extra set of non-MySQL credentials, you’re providing your database with an additional layer of security. This is desirable, since phpMyAdmin has been vulnerable to security threats in the past.

输入Apache身份验证后，将带您到常规phpMyAdmin身份验证页面输入MySQL凭据。 通过添加额外的一组非MySQL凭据，可以为数据库提供额外的安全性。 这是可取的，因为phpMyAdmin在过去一直容易受到安全威胁。

结论 (Conclusion)

You should now have phpMyAdmin configured and ready to use on your Ubuntu 20.04 server. Using this interface, you can create databases, users, and tables, as well as perform the usual operations like deleting and modifying structures and data.

现在，您应该已经配置了phpMyAdmin，并且可以在Ubuntu 20.04服务器上使用了。 使用此界面，您可以创建数据库，用户和表，以及执行常规操作，例如删除和修改结构和数据。

翻译自: https://www.digitalocean.com/community/tutorials/how-to-install-and-secure-phpmyadmin-on-ubuntu-20-04