phpMyAdmin is a web-based graphical administration interface for MySQL and MariaDB databases. It allows developers and DBAs to manage databases, tables, rows, users, and permissions through a browser without needing to use the command-line MySQL client. phpMyAdmin is especially useful for non-technical users who need to browse data, run queries, import/export CSV or SQL files, and manage database users. It is the most widely deployed MySQL admin tool, included in virtually every cPanel/DirectAdmin/Plesk control panel by default. phpMyAdmin is not in RHEL 9’s AppStream and must be installed manually from the EPEL repository or directly from the project’s website. This guide covers installing phpMyAdmin on RHEL 9 with Nginx, securing the installation, and restricting access to trusted IP addresses.
Prerequisites
- Nginx and PHP-FPM installed on RHEL 9
- MySQL or MariaDB installed and running
- EPEL repository enabled
Step 1 — Install phpMyAdmin from EPEL
dnf install -y epel-release
dnf install -y phpMyAdmin
phpMyAdmin --version 2>/dev/null || echo "Installed at /usr/share/phpMyAdmin"Step 2 — Configure Nginx to Serve phpMyAdmin
# /etc/nginx/conf.d/phpmyadmin.conf
server {
listen 443 ssl http2;
server_name dbadmin.example.com;
ssl_certificate /etc/letsencrypt/live/dbadmin.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/dbadmin.example.com/privkey.pem;
# Restrict access to trusted IPs only
allow 203.0.113.10; # Your office IP
allow 10.0.0.0/8; # Internal network
deny all;
root /usr/share/phpMyAdmin;
index index.php;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location ~ .php$ {
fastcgi_pass unix:/run/php-fpm/www.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
# Block access to sensitive phpMyAdmin directories
location ~ ^/phpMyAdmin/(libraries|templates|setup)/ {
deny all;
}
}nginx -t && systemctl reload nginxStep 3 — Configure phpMyAdmin
# /etc/phpMyAdmin/config.inc.php
$cfg['blowfish_secret'] = 'a-32-character-random-secret-key'; # Generate: openssl rand -base64 32
# Allow authentication
$cfg['Servers'][$i]['auth_type'] = 'cookie'; # Secure form-based auth
$cfg['Servers'][$i]['host'] = '127.0.0.1';
$cfg['Servers'][$i]['compress'] = false;
$cfg['Servers'][$i]['AllowNoPassword'] = false;
# Security: allow only specific users
$cfg['Servers'][$i]['AllowRoot'] = false; # Block root login via phpMyAdminStep 4 — Set Correct SELinux Context
chcon -R -t httpd_sys_content_t /usr/share/phpMyAdmin/
setsebool -P httpd_can_network_connect_db 1Step 5 — Access phpMyAdmin
# Access from allowed IP: https://dbadmin.example.com
# Log in with a non-root MySQL user that has appropriate permissions
# Create a limited phpMyAdmin admin user
mysql -u root -p -e "
CREATE USER 'pma_admin'@'127.0.0.1' IDENTIFIED BY 'PmaPassword789!';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER ON myapp.* TO 'pma_admin'@'127.0.0.1';
FLUSH PRIVILEGES;"Conclusion
phpMyAdmin on RHEL 9 with Nginx provides a convenient browser-based MySQL/MariaDB management interface. Restricting access by IP address at the Nginx level, disabling root login via the phpMyAdmin config, and serving phpMyAdmin over HTTPS only are the minimum security requirements for any internet-facing deployment. For maximum security, consider using an SSH tunnel instead of exposing phpMyAdmin over the network at all.
Next steps: How to Install pgAdmin 4 on RHEL 9, How to Secure MySQL on RHEL 9, and How to Configure MySQL Primary-Replica Replication on RHEL 9.
