How to Install phpMyAdmin on RHEL 7

phpMyAdmin is a free, open-source web-based tool for administering MySQL and MariaDB databases through a browser interface. Rather than relying on the command line for every operation, phpMyAdmin lets you browse tables, run queries, manage users, import and export data, and monitor server status with a point-and-click UI. On RHEL 7, phpMyAdmin is not available in the default repositories, but it can be installed quickly from the EPEL (Extra Packages for Enterprise Linux) repository. This tutorial walks through installing phpMyAdmin on RHEL 7, securing it with IP-based access restrictions, configuring the Blowfish secret, and ensuring SELinux does not block network connections to MySQL.

Prerequisites

  • RHEL 7 server with root or sudo access
  • Apache HTTP Server installed and running (httpd)
  • MySQL or MariaDB installed and running
  • A registered RHEL subscription or access to EPEL
  • Firewall port 80 (and optionally 443) open

Step 1: Enable the EPEL Repository

phpMyAdmin is packaged in the EPEL repository. Install the EPEL release package to make it available to yum:

sudo yum install -y epel-release

If your RHEL 7 system does not have access to the standard EPEL release package via subscription, install it directly:

sudo yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

Verify EPEL is enabled:

yum repolist | grep epel

You should see a line similar to epel/x86_64 Extra Packages for Enterprise Linux 7 with a non-zero package count.

Step 2: Install phpMyAdmin

With EPEL enabled, install phpMyAdmin and its dependencies:

sudo yum install -y phpMyAdmin

This will pull in the required PHP packages (php, php-mysql, php-mbstring, php-json) as dependencies if they are not already installed. After installation, the main configuration file is located at /etc/phpMyAdmin/config.inc.php and the Apache alias configuration is at /etc/httpd/conf.d/phpMyAdmin.conf.

Step 3: Generate and Set the Blowfish Secret

phpMyAdmin uses a Blowfish secret to encrypt cookies used for authentication. You must set a strong, unique random string before using the application. Open the phpMyAdmin configuration file:

sudo vi /etc/phpMyAdmin/config.inc.php

Find the line that reads:

$cfg['blowfish_secret'] = '';

Replace the empty string with a random 32-character (or longer) string. You can generate one with OpenSSL:

openssl rand -base64 32

Copy the output and paste it as the value. The string below is only a placeholder; use the one you generated:

$cfg['blowfish_secret'] = 'T8kQz2pXvR9mLwNaYcHsJbGdUeF0oI1n';

Save and close the file.

Step 4: Configure the Apache Alias and Restrict Access by IP

The phpMyAdmin package installs an Apache alias configuration at /etc/httpd/conf.d/phpMyAdmin.conf. By default on newer EPEL builds the /phpmyadmin alias is defined but access may be denied to all hosts. Edit the file to allow only trusted IP addresses:

sudo vi /etc/httpd/conf.d/phpMyAdmin.conf

A typical configuration looks like the following. Replace 192.168.1.50 with your workstation or management IP:

Alias /phpmyadmin /usr/share/phpMyAdmin

<Directory /usr/share/phpMyAdmin/>
    AddDefaultCharset UTF-8

    <IfModule mod_authz_core.c>
        # Apache 2.4
        Require ip 127.0.0.1
        Require ip ::1
        Require ip 192.168.1.50
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order Deny,Allow
        Deny from All
        Allow from 127.0.0.1
        Allow from ::1
        Allow from 192.168.1.50
    </IfModule>
</Directory>

<Directory /usr/share/phpMyAdmin/setup/>
    Require ip 127.0.0.1
    Require ip ::1
</Directory>

Require ip is the Apache 2.4-style access directive, which is available on RHEL 7. Only clients matching the listed IP addresses will be able to load the phpMyAdmin login page. This is an important layer of defence for a database administration interface.

Step 5: Configure /etc/phpMyAdmin/config.inc.php for MySQL Connectivity

By default phpMyAdmin connects to MySQL on 127.0.0.1 over TCP port 3306. Verify or adjust the server connection block in /etc/phpMyAdmin/config.inc.php:

$cfg['Servers'][$i]['host']          = '127.0.0.1';
$cfg['Servers'][$i]['connect_type']  = 'tcp';
$cfg['Servers'][$i]['compress']      = false;
$cfg['Servers'][$i]['extension']     = 'mysqli';
$cfg['Servers'][$i]['auth_type']     = 'cookie';

Using auth_type = 'cookie' means phpMyAdmin will present a login page and store the session credentials in an encrypted cookie. This is the most secure option for production use. Avoid auth_type = 'config', which embeds credentials in the configuration file.
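
A read-only check of the settings made in Steps 3 to 5, added here as an example (it is not part of the phpMyAdmin package or of the original tutorial): it flags an empty or short blowfish_secret, auth_type = 'config', and any allow-all rule in the Apache alias file, and lists the non-loopback addresses granted by Require ip. The function names and the sample files are made up for the illustration; on a real host pass /etc/phpMyAdmin/config.inc.php and /etc/httpd/conf.d/phpMyAdmin.conf instead.

```shell
#!/bin/sh
# Added example: audits the settings from Steps 3-5. All sample data is constructed.

# pma_value KEY FILE: print the last single-quoted value assigned to $cfg[...]['KEY'].
pma_value() {
    sed -n "s/^[[:space:]]*[\$]cfg.*\['$1'][[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$2" | tail -n 1
}

# allowed_clients CONF: print the non-loopback addresses named on "Require ip" lines.
allowed_clients() {
    sed -n 's/^[[:space:]]*Require[[:space:]]\{1,\}ip[[:space:]]\{1,\}//p' "$1" |
        tr -s ' \t' '\n\n' | grep -v -e '^127\.' -e '^::1$' -e '^$' | sort -u
}

# audit_pma CONFIG_INC APACHE_CONF: print one line per finding; exit status = number of findings.
audit_pma() {
    findings=0
    secret=$(pma_value blowfish_secret "$1")
    if [ "${#secret}" -lt 32 ]; then
        echo "FAIL blowfish_secret has ${#secret} characters; the tutorial asks for 32 or more"
        findings=$((findings + 1))
    fi
    if [ "$(pma_value auth_type "$1")" = config ]; then
        echo "FAIL auth_type is 'config': credentials are stored in the configuration file"
        findings=$((findings + 1))
    fi
    # An allow-everyone rule makes the Require ip list from Step 4 pointless.
    if grep -Eiq '^[[:space:]]*(Require[[:space:]]+all[[:space:]]+granted|Allow[[:space:]]+from[[:space:]]+all)([[:space:]]|$)' "$2"; then
        echo "FAIL Apache configuration contains an allow-all rule"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: an untouched config.inc.php and an over-permissive alias file.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s\n' "\$cfg['blowfish_secret'] = '';" \
    "\$cfg['Servers'][\$i]['auth_type'] = 'config';" > "$demo/config.inc.php"
printf '%s\n' '<Directory /usr/share/phpMyAdmin/>' '    Require ip 127.0.0.1 ::1' \
    '    Require ip 192.168.1.50' '    Require all granted' '</Directory>' > "$demo/phpMyAdmin.conf"

audit_pma "$demo/config.inc.php" "$demo/phpMyAdmin.conf" || echo "$? finding(s)"
echo "Non-loopback clients allowed: $(allowed_clients "$demo/phpMyAdmin.conf" | tr '\n' ' ')"
```

The Require ip match is case-sensitive and only reads the file it is given, so review any other Apache configuration that covers /usr/share/phpMyAdmin separately.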

Step 6: Configure SELinux to Allow Network Connections

RHEL 7 ships with SELinux in enforcing mode by default. The Apache process needs the httpd_can_network_connect_db boolean set to allow it to connect to MySQL over the network (even on localhost via TCP):

# Allow Apache to connect to database servers
sudo setsebool -P httpd_can_network_connect_db 1

# Verify the boolean is set
getsebool httpd_can_network_connect_db

If you are using phpMyAdmin to connect to remote MySQL hosts (not just localhost), you also need the general network connect boolean:

sudo setsebool -P httpd_can_network_connect 1

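The -P flag makes the change persistent across reboots by writing it to the SELinux policy store. Keep in mind that httpd_can_network_connect is much broader than the database boolean: it lets Apache open outbound connections to any port, so enable it only when you actually need it.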

Step 7: Start and Enable Apache

Restart Apache to load the updated configuration, then ensure it starts automatically on boot:

sudo systemctl restart httpd
sudo systemctl enable httpd
sudo systemctl status httpd

Check that the service is active (running). If the restart fails, check for configuration syntax errors:

sudo apachectl configtest

Step 8: Open the Firewall

If firewalld is running, allow HTTP traffic:

sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --reload
sudo firewall-cmd --list-services

Step 9: Access phpMyAdmin and Connect to MySQL

From a browser on an allowed IP, navigate to:

http://<server-ip>/phpmyadmin

You will see the phpMyAdmin login screen. Log in with a MySQL user account. For initial access you can use the root MySQL user, but for ongoing administration it is best practice to create a dedicated MySQL user with only the privileges required:

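-- Run inside MySQL. Replace the sample password with a strong one of your own.
CREATE USER 'dbadmin'@'127.0.0.1' IDENTIFIED BY 'StrongPass123!';
-- ALL PRIVILEGES ON *.* WITH GRANT OPTION gives this account full control of
-- every database; narrow the privilege list and the ON clause to what the account needs.
GRANT ALL PRIVILEGES ON *.* TO 'dbadmin'@'127.0.0.1' WITH GRANT OPTION;
FLUSH PRIVILEGES;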

Step 10: Verify phpMyAdmin is Working

After logging in you should see the phpMyAdmin dashboard listing all databases on the server. Test basic functionality by clicking on a database, browsing a table, and running a simple SQL query from the SQL tab. If you encounter a “Cannot log in to the MySQL server” error, double-check the SELinux booleans from Step 6 and confirm MySQL is listening on the expected address.

Installing phpMyAdmin on RHEL 7 from the EPEL repository is straightforward once you understand the moving parts: the Apache alias for /phpmyadmin, IP-based access restrictions with Require ip, the Blowfish secret for cookie encryption, and the SELinux httpd_can_network_connect_db boolean. With these pieces in place you have a functional, reasonably secured database administration interface that is restricted to your management network and backed by SELinux mandatory access controls. For production environments, also consider serving phpMyAdmin exclusively over HTTPS with a valid TLS certificate.