0

My phpmyadmin installation is like http://my-IP/phpmyadmin NOT http://mydomain1/phpmyadmin + http://mydomain2/phpmyadmin + http://mydomain3/phpmyadmin

In other words, my only phpmyadmin installation makes use of different domains (very simple site, sure).

Now I have 2 very stupid security controls:

1) Restricted IP access (httpd.conf)

2) Restricted user access with htaccess and htpasswd

Now I want to add SSL, but some provider tells me:

We do not provide certificates for IP addresses. This is due to the new CA/B Forum guidelines that will make all Certificate Authorities stop issuing trusted certificates for IP addresses and local/internal domain names.

What do I have to do to have SSL only on the phpmyadmin IP (like https://my-IP/phpmyadmin) and not on one or more domains?

Sven

2 Answers

2

The safest would be running it on a (sub)domain you own. This way you could request a CA signed certificate.

If you really want to run phpMyAdmin on an IP over SSL you could install a self-signed certificate. However, this means the users will get a warning the first time they visit the page and will need to accept the certificate manually. (This also means that new users/browsers/... are still vulnerable to a MITM attack since they have no verification of the certificate they are accepting.)

eKKiM
  • Thanks! So I understand that running phpMyAdmin on an IP is a bad thing, can you confirm? If I use SSL on a (sub)domain, can I have SSL only on that subdomain, or do I need to use it on all domains? – Jori Bardill Sep 14 '15 at 15:56
  • If I use a self-signed certificate, do users need to accept the certificate manually on all the domains or only on https://my-IP/phpmyadmin? – Jori Bardill Sep 14 '15 at 15:58
  • Calling it bad is complicated. It is more secure than using no SSL at all. It depends on your situation: how many and what kind of users will be using phpMyAdmin? The self-signed certificate needs to be accepted by the user only once per (sub)domain (the path does not matter). – eKKiM Sep 14 '15 at 16:07
  • Oh no, I'm the only user of phpmyadmin :) We are a 3-person, very very small studio :) The self-signed certificate will work only for this URL, https://my-IP/phpmyadmin? Can you confirm? It's important that users of the domains see the warning :) – Jori Bardill Sep 14 '15 at 17:20
  • Please see the DigitalOcean example below! – Jori Bardill Sep 14 '15 at 17:29
  • If you are the only user of phpMyAdmin, it shouldn't be a problem using a self-signed certificate. However, if you visit a domain (pointing to the same IP) over HTTPS, the same warning is given about the self-signed certificate. I would use a non-standard port to let my web server listen on and use the certificate on that port. – eKKiM Sep 14 '15 at 17:39
0

I would either use a self-signed certificate that is generated for your IP address, or use a certificate that was generated for a domain name but just use it with your IP anyway.

A self-signed certificate will prompt the user with a warning in their browser. A certificate generated for a domain but used for an IP address will prompt the user with a different warning in their browser. But in either case, the user can just accept the warning and use the certificate anyway.

ricksebak
  • Can this be an example of a self-signed certificate? If yes, I have a big problem! A user says: "Now when I connect to my website like https://www.mywebsite.com Chrome alerts me about that SSL. I only want to display it when I go to mywebsite.com/phpmyadmin. So if a new user would type in www.mywebsite.com, would he be alerted about that SSL or is it only when he goes to /phpmyadmin?" Another user: "With this tutorial it seems my website has SSL on every page now" https://www.digitalocean.com/community/tutorials/how-to-set-up-ssl-certificates-with-phpmyadmin-on-an-ubuntu-12-04-vps – Jori Bardill Sep 14 '15 at 17:31
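
The setup suggested in the first answer's comments (a self-signed certificate served on a non-standard port), combined with the two controls the question already has, as an added example that is not part of the original thread. It assumes Apache 2.4 with mod_ssl; the addresses 203.0.113.10 (standing in for "my-IP") and 198.51.100.25, port 8443 and all file paths are placeholders.

```apache
# Added example (Apache 2.4 syntax). 203.0.113.10 stands in for "my-IP";
# 198.51.100.25, port 8443 and every file path are assumptions.
#
# Certificate issued for the IP itself. Modern browsers match an IP address
# against an IP subjectAltName entry, so the SAN is set explicitly
# (-addext needs OpenSSL 1.1.1 or later):
#   openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
#     -subj "/CN=203.0.113.10" -addext "subjectAltName=IP:203.0.113.10" \
#     -keyout /etc/ssl/private/pma.key -out /etc/ssl/certs/pma.crt
# Fingerprint to compare with the browser's warning dialog before accepting,
# which closes the first-visit MITM gap the first answer mentions:
#   openssl x509 -in /etc/ssl/certs/pma.crt -noout -fingerprint -sha256

# TLS listener on its own port; the domain vhosts on :80 are not touched.
Listen 203.0.113.10:8443 https

<VirtualHost 203.0.113.10:8443>
    ServerName 203.0.113.10

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/pma.crt
    SSLCertificateKeyFile /etc/ssl/private/pma.key

    # phpMyAdmin is mapped only inside this vhost. Remove any global
    # "Alias /phpmyadmin" so the domain vhosts stop serving it.
    Alias /phpmyadmin /usr/share/phpmyadmin

    <Directory /usr/share/phpmyadmin>
        Options -Indexes
        AllowOverride None
        DirectoryIndex index.php
        AuthType Basic
        AuthName "phpMyAdmin"
        AuthUserFile /etc/apache2/.htpasswd-pma
        # Both existing controls must pass: source IP and password.
        <RequireAll>
            Require ip 198.51.100.25
            Require valid-user
        </RequireAll>
    </Directory>
</VirtualHost>
```

With this layout phpMyAdmin is reached at https://203.0.113.10:8443/phpmyadmin, and the certificate warning appears only there, because the domains keep their plain-HTTP virtual hosts and have no HTTPS listener.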