We have a cluster that includes a dedicated database server. Trying to publish it to the internet so clients can get to phpmyadmin. The site responds to http requests, but https is refused, as 443 is not responding. Although this is not a web server, how does Apache need to be configured through the CP to allow https but not http? I can block port 80 at the firewall but for testing, it's still open.
I think PMA config can be modified so that you can access other server(s) from one install but I can't remember if ISPConfig has that kind of setup built in.
Redirect http -> https? But i'm a bit confused. Where is phpmyadmin running? On the database server itself?
Yes, phpmyadmin runs on the database server to allow users access to their database. now that i've been able to dig a bit deeper, I should have been clearer that I'm not looking for http => https. The issue is that once a cert is installed on the database server, it breaks phpmyadmin. It's my understanding that this is because phpmyadmin is a webapp that will not respond to https requests. So, what I'm actually looking for is how to secure phpmyadmin with an SSL cert. I've seen numerous posts on how to secure phpmyadmin through basic auth or restricting by IP, but that requires manually creating a user/password and knowing their IP, which is not a reasonable solution. And I do not see how to lock a user down to their own database. A messy solution, at best.
You just configure your apache correctly and can use phpmyadmin with SSL. There should be a "ForceSSL" option in phpmyadmin itself too. I would not install phpmyadmin on the database server itself anyways.
This is always the case and done automatically by MySQL. The user logs into phpmyadmin with his MySQL user, and he will only be able to access and see the database that is accessible by this MySQL user. No manual user creation or knowing any IP needed here.
Thanks Till and pyte. I understand the user will be locked to their own mysql db if they login. The problem was that I could not get phpmyadmin to work with a cert and did not want to need to create the user again using basic auth, as the user would already exist with the correct permissions. My fear was that i would break the config with a user created manually. I wanted to rely on the user created through CP, as it works flawlessly. I'll try pyte's suggestion regarding teh "ForceSSL" in phpmyadmin.
To change PMA web access to use https, you need to modify apps.vhost file. To make it permanent, copy apps.vhost template file to conf-custom and modify that accordingly as well.
The apps vhost is using https on any recent installation by default with the systems SSL cert. I guess his problem is that he uses port 443, which is not the apps vhost. Apps vhost is port 8081.
Thanks, Till and ahrasis. I did not have a default vhost in /etc/apache2 sites-available or sites-enabled, so I created a domain.conf file with the server and alias names, specifying port 443 (I was not aware of port 8081 being used for this type of connection). I then created a Let's Encrypt cert for testing and it added the appropriate entries in the file. I also specified "ForcsSSL = true" per pyte's recommendation in config.inc.php. I opened ports on our firewall and ran a tcpdump to verify all access was fully encrypted, which it was. When logging in as a db user with their db passwd, they are locked down to their own database, so all looks to be working. Till, is here any reason not to leave it as is? Will what's been done break anything within ISPConfig CP or the db?
This is a completely standard setup and will not interfere with any ISPConfig specific configurations.
