How to Install phpMyAdmin with Nginx on Debian 11 Bullseye

One of the most popular tools for managing databases is called phpMyAdmin. It’s an easy-to-use, free web interface that allows you to manage your MySQL or MariaDB database from anywhere with just a browser! The best thing about this software? You don’t need any special knowledge on how servers work because it does all the heavy lifting behind the scenes, so users can access them easily without getting lost in the command line terminal.

Most times, developers prefer to use phpMyAdmin to interact with a database server because of its ease of use and advanced SQL editor, making it easy to build and test complex SQL queries. On the other hand, admins of webservers install phpMyAdmin besides their CMS system such as WordPress to fix problems or give access to someone else (a developer of a plugin, for example) access investigate an issue.

In the following tutorial, you will learn how to install the LEMP stack quickly using Nginx, MariaDB, and PHP (PHP-FPM) using the standard Debian 11 Bullseye repositories or alternative upgraded repositories then download and configure phpMyAdmin manually by creating an Nginx server block and a free Let’s Encrypt TLS certificate.

Update Debian

Before proceeding with the tutorial, it is good to ensure your system is up-to-date with all existing packages to avoid any conflicts during the installation.

sudo apt update && sudo apt upgrade -y

Install Dependecies

Use the following command to install or check if the packages are installed.

sudo apt install software-properties-common curl apt-transport-https -y

Install Nginx – LEMP Stack

After installing either stable or mainline Nginx PPA, use the following command to install Nginx:

sudo apt install nginx-core nginx-common nginx nginx-full -y

Once installed, the service should be enabled by default; however, it is good to check this and operate correctly.

systemctl status nginx

Example output:

How to Install phpMyAdmin with LEMP on Debian 11 Bullseye

If the server has not been activated, use the following command to do this and have Nginx started on reboot.

sudo systemctl enable nginx --now

Alternative Nginx Installation

Another method is to install the latest Nginx mainline or stable from the Ondřej Surý repository to have the most updated software. Many Ubuntu users would know his PPA, and you can do the same in Debian.

Option 1 – Import Mainline Repository (Recommended by Nginx)

curl -sSL https://packages.sury.org/nginx-mainline/README.txt | sudo bash -x

Option 2 – Import Stable Repository

curl -sSL https://packages.sury.org/nginx/README.txt | sudo bash -x

Update your repository to reflect the new change:

sudo apt update

Now that you have installed the Nginx repository and updated the list, install Nginx with the following.

sudo apt install nginx-core nginx-common nginx nginx-full -y

Note that you may be prompted to keep or replace your existing /etc/nginx/nginx.conf configuration file during the installation. It is recommended to keep your current configuration file by pressing (n).

Installing Nginx with the custom repository comes with additional modules compiled, one of the most sorts after and recommended modules to enable is the Brotli module.

To install brotli, open your nginx.conf configuration file:

nano /etc/nginx/nginx.conf

Now add the additional lines before in the HTTP{} section.

Below is an example for you to tweak into your configuration file.

brotli on;
brotli_comp_level 6;
brotli_static on;
brotli_types application/atom+xml application/javascript application/json application/rss+xml
   application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype
   application/x-font-ttf application/x-javascript application/xhtml+xml application/xml
   font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon
   image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml;

The brotli_comp_level can be set between 1 (lowest) and 11 (highest). Typically, most servers sit in the middle, but if your server is a monster, set to 11 and monitor CPU usage levels.

Next, test to make sure the changes are working correctly before making it live:

sudo nginx -t

If the changes are working correctly, you should see the following:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Now make the changes live by restarting your server:

sudo systemctl restart nginx

Next, enable Nginx on system boot:

sudo systemctl enable nginx --now

Install MariaDB – LEMP Stack

In the second part of the installation, you will need to install the database part. LEMP stack typically associates itself with MariaDB over MySQL for many reasons, mainly due to performance.

In your terminal, execute the following command.

sudo apt install mariadb-server mariadb-client -y

Once installed, verify the same as you did with the Nginx service that it is enabled and working without any errors.

systemctl status mariadb

If the server has not been activated, use the following command to do this and have MariaDB started on reboot.

sudo systemctl enable mariadb --now

Alternative MariaDB Installation (MariaDB.org Repository)

For those that would like to use the latest 10.5 LTS, 10.6 LTS, or the newer 1-year releases such as 10.7 or 10.8, etc., until the next LTS version, import the official repository to match your desired version.

NOTE IF YOU INSTALL THE LATEST BLEEDING EDGE MARIADB SUCH AS 10.7/10.8 AT THE TIME OF THIS TUTORIAL, YOU WILL NEED TO MAKE SURE YOU HAVE EITHER THE RC VERSION (BETA) OR LATEST phpMyAdmin AT ALL TIMES.

Option 1 – Import MariaDB 10.5

curl -LsS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup | sudo bash -s -- --mariadb-server-version=10.5

Option 2 – Import MariaDB 10.6

curl -LsS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup | sudo bash -s -- --mariadb-server-version=10.6

Option 3 – Import MariaDB 10.7

curl -LsS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup | sudo bash -s -- --mariadb-server-version=10.7

Option 4 – Import MariaDB 10.8

curl -LsS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup | sudo bash -s -- --mariadb-server-version=10.8

Example if imported successfully (Example with MariaDB 10.7):

How to Install phpMyAdmin with LEMP on Debian 11 Bullseye

The best recommendation is to import MariaDB 10.6 LTS with MariaDB.org for the latest features and the best compatibility/stability.

For users who have already installed MariaDB, you will notice that upgrades will now be available. If not, run the standard installation command.

sudo apt install mariadb-server mariadb-client -y

Do not upgrade; run the installation command to ensure all dependencies are installed.

For users that have upgraded from a different version of MariaDB, for example, 10.5 to 10.7, make sure to upgrade your database using the following command.

sudo mariadb-upgrade

In time newer release versions will no doubt be available, check here and use the same command as above and change mariadb-server-version={version} to what you would like, for example, 10.9, 10.10, etc.

Lastly, make sure MariaDB is working correctly by checking its status just as you did with Nginx.

sudo systemctl status mariadb

Example output (With MariaDB 10.7):

How to Install phpMyAdmin with LEMP on Debian 11 Bullseye

Run MariaDB Security Script

When installing MariaDB fresh, default settings are considered weak by most standards and cause concern for potentially allowing intrusion or exploiting hackers. A solution is to run the installation security script with the MariaDB installation.

First, use the following command to launch the (mysql_secure_installation):

sudo mysql_secure_installation

Next, follow below:

  • Setting the password for root accounts.
  • Removing root accounts that are accessible from outside the local host.
  • Removing anonymous-user accounts.
  • Removing the test database, which by default can be accessed by anonymous users.

Note, you use (Y) to remove everything.

Example:

[joshua@debian-11 ~]$ sudo mariadb-secure-installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
haven't set the root password yet, you should just press enter here.

Enter current password for root (enter for none): 
OK, successfully used password, moving on...

Setting the root password or using the unix_socket ensures that nobody
can log into the MariaDB root user without the proper authorisation.

You already have your root account protected, so you can safely answer 'n'.

Switch to unix_socket authentication [Y/n] Y <---- Type Y then press the ENTER KEY.
Enabled successfully!
Reloading privilege tables..
 ... Success!


You already have your root account protected, so you can safely answer 'n'.

Change the root password? [Y/n] Y <---- Type Y then press the ENTER KEY.
New password: 
Re-enter new password: 
Password updated successfully!
Reloading privilege tables..
 ... Success!


By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] Y <---- Type Y then press the ENTER KEY.
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] Y <---- Type Y then press the ENTER KEY.
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] Y <---- Type Y then press the ENTER KEY.
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] Y <---- Type Y then press the ENTER KEY.
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!

Install PHP – LEMP Stack

Lastly, install the PHP service for the LEMP stack, which will act as the middle man between Nginx and MariaDB. PHP archives this with the PHP-FPM service and some additional modules required by phpMyAdmin.

Debian users can install the standard PHP version. However, for PHP, I would strongly recommend installing similar to Nginx Ondrey Sury repository, which is the maintainer for PHP for Debian, this way, you will get the latest version with not just security updates but performance improvements.

The first step is to import and install the GPG key and repository, which can be done using an automated script initiated by the curl command. In your terminal, use the following command.

Import PHP Repository & GPG Key

curl -sSL https://packages.sury.org/php/README.txt | sudo bash -x

Next, refresh your APT repository list to reflect the changes.

sudo apt update

After running the update command, you may notice some packages require updating, make sure to do this before continuing.

sudo apt upgrade

Install PHP (PHP-FPM)

The next step is to install PHP and PHP-FPM and the required modules. Currently, I suggest installing PHP 8.0 or 8.1 as 7.4 is considered very old. However, three options will be presented.

If unsure, for now, choose 8.0 as is my recommendation; however, I personally use 8.1 with my phpMyAdmin without an issue.

Option 1 – Install PHP 7.4

sudo apt install php7.4-fpm php7.4-mbstring php7.4-bcmath php7.4-xml php7.4-mysql php7.4-common php7.4-gd php7.4-cli php7.4-curl php7.4-zip php7.4-gd -y

Option 2 – Install PHP 8.0 (Recommended)

sudo apt install php8.0-fpm php8.0-mbstring php8.0-bcmath php8.0-xml php8.0-mysql php8.0-common php8.0-gd php8.0-cli php8.0-curl php8.0-zip php8.0-gd -y

Option 3 – Install PHP 8.1 (Recommended)

sudo apt install php8.1-fpm php8.1-mbstring php8.1-bcmath php8.1-xml php8.1-mysql php8.1-common php8.1-gd php8.1-cli php8.1-curl php8.1-zip php8.1-gd -y

Just be aware if unsure, you can install all three PHP versions side by side, and just the Nginx server block, which I will show you later on. Just make sure to disable any php-fpm services not needed for performance and security purposes.

Once installed, verify the same as you did with the MariaDB service that it is enabled and working without any errors.

systemctl status php{version}-fpm

Example output (With PHP 8.1-FPM:

How to Install phpMyAdmin with LEMP on Debian 11 Bullseye

If the server has not been activated, use the following command to do this and have MariaDB started on reboot.

sudo systemctl enable php{version}-fpm --now

Install phpMyAdmin

By default, Debian 11 repository comes with phpMyAdmin and the required dependencies. However, as often with Debian are LTS releases, the version and build are far behind what is currently available from the source, and you cannot install the upstream release candidate/beta releases.

So as you would have gathered by now, the tutorial will install the latest version as follows.

Create phpMyAdmin Username SuperUser

By default, you can log in with the root user on phpMyAdmin. However, it is always better to create a superuser; just like you would for Linux, sudo users are preferred over using root, so it’s the same sort of logic.

First, log in to the terminal interface.

sudo mysql -u root

Next, create a database in the MariaDB terminal:

CREATE USER PMAUSER IDENTIFIED BY 'password here change';

Now you need to create a user and grant permissions as follows:

GRANT ALL PRIVILEGES ON *.* TO 'PMAUSER'@'localhost' IDENTIFIED BY 'password here change' WITH GRANT OPTION;

Remember to change the ‘password here change,’ do not blindly copy, please.

To finish off, flush the privileges for changes to take effect.

FLUSH PRIVILEGES;

Now exit with the following command.

QUIT;

Download phpMyAdmin Latest Source Version

Downloading the latest version of phpMyAdmin is straightforward; visit the phpMyAdmin downloads page to find the newest version number.

Next, execute the following codes to automatically download all language’s latest versions.

At the time of the tutorial, 5.1.3 is the latest version, so this should be in the downloaded output; remember, in time, this version will change; however, the command will be the same!

DATA="$(wget https://www.phpmyadmin.net/home_page/version.txt -q -O-)"
URL="$(echo $DATA | cut -d ' ' -f 3)"
VERSION="$(echo $DATA | cut -d ' ' -f 1)"
wget https://files.phpmyadmin.net/phpMyAdmin/${VERSION}/phpMyAdmin-${VERSION}-all-languages.tar.gz

Example output:

How to Install phpMyAdmin with LEMP on Debian 11 Bullseye

If you want to download the English version, substitute the end line with the following:

wget https://files.phpmyadmin.net/phpMyAdmin/${VERSION}/phpMyAdmin-${VERSION}-english.tar.gz

Next, extract the archive using the following command:

tar xvf phpMyAdmin-${VERSION}-all-languages.tar.gz

Configure phpMyAdmin

The next step is to move all the extracted files to their final destination, in the standard /var/www/ directory location using the mv command.

sudo mv phpMyAdmin-*/ /var/www/phpmyadmin

By default, phpMyAdmin does not come with a TMP directory when installing from source, and you need to create this manually:

sudo mkdir -p /var/www/phpmyadmin/tmp

In the phpMyAdmin directory, a default configuration-example file is included. You will need to rename this file for phpMyAdmin to recognize the configuration.

However, for backup, you will use the CP command to create a copy and keep the default as a backup if any mistakes are made in the location /var/www/phpmyadmin/ directory.

Copy config.sample.inc.php to config.inc.php with the following command:

sudo cp /var/www/phpmyadmin/config.sample.inc.php /var/www/phpmyadmin/config.inc.php

Next, open this file using your preferred text editor. For the tutorial, the nano text editor is used.

sudo nano /var/www/phpmyadmin/config.inc.php

phpMyAdmin uses a Blowfish cipher. Scroll down to the line that begins with $cfg[‘blowfish_secret’].

The lines will look like for example:

$cfg['blowfish_secret'] = ''; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */

You will need to assign a string of 32 random characters between the single quote marks. The easiest way to achieve this is using the program pwgen.

To install the pwgen package, use the following terminal command:

sudo apt install pwgen -y

Once installed, run the following command:

pwgen -s 32 1

You will then get your 32 random characters for the blowfish secret, example output:

How to Install phpMyAdmin with LEMP on Debian 11 Bullseye

Example of adding the cipher to the configuration file (Do not copy):

$cfg['blowfish_secret'] = 'K8ZEWW6NZ6OhLFbs5m19YqDB932EyGRq'

Example in the configuration file:

How to Install phpMyAdmin with LEMP on Debian 11 Bullseye

The rest of the default settings should work for most users.

If your da is located on another server located in your network, find and change the line $cfg[‘Servers’][$i][‘host’] = to that of the private IP address. Example below:

$cfg['Servers'][$i]['host'] = '192.168.55.101';

Change 192.168.55.101 to the IP address of the host server of your external host server.

Set phpMyAdmin File Permissions

Next, you must set the directory owner permissions to www-user for compatibility and security.

Set chown permission (important):

sudo chown -R www-data:www-data /var/www/phpmyadmin/

Set chmod permission (important):

sudo find /var/www/phpmyadmin/ -type d -exec chmod 755 {} \;
sudo find /var/www/phpmyadmin/ -type f -exec chmod 644 {} \;

Create Nginx Server Block for phpMyAdmin

To access the phpMyAdmin web interface, you must create an Nginx server block. It is highly recommended to keep this separate, and on a sub-domain, you can name it anything you like to help with security and brute force attacks.

First, create and open your server block using nano text editor as follows:

sudo nano /etc/nginx/sites-available/phpmyadmin.conf

Next, you can paste the below text into the file. Note, you must replace the domain URL with your own:

server {
  listen 80;
  listen [::]:80;
  server_name pma.example.com;
  root /var/www/phpmyadmin/;
  index index.php index.html index.htm index.nginx-debian.html;

  access_log /var/log/nginx/phpmyadmin_access.log;
  error_log /var/log/nginx/phpmyadmin_error.log;

  location / {
    try_files $uri $uri/ /index.php;
  }

  location ~ ^/(doc|sql|setup)/ {
    deny all;
  }

  location ~ \.php$ {
    fastcgi_pass unix:/run/php/php8.1-fpm.sock;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
    include snippets/fastcgi-php.conf;
  }

  location ~ /\.ht {
    deny all;
  }
}

Some notes down on the above example.

  • /run/php/php8.1-fpm.sock; – This must be changed to 8.0, 7.4 etc if using a different PHP-FPM version.
  • root /var/www/phpmyadmin/; – This is the path set in the tutorial, change this if you set phpMyAdmin elsewhere.

If you are the only one accessing this from a static IP address, you can add the following code above the first location entry. An example of this is below:

  allow <your ip address>;
  deny all; 

  location / {
    try_files $uri $uri/ /index.php;
  }
...........................................

This will naturally block anyone visiting the page with a 403 error unless allowed by your IP address. This, by nature, can stop all brute attacks in their tracks, but maybe not viable for some setups.

Now save using (CTRL+O) and exit with (CTRL+X).

Next, create a symlink from sites-available where the configuration file is contained to link then sites-enabled.

sudo ln -s /etc/nginx/sites-available/phpmyadmin.conf /etc/nginx/sites-enabled/

Before you restart the Nginx service, always do a dry run test, especially in live environments, to ensure the server block or whatever changes you have made to your configuration files do not cause Nginx to error.

sudo nginx -t

If you have no errors, you should get the following output:

How to Install phpMyAdmin with LEMP on Debian 11 Bullseye

Now restart your Nginx service for changes to take effect:

sudo systemctl restart nginx

Accessing the phpMyAdmin Web UI

To access the Web Interface, open your preferred Internet Browser and type in pma.example.com with (example) your domain. You should come to the login screen of phpMyAdmin as follows:

Use the PMAUSER superuser you created, or if you skipped that, use the root account.

Example (Click Image To Expand):

How to Install phpMyAdmin with LEMP on Debian 11 Bullseye

Enter your login details, then go forward into your phpMyAdmin dashboard.

Example (Click Image To Expand):

How to Install phpMyAdmin with LEMP on Debian 11 Bullseye

And that is it, and you have successfully installed the latest version of phpMyAdmin using LEMP. Alternatively, you can highly customize this installation. For instance, you can grab the latest beta or install different variations of LEMP with newer or older releases of Nginx, MariaDB, and PHP-FPM.

Some other things worth noting for users fresh to phpMyadmin is the stats page.

Example (Click Image To Expand):

How to Install phpMyAdmin with LEMP on Debian 11 Bullseye

Example of Advisor (Click Image To Expand):

How to Install phpMyAdmin with LEMP on Debian 11 Bullseye

Note, the advisor recommends 24 hours, I believe this should be 72 hours at minimum and do not take the advisor page as word of it and implement changes and walk away, fine-tuning any MySQL or MariaDB configuration file takes time, and much editing/testing to get the perfect optimization.

Secure phpMyAdmin with Let’s Encrypt SSL Free Certificate

Ideally, you would want to run your Nginx on HTTPS using an SSL certificate. The best way to do this is to use Let’s Encrypt, a free, automated, and open certificate authority run by the nonprofit Internet Security Research Group (ISRG).

First, install the certbot package as follows:

sudo apt install python3-certbot-nginx -y

Once installed, run the following command to start the creation of your certificate:

sudo certbot --nginx --agree-tos --redirect --hsts --staple-ocsp --email you@example.com -d www.example.com

During the certificate installation, you will get a notice to receive emails from EFF(Electronic Frontier Foundation). Choose either Y or N then your TLS certificate will be automatically installed and configured for you.

This ideal setup includes force HTTPS 301 redirects, a Strict-Transport-Security header, and OCSP Stapling. Just make sure to adjust the e-mail and domain name to your requirements.

Now your URL will be HTTPS://www.example.com instead of HTTP://www.example.com.

If you use the old HTTP URL, it will automatically redirect to HTTPS.

Optionally, you can set a cron job to renew the certificates automatically. Certbot offers a script that does this automatically, and you can first test to make sure everything is working by performing a dry run.

sudo certbot renew --dry-run

If everything is working, open your crontab window using the following terminal command.

sudo crontab -e

Next, please specify the time when it should auto-renew. This should be checked daily at a minimum, and if the certificate needs to be renewed, the script will not update the certificate. If you need help finding a good time to set, use the crontab.guru free tool.

00 00 */1 * * /usr/sbin/certbot-auto renew

That’s it, and you have installed SSL on your phpMyAdmin area. A great idea will be to test using a free SSL test such as DigiCert or SSL Labs.

Comments and Conclusion

In the tutorial, you have learned how to install the required software dependencies and download and create the correct directories for phpMyAdmin from the source on Debian 11 Bullseye.

Overall, using phpMyAdmin is an excellent tool for any database management. You can easily create databases, users, tables and perform the usual operations like deleting and modifying structures and data in a clean Web UI interface instead of the default terminal.

Please be careful with using phpMyadmin; you can do some severe damage and, if not secured, can cause a significant security problem. To find more information, visit the official documentation.



Follow LinuxCapable.com!

Like to get automatic updates? Follow us on one of our social media accounts!