NGINX Server Configuration Guide

Section 18: phpMyAdmin Installation & Log Rotation Management

๐Ÿ“‹ Overview

This comprehensive guide covers the installation and secure configuration of phpMyAdmin on your NGINX server, along with implementing proper log rotation policies to prevent disk space issues. These procedures are essential for maintaining a secure, efficient, and well-managed server environment.

๐Ÿ” Part 1: phpMyAdmin Installation & Security Configuration

1Generate Random Passwords

First, we'll generate secure random passwords for database access:

cat /dev/urandom | tr -dc 'a-za-z0-9' | fold -w 12 | head -n 3
Command Breakdown:
  • cat /dev/urandom - Reads random data from the system's random number generator
  • tr -dc 'a-za-z0-9' - Filters to keep only alphanumeric characters
  • fold -w 12 - Creates 12-character segments
  • head -n 3 - Displays the first 3 passwords generated

2Create Database Administrator User

Access MySQL and create a privileged user for phpMyAdmin:

sudo mysql
GRANT ALL ON *.* TO 'dbadmin'@'localhost' IDENTIFIED BY 'Cb7VogmHUwn6' WITH GRANT OPTION; flush privileges;
โš ๏ธ Security Note: Replace 'Cb7VogmHUwn6' with your own generated password. Never use example passwords in production environments.

3Verify NGINX Configuration

Test and reload NGINX to ensure proper operation:

sudo nginx -t
sudo systemctl reload nginx

4Create HTTP Authentication Password

Navigate to the NGINX includes directory and create an encrypted password:

cd /etc/nginx/includes
openssl passwd
Password: w9sv5hu98q0i Verifying - Password: $1$lSmswTO8$tv.unS.4n68fH.yrV0WHR0
The output hash ($1$lSmswTO8$tv.unS.4n68fH.yrV0WHR0) will be used for HTTP basic authentication.

5Create Authentication File

Store the username and encrypted password:

sudo nano pma_userpass
andrew:$1$lSmswTO8$tv.unS.4n68fH.yrV0WHR0

6Install phpMyAdmin

Update package lists and install phpMyAdmin:

sudo apt update
sudo apt install phpmyadmin

7Create Symbolic Link with Random Path

For security, create a symbolic link with a random, hard-to-guess path:

sudo ln -s /usr/share/phpmyadmin /var/www/html/V2th1pchBI71
Security Benefit: Using a random path (V2th1pchBI71) instead of the default /phpmyadmin makes it much harder for attackers to find your phpMyAdmin installation.

8Configure NGINX Access Rules

Create a configuration file with multi-layered security:

sudo nano /etc/nginx/includes/pma.conf
location ^~ /V2th1pchBI71 { # CONDITIONS satisfy all; # HTTP AUTHENTICATION auth_basic "Sign In"; auth_basic_user_file /etc/nginx/includes/pma_username_password; # IP BASED ACCESS # if your IP changes, ssh to your server and use the last command # last -n3 (still logged in) is your IP address you need to add to allow allow your_IP_ADDRESS; deny all; try_files $uri $uri/ =404; location ~ \.php$ { include snippets/fastcgi-php.conf; fastcgi_pass unix:/run/php/php8.3-fpm.sock; include /etc/nginx/includes/fastcgi_optimize.conf; } }

๐Ÿ”’ Security Layers Diagram

1. Random URL Path
(V2th1pchBI71)
โ†’
2. IP Whitelist
(Your IP Only)
โ†’
3. HTTP Auth
(Username/Password)
โ†’
4. MySQL Login
(Database Credentials)

Four layers of security protect your phpMyAdmin installation

Important: Replace your_IP_ADDRESS with your actual IP address. To find your current IP when logged into the server, use: last -n3

9Include Configuration in Default Server Block

Add the phpMyAdmin configuration to your main NGINX configuration:

cd /etc/nginx/sites-available/
sudo nano default

Add this line inside the server block:

include /etc/nginx/includes/pma.conf;

10Test and Apply Configuration

sudo nginx -t
sudo systemctl reload nginx
โœ… Access phpMyAdmin: Open your browser and navigate to:
http://server_ip/V2th1pchBI71/

๐Ÿ“Š Part 2: Log Rotation Configuration

Why Log Rotation Matters

Your server uses log files to record all activity, from login attempts to file serving operations. Without proper management, these logs will grow indefinitely and eventually consume all available disk space, causing your server to crash. Log rotation is the automated process of managing these files through rotation, compression, and deletion.

๐Ÿ“ˆ Log Growth Problem & Solution

Without Log Rotation With Log Rotation
โœ— Logs grow continuously โœ“ Logs are rotated daily
โœ— Disk space fills up โœ“ Old logs are compressed
โœ— Server crashes โœ“ Logs deleted after 7 days
โœ— Difficult to find recent logs โœ“ Organized and manageable

Understanding Log Rotation Terms

1Configure Global Log Rotation Settings

Navigate to the configuration directory:

cd /etc/

Create a backup before making changes:

sudo cp logrotate.conf logrotate.conf.back

Edit the main configuration file:

sudo nano logrotate.conf
# CHANGE FROM: weekly rotate 4 #compress # CHANGE TO: daily rotate 7 compress
Configuration Changes Explained:
  • weekly โ†’ daily: Rotate logs every day instead of weekly
  • rotate 4 โ†’ rotate 7: Keep 7 days of logs instead of 4 weeks
  • Uncomment compress: Enable compression to save disk space
  • create: Automatically create new empty log files after rotation

2Configure Service-Specific Log Rotation

Navigate to the service-specific configurations:

cd /etc/logrotate.d/
ls

You'll see individual configuration files for various services. We'll modify these key files:

Service Purpose Recommended Settings
fail2ban Security log for blocked IPs daily, rotate 3
nginx Web server access and error logs daily, rotate 3
rsyslog System logging daemon daily, rotate 3
ufw Firewall logs daily, rotate 3

Edit Individual Service Files

For each service file, change weekly to daily and set rotate to 3:

sudo nano fail2ban
sudo nano nginx
sudo nano rsyslog
sudo nano ufw
Override Behavior: These service-specific configurations will override the global settings in logrotate.conf. This allows you to customize retention periods for different services. For example, you might want to keep NGINX logs longer than UFW firewall logs.

3Verify Configuration

Test your log rotation configuration without actually rotating files:

sudo logrotate -d /etc/logrotate.conf
The -d flag runs in debug mode, showing what would happen without making actual changes.

๐Ÿงน Part 3: Clean Up Default NGINX Configuration

Optimize Default Server Block

Edit the default NGINX configuration to improve security and performance:

cd /etc/nginx/sites-available/
sudo nano default

Recommended Changes:

server { listen 80 default_server; root /var/www/html; index index.php; server_name _; location / { try_files $uri $uri/ =404; return 444; } }
Security Enhancement: The return 444; directive closes the connection without sending a response when someone tries to access your server directly via IP address. This helps prevent reconnaissance attacks and reduces unwanted traffic.

Apply Changes

sudo nginx -t
sudo systemctl reload nginx

๐Ÿ“š Summary & Best Practices

Configuration Checklist

Component Status Key Features
phpMyAdmin โœ“ Configured 4-layer security, random URL, IP whitelisting
Log Rotation โœ“ Configured Daily rotation, 7-day retention, compression enabled
NGINX Default โœ“ Optimized Clean config, IP access blocked

โœ… What You've Accomplished

  • Installed and secured phpMyAdmin with multiple authentication layers
  • Implemented proper log rotation to prevent disk space issues
  • Configured service-specific log retention policies
  • Optimized NGINX default configuration for better security
  • Set up automated log compression and cleanup

โš ๏ธ Important Reminders

  • Keep your phpMyAdmin URL path (V2th1pchBI71) confidential
  • Update the IP whitelist when your IP address changes
  • Regularly change database and HTTP authentication passwords
  • Monitor disk space usage even with log rotation enabled
  • Review log files periodically for security incidents

๐Ÿ”„ Next Steps

With phpMyAdmin secured and log rotation configured, your server is ready to host additional sites. The next section will cover hosting multiple sites using domain names and subdomains on your NGINX server.