In this post, I will guide you to install PHPMyAdmin on a Compute Engine VM Instance and connect it to Cloud SQL.
Prerequisites
- Your Compute Engine Instance running.
- For setting up Compute Engine, see the Setting up Compute Engine Instance.
- For installing Nginx and PHP, see how to install LEMP in Compute Engine Instance.
- Google Cloud SQL Setup, see Setup Cloud SQL and connect with Compute Engine.
Make sure your VM Instance IP address is static and authorized for connections in Cloud SQL
Setup your website
Your website will be located in the home directory and have the following structure
Replace yourdomainname.com
with your original domain name.
home
-- yourdomainname.com
---- logs
---- public
The public
directory is your website’s root directory and logs
directory for your error logs
Now we create these directories and set correct permissions
You need to SSH into your VM Instance and run these commands
mkdir -p yourdomainname.com/logs yourdomainname.com/public sudo chmod -R 755 yourdomainname.com
NGINX Set up
Now create a new Nginx configuration for your website in the sites-available
directory
sudo nano /etc/nginx/sites-available/yourdomainname.com
Copy and paste the following configuration, ensure that you change the server_name, error_log and root directives to match your domain name. Hit CTRL+X
followed by Y
to save the changes.
server { listen 80; listen [::]:80; server_name yourdomainname.com www.yourdomainname.com; error_log /home/username/yourdomainname.com/logs/error.log; root /home/username/yourdomainname.com/public/; index index.html index.php; location / { try_files $uri $uri/ /index.php?$args; } location ~ \.php$ { try_files $uri =404; fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass unix:/run/php/php7.2-fpm.sock; fastcgi_index index.php; include fastcgi_params; } }
To enable this newly created website configuration, symlink the file that you just created into the sites-enabled
directory.
sudo ln -s /etc/nginx/sites-available/yourdomainname.com /etc/nginx/sites-enabled/yourdomainname.com
Check your configuration and restart Nginx for the changes to take effect
sudo nginx -t sudo service nginx restart
Create SSL certificate and enable HTTP/2
HTTPS
HTTPS is a protocol for secure communication between a server (instance) and a client (web browser). Due to the introduction of Let’s Encrypt, which provides free SSL certificates, HTTPS are adopted by everyone and also provides trust to your audiences.
HTTP/2
HTTP/2 is the latest version of the HTTP protocol and can provide a significant improvement to the load time of your sites. There really is no reason not to enable HTTP/2, the only requirement is that the site must use HTTPS.
sudo add-apt-repository ppa:certbot/certbot sudo apt-get update sudo apt-get install python-certbot-nginx
Now we have installed Certbot by Let’s Encrypt for Ubuntu 18.04, run this command to receive your certificates.
sudo certbot --nginx certonly
Enter your email
and agree to the terms and conditions, then you will receive the list of domains you need to generate SSL certificate.
To select all domains simply hit Enter
The Certbot client will automatically generate the new certificate for your domain. Now we need to update the Nginx config.
Redirect HTTP Traffic to HTTPS with www in Nginx
Open your site’s Nginx configuration file add replace everything with the following. Replacing the file path with the one you received when obtaining the SSL certificate. The ssl_certificate directive
should point to your fullchain.pem file, and the ssl_certificate_key
directive should point to your privkey.pem file.
server { listen [::]:80; listen 80; server_name yourdomainname.com www.yourdomainname.com; # redirect http to https www return 301 https://www.yourdomainname.com$request_uri; } server { listen [::]:443 ssl http2; listen 443 ssl http2; server_name yourdomainname.com; ssl_certificate /etc/letsencrypt/live/yourdomainname.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/yourdomainname.com/privkey.pem; root /home/username/yourdomainname.com/public/; index index.html index.php; # redirect https non-www to https www return 301 https://www.yourdomainname.com$request_uri; } server { listen [::]:443 ssl http2; listen 443 ssl http2; server_name www.yourdomainname.com; ssl_certificate /etc/letsencrypt/live/yourdomainname.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/yourdomainname.com/privkey.pem; error_log /home/username/yourdomainname.com/logs/error.log; root /home/username/yourdomainname.com/public/; index index.html index.php; location / { try_files $uri $uri/ /index.php?$args; } location ~ \.php$ { try_files $uri =404; fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass unix:/run/php/php7.2-fpm.sock; fastcgi_index index.php; include fastcgi_params; add_header Content-Security-Policy "img-src * 'self' data: blob: https:; default-src 'self' https://*.googleapis.com https://*.googletagmanager.com https://*.google-analytics.com https://s.ytimg.com https://www.youtube.com https://www.yourdomainname.com https://*.googleapis.com https://*.gstatic.com https://*.gravatar.com https://*.w.org data: 'unsafe-inline' 'unsafe-eval';" always; add_header X-Xss-Protection "1; mode=block" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header Access-Control-Allow-Origin "https://www.yourdomainname.com"; add_header Referrer-Policy "origin-when-cross-origin" always; add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"; } }
The http2
value is all that is needed to enable the HTTP/2 protocol.
Now you have enabled SSL Hardening, created a Content Security Policy, X-XSS-Protection, Clickjacking, MIME Sniffing, Referrer Policy, Access Control Allow Origin.
These are some Nginx security tweaks by closing all areas of attacks.
Hit CTRL+X
followed by Y
to save the changes.
Check your configuration and restart Nginx for the changes to take effect.
sudo nginx -t sudo service nginx restart
Renewing SSL Certificate
Certificates provided by Let’s Encrypt are valid for 90 days only, so you need to renew them often. Now you set up a cronjob to check for the certificate which is due to expire in next 30 days and renew it automatically.
sudo crontab -e
Add this line at the end of the file
0 0,12 * * * certbot renew >/dev/null 2>&1
Hit CTRL+X
followed by Y
to save the changes.
This cronjob will attempt to check for renewing the certificate twice daily.
Download & Install PHPMyAdmin
Go to Compute Engine >> VM Instances and click the SSH button in your Instance to open the terminal in a new browser window
Once you are in SSH execute the following commands to download and install PHPMyAdmin
cd /usr/share wget https://files.phpmyadmin.net/phpMyAdmin/4.8.3/phpMyAdmin-4.8.3-all-languages.zip sudo unzip phpMyAdmin-4.8.3-all-languages.zip sudo mv phpMyAdmin-4.8.3-all-languages phpmyadmin sudo rm -f phpMyAdmin-4.8.3-all-languages.zip sudo mkdir tmp sudo chmod -R 777 tmp
Now PHPMyAdmin is installed and tmp
directory is configured for cache
Configure PHPMyAdmin for Cloud SQL
Now create a configuration file and add the details of your Cloud SQL Instance
cd phpmyadmin sudo cp config.sample.inc.php config.inc.php sudo nano config.inc.php
In your web browser open the blowfish secret generator
Copy the generated blowfish secret (Be careful to copy the generated not the example)
Now paste it in the $cfg['blowfish_secret']
Next, update the Server Configuration with the below. Make sure you replace the CLOUD_SQL_INSTANCE_IP_ADDRESS
with your Cloud SQL Instance IP address
$i++; $cfg['Servers'][$i]['verbose'] = 'Google Cloud SQL'; $cfg['Servers'][$i]['host'] = 'CLOUD_SQL_INSTANCE_IP_ADDRESS'; $cfg['Servers'][$i]['port'] = '3306'; $cfg['Servers'][$i]['socket'] = ''; $cfg['Servers'][$i]['connect_type'] = 'tcp'; $cfg['Servers'][$i]['extension'] = 'mysqli'; $cfg['Servers'][$i]['auth_type'] = 'cookie'; $cfg['Servers'][$i]['AllowNoPassword'] = false; $cfg['Servers'][$i]['ssl'] = true; $cfg['Servers'][$i]['ssl_key'] = '/etc/letsencrypt/live/yourdomainname.com/privkey.pem'; $cfg['Servers'][$i]['ssl_cert'] = '/etc/letsencrypt/live/yourdomainname.com/fullchain.pem'; $cfg['Servers'][$i]['ssl_verify'] = false; $cfg['TempDir'] = '/usr/share/tmp';
Hit Ctrl+X
followed by Y
to save the file
Symlink the phpmyadmin folder to your web root directory
sudo ln -s /usr/share/phpmyadmin /home/username/yourdomainname.com/public
Now visit your domain name in the bowser followed by phpmyadmin (https://www.yourdomainname.com/phpmyadmin/)
.
Enter username as root
and password that you set in Cloud SQL for the root user.
Now you can use PHPMyAdmin to manage your Google Cloud SQL