There is no indication that the phpMyAdmin login screen is secure.

[IT_Architect]

When you type: http://mydomain.com/phpmyadmin and it pops up the login screen, the browser does not indicate it is secure until AFTER you cancel and it pops back to the page when it says it failed. I do not see any procedures here on site to secure it, but it does need it, so I added custom and a .htaccess as well as placing the $cfg['ForceSSL'] = true at the bottom of config.inc.php. Judging by the behavior and DA's option to have it exposed publicly, I'm guessing that DA intercepts the call and you never make it to phpMyAdmin and why the browser never shows a lock, but I don't know that nor do I find that documented anywhere, nor do I find any documentation to secure phpMyAdmiin like you see with RoundCube.

Thanks!

 

[Richard G]

That is odd.

I do not see any procedures here on site to secure it, but it does need it, so I added custom and a .htaccess as well as placing the $cfg['ForceSSL'] = true at the bottom of config.inc.php

There is no need for any custom configuration for that or changing .htaccess in the phpmyadmin directory (I would stay off that anyway).

If the Letsencrypt is installed correctly, also for the domain and hostname, you might only need to set in DA's domain setup for the domain the option "Force SSL with https redirect" or use a ssl redirect in the .htaccess of the domains public_html.

 

[IT_Architect]

My problems with that are I don't know if I want to "Force SSL with https redirect". If I don't, then I rely on the user. If I force it on the apps and login to the CP, then that information is protected. DirectAdmin has procedures for RoundCube for exactly this situation. I would think that should be the case for phpMyAdmin as well. If I put in the browser httpS//.mydomain.com/phpmyadmin, there will be no lock on the browser when the login screen pops up. So it doesn't mater if the site has a .htaccess in the root or "Force SSL with https redirect". The lock will not show. Thus, we need to know what is going on there, and whether they recommend we secure that like they tell us to secure RoundCube, and if not, why not.

 

[Richard G]

Seems something is wrong in your case. You have to study logs and see if you can find something there.
If there is an ssl certificate present for the domain then with https it should work
If not or you don't force it, then also with roundcube, you will not get a lock and you will not get a https connection when visiting via the browser.

Securing or not is a choice. If you want to do it for the user, you have to force them to use the hostname for roundcube and phpmyadmin. There is an option for that in directadmin.conf.

 

[IT_Architect]

Seems something is wrong in your case. You have to study logs and see if you can find something there.
If there is an ssl certificate present for the domain then with https it should work
If not or you don't force it, then also with roundcube, you will not get a lock and you will not get a https connection when visiting via the browser.

Securing or not is a choice. If you want to do it for the user, you have to force them to use the hostname for roundcube and phpmyadmin. There is an option for that in directadmin.conf.

- If you go to https://domain.com, you will get a lock and it will show a certificate.
- If you go to https://domain.com/phpmyadmi, you will not get a lock no matter if the domain has a certificate and whether or not you add ssl directly to phpmyadmin, and whether or not you typed https://. It won't work on your machines either. That login screen pops up before. If you enter your user name and password, when the login box disappears, it will load phpmyadmin with the lock. The question is, where does the login screen come from and how do I know it is secure?
- RoundCube works exactly as expected on the same domain. Even if you type http://domain.com/webmail, RoundCube will pop up with a lock from the get go so the user cannot sidestep the security by typing http:// like he can if you don't specifically set up RoundCube to require SSL.

 

[Richard G]

- If you go to https://domain.com/phpmyadmi, you will not get a lock no matter if the domain has a certificate and whether or not you add ssl directly to phpmyadmin, and whether or not you typed https://.

There is going something wrong. But I can't pinpoint it or reproduce it on any of the servers I administer. Have you tried with another browser already? Because it's odd that the lock does appear when entering the username and password.
Did you revert the config.php changes you made for phpmyadmin?

If all is well, the login screen comes from phpmyadmin itself which is installed in the /var/www/html directory.

Since Roundcube does work exactly as expected on the same domain, it seems a local problem or configuration issue to me. Or some bug somewhere. However, I can't reproduce your issue at this moment.

I will have another look if I can find another domain which does have the force https redirect in effect to see if I can reproduce it there. I will come back to you after testing (can take a while).

Maybe somebody else have a clue. But also try with another browser to see if that makes any difference.