
I am trying to configure phpMyAdmin on my server so that it is accessible only from localhost and not remotely. Below is the configuration on the server in /etc/phpmyadmin/apache.conf

 Alias /phpmyadmin /usr/share/phpmyadmin

 <Directory /usr/share/phpmyadmin>
   Order deny,allow
   Deny from all
   Allow from 127.0.0.1

   Options FollowSymLinks
   DirectoryIndex index.php

</Directory>

So, when I access phpMyAdmin remotely I get 403 Forbidden, which is good, but when I access phpMyAdmin from localhost (that is, from the server itself using remote desktop), I still get 403, whereas I think this should allow access to phpMyAdmin from localhost. Is there anything I am missing here?

Thank you

3 Answers


  1. My guess is you are using Apache 2.4.x. The syntax for access control changed between 2.2 and 2.4. The Order and Deny syntax you’re using is for Apache 2.2, but won’t work for 2.4. In 2.4 it would be something like:

    <Directory /usr/share/phpmyadmin>
        Require ip 127.0.0.1
        Options FollowSymLinks
        DirectoryIndex index.php
    </Directory>
    

    References: the Apache upgrade doc and the Access Control docs.

  2. I think this should work and make it so that you can only access it locally; it should be something like this, mostly:

    <Directory /usr/share/phpmyadmin>
        Require local
        # ...... other things (also, only copy the line Require local)
    </Directory>
    
  3. Logical mistake

    You are all making one big mistake, every one of you.

    phpMyAdmin is NOT a server; it’s just a client written as a PHP script and served by some HTTP server (Apache in this case).

    What you want(ed), and what others suggested, is to disable access to the phpMyAdmin vhost of the HTTP server, but it will still be possible to log in to the database with any other client, from the terminal’s mysql command to a GUI client like MySQL Workbench or an IDE’s built-in DB client. Where’s the logic?

    Of course, you can combine both techniques (securing HTTP and securing MySQL); however, without the second your database will still be unsafe. phpMyAdmin is just a client! It even has its own mechanisms for controlling access, but if someone uses any other client (mentioned above), your effort will be absolutely worthless.

    Solution:

    To handle your case you should create a dedicated MySQL account with localhost access (I can bet that at the moment of writing this post it is/was %, which means global); then MySQL will control all incoming connections and check whether they come from the local machine or from the world.

    Just don’t forget to remove the account with global access (%) and flush the privileges after all changes.

    Also, I always suggest creating exactly one user with all privileges on exactly one dedicated database (of course, other than root). That way, even if you are the only admin and work on many databases, you minimize the risk of accidental changes in other databases. (Pro tip: a good password manager will be your friendly ghost-guard.)

    I’d suggest googling it and getting an overall knowledge of this topic, as it’s quite crucial for DB security; however, it will also be enough if you implement the simple solution from the very first answer you find. Using a localhost restriction on MySQL, preferably together with blocking port 3306 on the firewall side, is a perfect solution for accessing your data with a locally installed phpMyAdmin script 100% securely (if that’s possible at all).

    Below is a cited answer from another post:

    -- Account names are 'user'@'host'. GRANT ... IDENTIFIED BY is MySQL 5.x syntax;
    -- on MySQL 8.0 run CREATE USER 'db_user'@'localhost' IDENTIFIED BY 'db_passwd';
    -- first and drop the IDENTIFIED BY clause from the GRANT.
    GRANT ALL PRIVILEGES ON *.* TO 'db_user'@'localhost' IDENTIFIED BY 'db_passwd';
    GRANT ALL PRIVILEGES ON *.* TO 'db_user'@'127.0.0.1' IDENTIFIED BY 'db_passwd';
    
    # my.cnf (e.g. /etc/mysql/my.cnf): listen on the loopback interface only
    [mysqld]
    bind-address = 127.0.0.1
    

    P.S. You don’t even need to write an SQL command for this; you can change it for each user with… phpMyAdmin.

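The account-side fix from answer 3, as an added example (not the answer's own code and not the cited post): a script that audits `mysql.user` for accounts reachable from a non-loopback host, emits the remediation in MySQL 8 syntax (`CREATE USER` plus `GRANT`, since `GRANT ... IDENTIFIED BY` is gone in 8.0), scoped to one database as the answer recommends, drops the wildcard-host account, and sets `bind-address`. It assumes a `mysql` client on PATH with admin credentials (for example root over `auth_socket`), a Debian-style `/etc/mysql/conf.d/` drop-in directory, and placeholder names `db_user`, `db_name` and `db_passwd`; the sample `mysql.user` listing is constructed for the audit function and is not real output from the poster's server.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits MySQL accounts for hosts other
# than loopback, emits the localhost-only remediation in MySQL 8 syntax, and
# binds the server to 127.0.0.1. Assumed: mysql client with admin rights on
# PATH, Debian-style /etc/mysql/conf.d/, placeholder user/db/password names.

# Prints "user@host" for every account whose host is not a loopback address.
# Input: tab-separated "user<TAB>host" lines, as produced by
#   mysql -N -B -e "SELECT user, host FROM mysql.user"
# '%' or a wildcard such as '10.0.0.%' means the account is reachable from
# wherever MySQL is listening, not just from this machine.
remote_reachable_accounts() {
    awk -F '\t' '
        $2 != "localhost" && $2 != "127.0.0.1" && $2 != "::1" { print $1 "@" $2 }
    '
}

# SQL for a localhost-only account limited to one database, replacing the
# wildcard-host account of the same name. $1 = user, $2 = database, $3 = password.
# The arguments are interpolated unescaped: use plain identifiers, no quotes.
hardening_sql() {
    cat <<EOF
CREATE USER IF NOT EXISTS '$1'@'localhost' IDENTIFIED BY '$3';
GRANT ALL PRIVILEGES ON \`$2\`.* TO '$1'@'localhost';
DROP USER IF EXISTS '$1'@'%';
FLUSH PRIVILEGES;
EOF
}

# Live audit against the local server.
audit() {
    mysql -N -B -e "SELECT user, host FROM mysql.user" | remote_reachable_accounts
}

# Apply the account change, then make the server listen on loopback only so the
# firewall rule for 3306 is a second layer rather than the only one. Needs root.
# The password passes through argv and is visible in `ps` while this runs.
apply() {
    hardening_sql "$1" "$2" "$3" | mysql
    printf '[mysqld]\nbind-address = 127.0.0.1\n' > /etc/mysql/conf.d/local-only.cnf
    systemctl restart mysql
}

# Constructed sample of `SELECT user, host FROM mysql.user` output, so the
# audit can be demonstrated without a server. Not real data.
SAMPLE="$(printf 'root\tlocalhost\nmysql.sys\tlocalhost\ndb_user\t%%\napp\t10.0.0.%%\nphpmyadmin\tlocalhost\n')"

case "${1:-}" in
    audit) audit ;;
    apply) shift; apply "$@" ;;
    *)     printf '%s\n' "$SAMPLE" | remote_reachable_accounts ;;
esac
```

Run with no arguments to see the audit over the sample (it reports `db_user@%` and `app@10.0.0.%`), then `audit` against the real server. Two caveats: `DROP USER` does not close sessions the dropped account already has open, so check `SHOW PROCESSLIST` afterwards; and `FLUSH PRIVILEGES` is only required after editing the grant tables directly, since `CREATE USER`, `GRANT` and `DROP USER` take effect immediately, but it is kept because the answer asks for it and it is harmless. If the server runs with `skip_name_resolve` and phpMyAdmin connects over TCP rather than the socket, a matching `'db_user'@'127.0.0.1'` account is needed as well, which is why the cited post grants to both hosts.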