How to secure PhpMyAdmin on your local network
If you're developing web applications on a *AMP stack then you may well have PhpMyAdmin installed, even if you're not using it to manage your databases. Unlike your deployed websites, your local ones are not advertising their existence, but they may still contain sensitive data. When did you last take an SQL dump from a production website to debug on your development machine?
How secure is your local MySQL server?
Let's test how accessible that data is. First, get the IP address of your computer on the local network. I'm on Linux so I did that by running the ifconfig program. Armed with that IP address, you can then try using it from another computer, but you don't have to.
I tried connecting to the local MySQL server as the root user through the command line:
$ mysql -uroot -p
Enter password:
Welcome to the MySQL monitor...
Yep, that worked. Then I tried it through the "loopback" interface:
$ mysql -h127.0.0.1 -uroot -p
Enter password:
Welcome to the MySQL monitor...
Yep, that worked too. Finally I tried it through my computer's IP address on the local network (192.168.0.1 in this example):
$ mysql -h192.168.0.1 -uroot -p
Enter password:
ERROR 2003 (HY000): Can't connect to MySQL server on '192.168.0.1' (111)
Nope. It looks like MySQL is secured against remote login on my computer. Good.
How secure is your local PhpMyAdmin?
Unlike database servers, web servers are generally intended to be visible to the world. That means that remote login to your MySQL server may still be possible through PhpMyAdmin. You are probably used to pointing your web browser at:
Or, if you're more of a numbers person:
But try again using your IP address on the local network and you'll probably get exactly the same result:
I'm on a large network shared with other business units so I wasn't keen on this behaviour. I might rarely use my laptop in a public network and I definitely wouldn't want my database management login screen to be accessible then.
I very quickly found a solution on the Ubuntu forums and modified the Apache configuration for PhpMyAdmin. On my Ubuntu-based computer, that's:
Here I added the emboldened lines:
<Directory /usr/share/phpmyadmin>
    Order Deny,Allow
    Deny from All
    Allow from 127.0.0.1
    Options Indexes FollowSymLinks
    DirectoryIndex index.php
</Directory>
After reloading my Apache configuration, navigating to 192.168.0.1/phpmyadmin gives me a very satisfying
Edit: I recently upgraded to Apache 2.4, which meant that I needed to change the config file. It now looks like this:
<Directory /usr/share/phpmyadmin>
    Require ip 127.0.0.1
    Options Indexes FollowSymLinks
    DirectoryIndex index.php
</Directory>
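To confirm that the PhpMyAdmin block really admits loopback clients only, in either the Apache 2.2 or the 2.4 syntax shown above, here is a small config check (an added example, not part of the original post). The names audit_directory and is_loopback and the sample configs are constructed for illustration, and the check assumes that a block with no access rule of its own inherits an open rule from its parent, so it is reported as exposed.

```python
import ipaddress
import re

def is_loopback(token):
    """True if token is an IP or CIDR that lies wholly in loopback space."""
    try:
        return ipaddress.ip_network(token, strict=False).is_loopback
    except ValueError:  # hostname or partial address such as "192.168"
        return False

def audit_directory(conf, path="/usr/share/phpmyadmin"):
    """Return 'missing', 'exposed' or 'loopback-only' for <Directory path>.

    'loopback-only' means the block admits no non-loopback address.
    """
    block = re.search(r"<Directory\s+\"?" + re.escape(path) + r"/?\"?\s*>(.*?)</Directory>",
                      conf, re.S | re.I)
    if block is None:
        return "missing"
    allowed, restricted = [], False
    for line in block.group(1).splitlines():
        words = line.split()
        key = [w.lower() for w in words]
        if key[:3] == ["require", "all", "granted"] or key[:3] == ["allow", "from", "all"]:
            return "exposed"
        if key[:2] == ["require", "ip"]:        # Apache 2.4 syntax
            allowed += words[2:]
            restricted = True
        elif key[:2] == ["allow", "from"]:      # Apache 2.2 syntax
            allowed += words[2:]
        elif key[:3] == ["deny", "from", "all"]:
            restricted = True                   # 2.2 needs an explicit default deny
    if restricted and all(is_loopback(a) for a in allowed):
        return "loopback-only"
    return "exposed"

# Constructed samples: a block with no access rule, the two hardened forms
# from the post, and a variant that also lets the local network in.
STOCK = """<Directory /usr/share/phpmyadmin>
    Options Indexes FollowSymLinks
    DirectoryIndex index.php
</Directory>"""
APACHE_22 = STOCK.replace("Options", "Order Deny,Allow\n    Deny from All\n    Allow from 127.0.0.1\n    Options")
APACHE_24 = STOCK.replace("Options", "Require ip 127.0.0.1\n    Options")
LAN_OPEN = STOCK.replace("Options", "Require ip 127.0.0.1 192.168.0.0/24\n    Options")

if __name__ == "__main__":
    for name in ("STOCK", "APACHE_22", "APACHE_24", "LAN_OPEN"):
        print(name, audit_directory(globals()[name]))
```

The check also accepts ::1, so a config that adds the IPv6 loopback address still passes. Hostnames and partial addresses are treated as non-loopback, which errs on the side of reporting exposure.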