How to secure PhpMyAdmin on your local network
If you're developing web applications on a *AMP stack then you may well have PhpMyAdmin installed, even if you're not using it to manage your databases. Unlike your deployed websites, your local ones are not advertising their existence, but they may still contain sensitive data. When did you last take an SQL dump from a production website to debug on your development machine?
How secure is your local MySQL server?
Let's test how accessible that data is. First, get the IP address of your computer on the local network. I'm on Linux, so I did that by running the ifconfig program. Armed with that IP address, you can then try using it from another computer, but you don't have to: the same tests can be run from the machine itself.
I tried connecting to the local MySQL server as the root user through the command line:
$ mysql -uroot -p
Enter password:
Welcome to the MySQL monitor...
Yep, that worked. Then I tried it through the "loopback" interface:
$ mysql -h127.0.0.1 -uroot -p
Enter password:
Welcome to the MySQL monitor...
Yep, that worked too. Finally I tried it through my computer's IP address on the local network (192.168.0.1 in this example):
$ mysql -h192.168.0.1 -uroot -p
Enter password:
ERROR 2003 (HY000): Can't connect to MySQL server on '192.168.0.1' (111)
Nope. Error 111 is "connection refused": nothing is listening on port 3306 at that address, which is what the default bind-address = 127.0.0.1 setting in my.cnf produces. It looks like MySQL is secured against remote login on my computer. Good.
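The three connection attempts above all probe one thing: which addresses the MySQL daemon has bound port 3306 to. The script below is an added example, not part of the original post; it reads the listener table the way ss -ltn prints it and classifies the MySQL socket as loopback-only, bound to one specific address, or bound to every interface. The ss output embedded in it is constructed, and the ss invocation in the __main__ block is the only thing it assumes about the host.

```python
"""Audit which interfaces a MySQL server is listening on.

Added example, not part of the original post. It parses the kind of output
produced by ``ss -ltn`` (``netstat -ltn`` prints the same columns) and reports
whether port 3306 is bound to the loopback interface only, to every
interface, or to a specific address. The sample output below is constructed.
"""
import ipaddress
import subprocess

MYSQL_PORT = 3306

# Constructed sample of ``ss -ltn`` output; the MySQL line is the one to check.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port
LISTEN  0       128      127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128      0.0.0.0:80           0.0.0.0:*
LISTEN  0       128      [::]:80              [::]:*
"""


def split_host_port(local):
    """Split 'host:port' as printed by ss, handling bracketed IPv6 '[::]:80'."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)


def listeners_on_port(ss_output, port):
    """Return the bind addresses of every LISTEN socket on ``port``."""
    hosts = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                      # header line or non-listening socket
        host, bound_port = split_host_port(fields[3])
        if bound_port == port:
            hosts.append(host)
    return hosts


def classify_bind(host):
    """Map a bind address to 'loopback', 'all' or 'specific'."""
    if host == "*":
        return "all"
    addr = ipaddress.ip_address(host)
    if addr.is_unspecified:               # 0.0.0.0 or ::
        return "all"
    if addr.is_loopback:                  # 127.0.0.0/8 or ::1
        return "loopback"
    return "specific"


def audit_mysql(ss_output, port=MYSQL_PORT):
    """Return the widest exposure class found for ``port``.

    'none' means no TCP listener at all (socket-only MySQL), which is the
    most restrictive outcome; 'all' means the LAN can reach the server.
    """
    rank = {"none": 0, "loopback": 1, "specific": 2, "all": 3}
    worst = "none"
    for host in listeners_on_port(ss_output, port):
        cls = classify_bind(host)
        if rank[cls] > rank[worst]:
            worst = cls
    return worst


if __name__ == "__main__":
    # Use the live listener table when ``ss`` is available, else the sample.
    try:
        live = subprocess.run(["ss", "-ltn"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        live = SAMPLE_SS_OUTPUT
    print("MySQL exposure:", audit_mysql(live))
```

A "loopback" result matches the post's outcome: the socket and 127.0.0.1 connections succeed while the 192.168.0.1 one is refused. An "all" result means the earlier refusal would not have happened and the bind-address in my.cnf deserves a look.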
How secure is your local PhpMyAdmin?
Unlike database servers, web servers are generally intended to be visible to the world. That means that remote login to your MySQL server may still be possible through PhpMyAdmin, even though the MySQL port itself is closed to the network. You are probably used to pointing your web browser at:
localhost/phpmyadmin
Or, if you're more of a numbers person:
127.0.0.1/phpmyadmin
But try again using your IP address on the local network and you'll probably get exactly the same result:
192.168.0.1/phpmyadmin
I'm on a large network shared with other business units, so I wasn't keen on this behaviour. I might occasionally use my laptop on a public network, and I definitely wouldn't want my database management login screen to be accessible then.
I very quickly found a solution on the Ubuntu forums and modified the Apache configuration for PhpMyAdmin. On my Ubuntu-based computer, that's:
/etc/apache2/conf.d/phpmyadmin.conf
Here I added the three access-control lines (Order, Deny and Allow, shown in bold in the original post) at the top of the Directory block:
<Directory /usr/share/phpmyadmin>
    Order Deny,Allow
    Deny from All
    Allow from 127.0.0.1
    Options Indexes FollowSymLinks
    DirectoryIndex index.php
</Directory>
After reloading my Apache configuration, navigating to 192.168.0.1/phpmyadmin gives me a very satisfying 403 error.
--
Edit: I recently upgraded to Apache 2.4, which replaced the Order/Deny/Allow directives with Require, so I needed to change the config file. It now looks like this:
<Directory /usr/share/phpmyadmin>
    Require ip 127.0.0.1
    Options Indexes FollowSymLinks
    DirectoryIndex index.php
</Directory>
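As an added example (not from the original post, nor from the phpMyAdmin or Apache projects), here is a small checker that reads a phpmyadmin.conf, finds the <Directory /usr/share/phpmyadmin> block and reports whether it admits loopback clients only, under either the Apache 2.2 Order/Deny/Allow syntax or the 2.4 Require syntax. The constructed 2.4 sample also lists ::1: Require ip 127.0.0.1 matches the IPv4 loopback address only, so a browser whose localhost resolves to ::1 would be refused; Require local is Apache 2.4's shorthand for both. The directory path and the file location are the ones the post gives; the sample blocks and the script name are assumptions.

```python
"""Check that PhpMyAdmin's <Directory> block admits loopback clients only.

Added example, not part of the original post or of the phpMyAdmin project.
It understands both the Apache 2.2 access directives (Order / Deny / Allow)
and the Apache 2.4 ones (Require ip / Require local), and returns True only
when the block denies everybody except loopback addresses. The sample
configs below are constructed for the example.
"""
import ipaddress
import re
import sys

DIRECTORY_RE = re.compile(r"<Directory\s+([^>]+)>(.*?)</Directory>", re.S | re.I)
LOOPBACK_NETS = (ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128"))

# Constructed samples: the stock block, the 2.2 fix, and a 2.4 fix that also
# admits the IPv6 loopback address.
DEFAULT_BLOCK = """\
<Directory /usr/share/phpmyadmin>
    Options Indexes FollowSymLinks
    DirectoryIndex index.php
</Directory>
"""
APACHE22_BLOCK = """\
<Directory /usr/share/phpmyadmin>
    Order Deny,Allow
    Deny from All
    Allow from 127.0.0.1
    Options Indexes FollowSymLinks
    DirectoryIndex index.php
</Directory>
"""
APACHE24_BLOCK = """\
<Directory /usr/share/phpmyadmin>
    Require ip 127.0.0.1 ::1
    Options Indexes FollowSymLinks
    DirectoryIndex index.php
</Directory>
"""


def directory_lines(conf_text, path="/usr/share/phpmyadmin"):
    """Return the non-empty directive lines inside <Directory path>."""
    for match in DIRECTORY_RE.finditer(conf_text):
        if match.group(1).strip() == path:
            return [ln.strip() for ln in match.group(2).splitlines() if ln.strip()]
    return []


def is_loopback_source(token):
    """True for 127.0.0.1, ::1, 'localhost' or any CIDR inside the loopback nets."""
    if token.lower() == "localhost":
        return True
    try:
        net = ipaddress.ip_network(token, strict=False)
    except ValueError:
        return False
    return any(net.subnet_of(lb) for lb in LOOPBACK_NETS if lb.version == net.version)


def loopback_only_22(lines):
    """Apache 2.2: 'Order Deny,Allow', 'Deny from all', and only loopback Allows."""
    order_ok = deny_all = False
    allowed = []
    for ln in lines:
        parts = ln.split()
        keyword = parts[0].lower()
        if keyword == "order" and len(parts) == 2 and parts[1].lower() == "deny,allow":
            order_ok = True
        elif keyword == "deny" and ln.lower() == "deny from all":
            deny_all = True
        elif keyword == "allow" and len(parts) >= 3 and parts[1].lower() == "from":
            allowed.extend(parts[2:])
    return order_ok and deny_all and bool(allowed) and all(map(is_loopback_source, allowed))


def loopback_only_24(lines):
    """Apache 2.4: every Require is 'Require local' or 'Require ip <loopback...>'."""
    requires = [ln.split() for ln in lines if ln.lower().startswith("require ")]
    if not requires:
        return False
    for parts in requires:
        if parts[1].lower() == "local":
            continue
        if parts[1].lower() == "ip" and len(parts) > 2 and all(map(is_loopback_source, parts[2:])):
            continue
        return False                      # e.g. 'Require all granted' or a LAN range
    return True


def restricts_to_loopback(conf_text):
    """True if the phpmyadmin Directory block is loopback-only under either syntax."""
    lines = directory_lines(conf_text)
    return loopback_only_22(lines) or loopback_only_24(lines)


if __name__ == "__main__":
    # Usage (script name assumed): python check_pma.py /etc/apache2/conf.d/phpmyadmin.conf
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else DEFAULT_BLOCK
    print("loopback only" if restricts_to_loopback(text) else "EXPOSED to non-loopback clients")
```

Run it against the real file after each change and again after an Apache upgrade: a block that still says Require all granted, or that allows a LAN range such as 192.168.0.0/24, is reported as exposed, which is the state the post's 403 test would otherwise catch only if you remember to repeat it.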