Re: Remote MySQL connect
Joe said...
> marc wrote:
> > What is the 'correct' way to configure MySQL for remote connections?
> >
> > The db in question is running fine and can be accessed via phpmyadmin,
> > amongst other things.
> >
> > The default my.cnf has:
> >
> > bind-address - 127.0.0.1
> >
> > When I comment this out (and restart the db), I can connect remotely -
> > so user/password and privs are fine) but this leaves the db wide open.
> >
> > Say I want to provide remote access to 192.168.0.1. Can this be done via
> > MySQL's config or must it be done via the firewall and removing bind-
> > address?
> >
> > The machine is not on a fixed IP.
> >
>
> I'd do it with the firewall, but MySQL has built-in provision for
> client IP addresses. If you use phpmyadmin to look at privileges,
> you'll see the users are all user@address entries, where address
> is usually either localhost or %, the wildcard. It's possible to
> create users that only have privileges from particular IP addresses,
> where fred@192.168.0.1 has read privileges on all or just certain
> databases, or just certain fields of certain tables of certain
> databases, if you want to go that fine. fred@192.168.0.1 is a
> completely separate user from fred@localhost, and may have a
> different password, and certainly different privileges.
I understand how users and privileges work, but to do what you suggest
must I remove bind-address from my.cnf?
There is scant documentation on bind-address - the 1,400-page ref has
six words: "The IP address to bind to", which is neither English nor
very useful.
If I can safely remove bind-address and manage access via user privs,
then that's fine, it's just that I can't make head nor tail of it from
the docs.
> If you're coming in from outside, it's probably safer to tunnel
> it over ssh and accept connections just from localhost, as now.
> That way it doesn't care what IP address you're on, just whether
> you have ssh credentials.
Yes, but for admins coming in via M$ tools that's not yet the main
priority. But I do concur ;-)
Thanks,
--
Best,
Marc
Reply to: