
Re: Remote MySQL connect



Joe said...
> marc wrote:
> > What is the 'correct' way to configure MySQL for remote connections?
> > 
> > The db in question is running fine and can be accessed via phpmyadmin, 
> > amongst other things.
> > 
> > The default my.cnf has:
> > 
> >   bind-address = 127.0.0.1
> > 
> > When I comment this out (and restart the db), I can connect remotely
> > (so user/password and privs are fine) but this leaves the db wide open.
> > 
> > Say I want to provide remote access to 192.168.0.1. Can this be done via 
> > MySQL's config or must it be done via the firewall and removing bind-
> > address?
> > 
> > The machine is not on a fixed IP.
> > 
> 
> I'd do it with the firewall, but MySQL has built-in provision for
> client IP addresses. If you use phpmyadmin to look at privileges,
> you'll see the users are all user@address entries, where address
> is usually either localhost or %, the wildcard. It's possible to
> create users that only have privileges from particular IP addresses,
> where fred@192.168.0.1 has read privileges on all or just certain
> databases, or just certain fields of certain tables of certain
> databases, if you want to go that fine. fred@192.168.0.1 is a
> completely separate user from fred@localhost, and may have a
> different password, and certainly different privileges.

I understand how users and privileges work, but to do what you suggest 
must I remove bind-address from my.cnf?

There is scant documentation on bind-address - the 1,400-page ref has 
six words: "The IP address to bind to", which is neither English nor 
very useful.

If I can safely remove bind-address and manage access via user privs, 
then that's fine, it's just that I can't make head nor tail of it from 
the docs.

> If you're coming in from outside, it's probably safer to tunnel
> it over ssh and accept connections just from localhost, as now.
> That way it doesn't care what IP address you're on, just whether
> you have ssh credentials.

Yes, but for admins coming in via M$ tools that's not yet the main 
priority. But I do concur ;-)

Thanks,

-- 
Best,
Marc
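
The per-host accounts Joe describes, as an added example that is not part of the original thread; the database `appdb`, the table `customers` and the passwords are constructed placeholders. The host part of an account only limits which client addresses may authenticate, so the server still has to listen on a non-loopback address before fred@192.168.0.1 can reach it.

```sql
-- Constructed schema so the grants below have something to refer to.
CREATE DATABASE IF NOT EXISTS appdb;
CREATE TABLE IF NOT EXISTS appdb.customers (
    id    INT PRIMARY KEY,
    name  VARCHAR(100),
    notes TEXT
);

-- Same user name, two different accounts: the host part is part of the identity.
-- Each account has its own password (placeholders, replace before use).
CREATE USER 'fred'@'localhost'   IDENTIFIED BY 'CHANGE_ME_local';
CREATE USER 'fred'@'192.168.0.1' IDENTIFIED BY 'CHANGE_ME_remote';

-- Local account: full access to the one application database.
GRANT ALL PRIVILEGES ON appdb.* TO 'fred'@'localhost';

-- Remote account: read-only, and only on two columns of one table.
GRANT SELECT (id, name) ON appdb.customers TO 'fred'@'192.168.0.1';

-- Check what each account actually holds.
SHOW GRANTS FOR 'fred'@'localhost';
SHOW GRANTS FOR 'fred'@'192.168.0.1';

-- Audit: accounts whose host part contains a wildcard can log in from
-- any matching address once the server listens beyond 127.0.0.1.
SELECT user, host
FROM mysql.user
WHERE INSTR(host, '%') > 0 OR INSTR(host, '_') > 0
ORDER BY user, host;
```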


