How to Secure MAMP


How to Secure MAMP

Postby Eric Kiel » Sun Feb 19, 2006 6:56 pm

I have written an article on how to secure MAMP - it includes changing the default MySQL password and the files you need to modify to keep everything working smoothly. Let me know if there are any additions or corrections you have.

http://machinaproject.dyndns.org/2006/02/19/how-to-secure-mamp/
Eric Kiel
 
Posts: 2
Joined: Sun Feb 19, 2006 6:52 pm

Re: How to Secure MAMP

Postby striderdm1 » Fri Mar 03, 2006 8:50 pm

Eric this is a fantastic document and you have my thanks for this. :)
I'd just like to cover what we talked about over the pm :

.htpasswd, of course, goes in: /Applications/MAMP/
and .htaccess goes here: /Applications/MAMP/bin/ (it's just not too clearly mentioned in the doc, imho).

Now my site is far far more secure thanks to you!

Thanks very much,
Strider
striderdm1
 
Posts: 7
Joined: Sat Feb 04, 2006 4:16 pm
Location: uk
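For anyone who wants to see what the two files in the post above actually contain, here is an added example (my own code, not Eric's article or anything shipped with MAMP): it builds one .htpasswd entry, builds the matching .htaccess stanza, and checks a submitted password against the stored entry. It uses Apache's {SHA} entry format (what `htpasswd -s` writes) because that can be computed with the standard library alone; the user name, realm name and the /Applications/MAMP/.htpasswd path are assumptions for the example.

```python
import base64
import hashlib
import hmac

# Added example, not code from this thread or from MAMP: build the .htpasswd
# entry and the .htaccess stanza that password-protect a directory, and check
# a submitted password against the stored entry. The {SHA} format is what
# Apache's `htpasswd -s` writes; it is unsalted SHA-1, so on Apache 2.4+
# prefer `htpasswd -B` (bcrypt) for anything reachable from the network.


def htpasswd_line(user: str, password: str) -> str:
    """Return one .htpasswd entry in Apache's {SHA} format."""
    if not user or ":" in user:
        raise ValueError("user name must be non-empty and contain no ':'")
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def htaccess_stanza(htpasswd_path: str, realm: str = "MAMP admin") -> str:
    """Return .htaccess contents that point Apache at htpasswd_path.

    The directory holding this .htaccess must be covered by an
    AllowOverride AuthConfig (or All) in httpd.conf; under
    AllowOverride None Apache ignores the file and the directory stays open.
    """
    return (
        "AuthType Basic\n"
        f'AuthName "{realm}"\n'
        f'AuthUserFile "{htpasswd_path}"\n'
        "Require valid-user\n"
    )


def verify(htpasswd_text: str, user: str, password: str) -> bool:
    """True if user/password matches a {SHA} entry in htpasswd_text."""
    candidate = htpasswd_line(user, password)
    for line in htpasswd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, stored = line.partition(":")
        if name != user:
            continue
        if not stored.startswith("{SHA}"):
            return False  # crypt, $apr1$ and bcrypt entries are not handled here
        # constant-time comparison so timing does not reveal matching prefixes
        return hmac.compare_digest(line, candidate)
    return False


if __name__ == "__main__":
    # constructed sample: one admin user (assumed name and password)
    entry = htpasswd_line("admin", "correct horse")
    print(entry)
    print(htaccess_stanza("/Applications/MAMP/.htpasswd"), end="")
    print("verify ok:", verify(entry, "admin", "correct horse"))
    print("verify wrong:", verify(entry, "admin", "battery staple"))
```

Write the first function's output to the .htpasswd file and the second's to the .htaccess file in the directory you want to protect, keeping the .htpasswd outside any directory Apache serves. The AllowOverride point in the docstring is the one that bites on a stock install: if httpd.conf says AllowOverride None for that directory, the .htaccess is never read and no password prompt appears.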

Postby Guddler » Fri Apr 28, 2006 2:48 pm

I'm not sure if you guys are running a different version from me or not, but I just downloaded and installed MAMP and by default, for all the admin sections (the MAMP page, phpMyAdmin etc.) the Directory directives in the httpd.conf were set to "AllowOverride None", so the solution of using the .htaccess file wasn't going to work.

To restrict access to my admin pages I changed the directive in each of the relevant sections of httpd.conf to read:

AllowOverride None
Order deny,allow
Allow from 192.168.1.
Deny from all


Which suits my setup (deny to the outside world, allow from any local IP address). Seems to work fine for me - I imagine you can put whatever you were going to put in .htaccess in there (usernames and passwords), or change the AllowOverride line to All or Limit, whatever does it for you!

Point is, by default after installation, my setup was set to ignore .htaccess files in anything but the htdocs root and below.

Hope someone finds this useful (and hello from a new user! :D)
Guddler
 
Posts: 1
Joined: Fri Apr 28, 2006 2:36 pm

Postby moshisushi » Sat Jul 22, 2006 4:02 pm

Great HOWTO!

Too bad the directory layout of MAMP has changed a bit since it was written. Maybe it's possible to make a quick rev of it?

(Yes, I know you can find the correct paths in the comments thread.)

It was really helpful anyway. Thanks a lot!
##henry / moshisushi / henryrodrick.com
moshisushi
 
Posts: 1
Joined: Sat Jul 22, 2006 3:50 pm
Location: Sweden

dead URL

Postby Tim Duffin » Fri Aug 18, 2006 4:18 pm

"http://machinaproject.dyndns.org/2006/02/19/how-to-secure-mamp/" <-- Not working; to get my hands on this very document would render me once again sane.

Would one be so kind as to repost it somewhere?

Oh, by the way, MAMP's an amazing piece of kit.

Thanks,

Tim D.
www.timduffin.com for the moment, blank...
Tim Duffin
 
Posts: 1
Joined: Fri Aug 18, 2006 3:21 pm

Postby bugsmi0 » Sun Aug 20, 2006 7:24 pm

Guddler wrote: To restrict access to my admin pages I changed the directive in each of the relevant sections of httpd.conf to read:

AllowOverride None
Order deny,allow
Allow from 192.168.1.
Deny from all


Which suits my setup (deny to the outside world, allow from any local IP address). Seems to work fine for me


I tried this but it didn't work. What sections in httpd.conf did you add it to?

I only get a Forbidden message even though it's set to allow from the local IP.
bugsmi0
 
Posts: 35
Joined: Wed Mar 08, 2006 2:47 pm

Re: dead URL

Postby dmurphy » Thu Aug 24, 2006 8:18 pm

Tim Duffin wrote:"http://machinaproject.dyndns.org/2006/02/19/how-to-secure-mamp/" <-- Not working;
www.timduffin.com for the moment, blank...


I second that! I'd love to access that document somehow.

I love MAMP!
dmurphy
 
Posts: 1
Joined: Thu Aug 24, 2006 8:16 pm

back online again

Postby leono1 » Sat Aug 26, 2006 8:48 pm

The site with information on how to secure mamp is back online again:

http://machinaproject.dyndns.org/2006/0 ... cure-mamp/
leono1
 
Posts: 8
Joined: Tue Mar 28, 2006 4:03 pm

Please make available again

Postby nrenfree » Thu Jan 04, 2007 7:54 pm

When I click the link, I get the following message:

"Welcome to machina! nothing is currently served up here."

PLEASE put this information where we can get to it. :)

Thank you,

Nancy
nrenfree
 
Posts: 1
Joined: Thu Jan 04, 2007 7:50 pm

Re: Please make available again

Postby dafydd » Fri Jan 05, 2007 6:00 am

nrenfree wrote:When I click the link, I get the following message:

"Welcome to machina! nothing is currently served up here."

PLEASE put this information where we can get to it. :)

Thank you,

Nancy


Seconded! :)

dafydd
The only thing worse than planning for disaster is explaining why you didn't.
dafydd
 
Posts: 2
Joined: Mon Dec 11, 2006 1:43 am
Location: Puget Sound, WA, USA

i think it is removed again

Postby leono1 » Tue Jan 09, 2007 10:08 am

It WAS back online for a short time,
but it was written for an older version of MAMP.
There are several tutorials about how to secure Apache on the web.
I used .htaccess files (they are hidden - use the "show hidden files" option in Transmit or your FTP client to show them). You have to make them first, of course! When you place them somewhere in a folder they will ask for a password. It works for me. I can't write more on this subject as I'm not an expert.
As long as you use port 8888 it is safer in the outside world than port 8080. (Think of it as a village; crime is less there ;-)
leono1
 
Posts: 8
Joined: Tue Mar 28, 2006 4:03 pm

here is the article i found.

Postby leono1 » Tue Jan 09, 2007 10:23 am

I had a backup of this article. I will place it here, but there are no guarantees whatsoever. Nor will I guarantee that it stays here.
I will not answer questions regarding this article as I'm not the writer.
It was written by Eric and I've included the first few posts:

Machina Project
How-To | 19 Feb 2006 06:17 pm
How To Secure MAMP


Note: This tutorial is for MAMP 1.1. I plan on doing an update to this tutorial so please be patient as I need to figure it out again.
MAMP is a great package for testing and developing websites locally on your Mac. It is extremely easy to use and very stable. While MAMP is not designed to be used in a production environment, and the developers do not recommend it, with some careful modification MAMP can be secured sufficiently to be used in a public development environment. MAMP, out of the box, includes the following software:
* Apache 2.0.54
* MySQL 4.1.12
* PHP 4.4 & 5.0.4
* eAccelerator 0.9.3
* phpMyAdmin 2.6.3-pl1
* Zend Optimizer 2.5.10
* SQLite 2.8.14
* Freetype 2.1.9
* t1lib 5.1.0
* bzip2 1.0.3
* curl 7.14.0
* jpeg 6b
* libpng-1.2.5
* gd 2.0.28
This makes it a viable solution for users who do not want to install, upgrade or modify the built in Apache and PHP.
Installing MAMP
To install MAMP, download the latest disk image file and mount the image and copy the “MAMP” folder to your Applications folder. Note that MAMP MUST be installed in the Applications folder to work properly. Once the copy is complete, the installation is complete and ready to use. MAMP in a freshly installed state is not safe to use in a production environment. The next few sections will explain how to secure your installation of MAMP.
Securing MySQL
If you are going to install a PHP/MySQL based application, the first thing to change is the MySQL root password. Open the terminal and type the following:
/Applications/MAMP/bin/mysql4/bin/mysqladmin -u root -p password NEWPASSWORD
Instead of NEWPASSWORD use the new password you want.
Afterwards, you also need to change the password for phpMyAdmin and other scripts which are running under MAMP. You can change the password for phpMyAdmin in the following file:
/Applications/MAMP/bin/phpMyAdmin-X.X.X/config.inc.php
Be sure to edit this file in a plain text editor such as BBEdit or TextWrangler.
The password is set on line 86 of the document and by default is set to “root”.
$cfg['Servers'][$i]['password'] = 'root';
Change 'root' to the password set previously in the terminal. Now you can close and save config.inc.php and phpMyAdmin is now using the new MySQL password you set.
The next script we will change is located at /Applications/MAMP/bin/mamp/index.php
$link = @mysql_connect(':/Applications/MAMP/tmp/mysql/mysql.sock', 'root', 'root');
The second instance of root is the password the script is providing to MySQL. Change this to your new root password. Once that is changed, you can save and close the file. Thanks for the catch Alexandre!
The next thing we will change is the stop MySQL script MAMP uses to stop the MySQL process. The file we are going to modify is located at /Applications/MAMP/bin/stopMysql.sh. The contents of the file are as follows:
#!/bin/sh
/Applications/MAMP/bin/mysql4/bin/mysqladmin -u root -proot --socket=/Applications/MAMP/tmp/mysql/mysql.sock shutdown
You will notice that the script saves the MySQL user id and password in the file as -u root for the userid and -proot for the password. We are just going to change the password for the script so when we quit MAMP, MySQL will also quit.
In order to change the password, in the section that is -proot change this to -pNEWPASSWORD where 'NEWPASSWORD' is the password set previously in the terminal. Close and save this file.
If MAMP is running, go to the phpMyAdmin page and see if you can access the databases. If you are able to, then phpMyAdmin is configured correctly to use the new password. Now try to Stop the servers for MAMP, if successful, both servers should stop. If MySQL does not stop, check the stopMysql.sh script again and check the password.
Securing the Admin section of MAMP
You may have noticed that the 'start page' for MAMP is located at http://localhost/MAMP/ and this is where you can administer your databases and other settings for MAMP. If anyone figures out you are running MAMP, (identifiable by the favicon), they would be able to go straight to the phpMyAdmin section and drop entire databases. This is a security hole that needs to be fixed. For this solution, we will use .htaccess and an .htpasswd file to secure the folder. The .htpasswd file is what will hold the encrypted password for Apache to authenticate. The .htaccess file is what tells Apache to look at the .htpasswd file to authenticate against. Go to Dynamic Drive's online .htpasswd tool to create an .htpasswd file and corresponding .htaccess.
The first section wants a username that you will use to access the protected folder. This can be anything you want. The second box will want a password that is valid for the user you just input. This can also be anything you want. In the second section, this is requesting the path to the .htpasswd file. We will put these files in /Applications/MAMP. Once these files are in place, if you try to navigate to http://localhost/MAMP/ you will be presented with a dialog box requesting userid and password. Type in your corresponding userid and password and you should then be granted access to the start page where you can then administrate your databases.
I hope you find this tutorial useful and if there are any corrections or additions you would like to see added, feel free to leave a comment or send me an email.
UPDATE 02-23-06
I’ve added Alexandre’s tip to the article and have fixed an encoding error which made the code bits messy and incorrect. Hat tip to Joshua! Thanks for the tips!
13 Responses
Alexandre Girard Says:
February 21st, 2006 at 6:41 am
Hi,
Thanks for your article, MAMP is a little too open at first install, hope they will solve this issue quickly.
I use MAMP v1.1.1 and I had this message after following your steps: Error: Could not connect to MySQL server!
So I found on the bug forum that there’s a another place where to change MySql password:
/MAMP/bin/mamp/index.php
You’ll find there:
$link = @mysql_connect(':/Applications/MAMP/tmp/mysql/mysql.sock', 'root', 'root');
Where you’ve to change the second ‘root’ by your password.
Thanks again for your article,
Alx
Eric Says:
February 21st, 2006 at 2:58 pm
Thanks for the catch! I do recall editing this file- I just forgot to put it in the article. I’ll fix it today. Thanks!
Joshua Says:
February 24th, 2006 at 1:58 am
Eric,
Thanks for this page. You have a minor problem in the display of the page; you have unencoded left angle brackets in the code samples. It was quite confusing until I looked at the page source.
Use the HTML “entities” (ampersand-lt-semicolon and ampersand-gt-semicolon) and it will display as you intend.
mulan Says:
March 12th, 2006 at 2:06 pm
So are you saying if we follow the above instructions, MAMP will be secure enough to use as a live server?
Are there any necessary adjustments to php.ini and the Apache file?
Eric K Says:
March 18th, 2006 at 7:53 pm
Mulan, I do believe that this is secure to run as a live server. I used this setup for a few months before I switched to OS X Server. As far as I know, there are not any changes needed to php.ini or httpd.conf. However, please note that if your user account is an administrator, Apache is also running as administrator.

I think this is a potential risk.
leono1
 
Posts: 8
Joined: Tue Mar 28, 2006 4:03 pm
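The article above changes the same root password by hand in three files (phpMyAdmin's config.inc.php, the start page's index.php and stopMysql.sh), and it is easy to miss one or to break a file with a password that contains a quote. As an added example (my own code, not Eric's article or MAMP's scripts), here is a small rewriter that applies one new password to all three and refuses to proceed if it does not find exactly one line to change. It works on file contents passed in as strings and hands the rewritten contents back, so the caller decides when to write to disk; the sample contents and the `n3w'pw` password are constructed for the example, and the phpMyAdmin-X.X.X path is the placeholder the article uses. The password in MySQL itself is still changed first with the mysqladmin command from the article.

```python
import os
import re

# Added example, not the article's script: apply one new MySQL root password
# to the three MAMP 1.1 files the article edits by hand. Returns rewritten
# contents; nothing is written to disk here.


def php_single_quoted(value: str) -> str:
    """Quote a value as a PHP single-quoted string literal."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def sh_single_quoted(value: str) -> str:
    """Quote a value as a POSIX shell single-quoted word."""
    return "'" + value.replace("'", "'\"'\"'") + "'"


def _sub_once(pattern: re.Pattern, repl, text: str, what: str) -> str:
    """Substitute exactly one match or refuse, so a missed edit is loud."""
    new_text, count = pattern.subn(repl, text)
    if count != 1:
        raise ValueError(f"expected exactly one {what}, found {count}")
    return new_text


# $cfg['Servers'][$i]['password'] = 'root';
PMA_RE = re.compile(r"(\$cfg\['Servers'\]\[\$i\]\['password'\]\s*=\s*)'(?:[^'\\]|\\.)*'")
# $link = @mysql_connect(':/Applications/MAMP/tmp/mysql/mysql.sock', 'root', 'root');
INDEX_RE = re.compile(r"(mysql_connect\(\s*'[^']*'\s*,\s*'[^']*'\s*,\s*)'(?:[^'\\]|\\.)*'(\s*\))")
# mysqladmin -u root -proot --socket=... shutdown
STOP_RE = re.compile(r"(\s-u\s+root\s+)-p\S*")


def rotate_phpmyadmin(text: str, new_pw: str) -> str:
    return _sub_once(PMA_RE, lambda m: m.group(1) + php_single_quoted(new_pw),
                     text, "phpMyAdmin password line")


def rotate_mamp_index(text: str, new_pw: str) -> str:
    # the third mysql_connect() argument is the password
    return _sub_once(INDEX_RE, lambda m: m.group(1) + php_single_quoted(new_pw) + m.group(2),
                     text, "mysql_connect() call")


def rotate_stop_script(text: str, new_pw: str) -> str:
    # -p with the password attached; shell quoting keeps spaces and quotes intact
    return _sub_once(STOP_RE, lambda m: m.group(1) + "-p" + sh_single_quoted(new_pw),
                     text, "-p argument")


HANDLERS = {
    "config.inc.php": rotate_phpmyadmin,
    "index.php": rotate_mamp_index,
    "stopMysql.sh": rotate_stop_script,
}


def rotate_all(files: dict, new_pw: str) -> dict:
    """Return {path: new contents} for every known MAMP file in `files`."""
    out = {}
    for path, text in files.items():
        handler = HANDLERS.get(os.path.basename(path))
        if handler is None:
            raise ValueError(f"no handler for {path}")
        out[path] = handler(text, new_pw)
    return out


# constructed sample contents mirroring the lines quoted in the article
SAMPLE_FILES = {
    "/Applications/MAMP/bin/phpMyAdmin-X.X.X/config.inc.php":
        "$cfg['Servers'][$i]['password'] = 'root';\n",
    "/Applications/MAMP/bin/mamp/index.php":
        "$link = @mysql_connect(':/Applications/MAMP/tmp/mysql/mysql.sock', 'root', 'root');\n",
    "/Applications/MAMP/bin/stopMysql.sh":
        "#!/bin/sh\n/Applications/MAMP/bin/mysql4/bin/mysqladmin -u root -proot "
        "--socket=/Applications/MAMP/tmp/mysql/mysql.sock shutdown\n",
}

if __name__ == "__main__":
    for path, text in rotate_all(SAMPLE_FILES, "n3w'pw").items():
        print(path)
        print(text)
```

Running it against copies of the real files (read them in, pass the dict, write the results back) gives you the three edits in one step, and the "exactly one match" rule means a MAMP version whose files look different fails instead of being silently left on the old password. Note that after this the password still sits in clear text in three files, which is the same state the article leaves you in; keep those files unreadable by other local users.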

Limiting administrative pages to localhost

Postby ScienceMan » Wed Jun 27, 2007 8:29 pm

The above post appears to be at

http://www.network0.org/2006/09/23/how-to-secure-mamp/

Looking at the setup MAMP starts with, however, it would appear to me to be better to alter the conf/apache/httpd.conf file to change the protections for the http-accessible configuration php script directories to limit access to localhost.

To do this, edit the above file and change the indicated sections to be as follows:

<Directory "/Applications/MAMP/bin/phpMyAdmin">
    Options Indexes MultiViews
    AllowOverride None
    Order allow,deny
# Was: Allow from all
    Allow from localhost
</Directory>

Alias /SQLiteManager "/Applications/MAMP/bin/SQLiteManager"

<Directory "/Applications/MAMP/bin/SQLiteManager">
    Options Indexes MultiViews
    AllowOverride None
    Order allow,deny
# Was: Allow from all
    Allow from localhost
</Directory>

Alias /MAMP "/Applications/MAMP/bin/mamp"

<Directory "/Applications/MAMP/bin/mamp">
    Options Indexes MultiViews
    AllowOverride None
    Order allow,deny
# Was: Allow from all
    Allow from localhost
</Directory>


This will allow you to reach these pages from your own computer but not advertise these pages to the outside world. Of course, if you actually want to be able to edit them from elsewhere you can use .htaccess files, but the above approach is easier, cleaner and safer by default.
ScienceMan
 
Posts: 3
Joined: Wed Jun 27, 2007 8:18 pm
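Both the Allow/Deny change earlier in this thread and the localhost-only version just above depend on the Apache 2.0/2.2 Order semantics, which are easy to get backwards. As an added example (my own code, not from this thread or from MAMP), here is a checker that reads the <Directory> blocks out of an httpd.conf, evaluates each one for a given client address the way Apache does, and lists which directories an outside address could still reach. SAMPLE_CONF is constructed for the example and mixes both rule styles from the thread; the client addresses and host names are assumptions, and because Apache matches host-name arguments such as localhost against the client's double-reverse DNS name, the caller supplies that name here instead of doing a lookup.

```python
import ipaddress
import re
from typing import Optional

# Added example, not code from this thread or from MAMP: parse <Directory>
# blocks from an Apache 2.0/2.2 httpd.conf and evaluate Order/Allow/Deny
# for a client, so an access change can be checked before restarting Apache.

SAMPLE_CONF = """
<Directory "/Applications/MAMP/bin/phpMyAdmin">
    Options Indexes MultiViews
    AllowOverride None
    Order allow,deny
# Was: Allow from all
    Allow from localhost
</Directory>

<Directory "/Applications/MAMP/bin/mamp">
    AllowOverride None
    Order deny,allow
    Allow from 192.168.1.
    Deny from all
</Directory>

<Directory "/Applications/MAMP/htdocs">
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>
"""

DIRECTORY_RE = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S)


def parse_directories(conf: str) -> dict:
    """Map each <Directory> path to its Order, Allow, Deny and AllowOverride."""
    dirs = {}
    for m in DIRECTORY_RE.finditer(conf):
        path, body = m.group(1), m.group(2)
        # Apache defaults: Order Deny,Allow with no rules means everyone is allowed
        rules = {"order": "deny,allow", "allow": [], "deny": [], "override": "All"}
        for raw in body.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split()
            key = parts[0].lower()
            if key == "order" and len(parts) > 1:
                rules["order"] = parts[1].lower()
            elif key in ("allow", "deny") and len(parts) > 2 and parts[1].lower() == "from":
                rules[key].extend(parts[2:])
            elif key == "allowoverride":
                rules["override"] = " ".join(parts[1:])
        dirs[path] = rules
    return dirs


def host_matches(pattern: str, client_ip: str, client_name: Optional[str]) -> bool:
    """Does one Allow/Deny argument match this client?"""
    p = pattern.lower()
    if p == "all":
        return True
    if "/" in p:  # CIDR or address/netmask form
        try:
            return ipaddress.ip_address(client_ip) in ipaddress.ip_network(p, strict=False)
        except ValueError:
            return False
    if re.fullmatch(r"[0-9.]+", p):
        # full address, or a 1-3 octet prefix; the trailing-dot spelling is accepted too
        prefix = p if p.endswith(".") else p + "."
        return client_ip == p or client_ip.startswith(prefix)
    # anything else is a (partial) host name checked against the client's reverse name
    name = (client_name or "").lower()
    return bool(name) and (name == p or name.endswith("." + p))


def is_allowed(rules: dict, client_ip: str, client_name: Optional[str] = None) -> bool:
    """Apply Apache 2.x Order semantics to one directory's rules."""
    allowed = any(host_matches(p, client_ip, client_name) for p in rules["allow"])
    denied = any(host_matches(p, client_ip, client_name) for p in rules["deny"])
    if rules["order"] in ("allow,deny", "mutual-failure"):
        return allowed and not denied      # default deny: needs an Allow and no Deny
    if rules["order"] == "deny,allow":
        return allowed or not denied       # default allow: an Allow overrides a Deny
    raise ValueError(f"unknown Order value {rules['order']!r}")


def world_reachable(dirs: dict, probe_ip: str = "203.0.113.5") -> list:
    """Paths an arbitrary outside address (a TEST-NET-3 address here) could reach."""
    return sorted(path for path, rules in dirs.items() if is_allowed(rules, probe_ip))


if __name__ == "__main__":
    dirs = parse_directories(SAMPLE_CONF)
    for path, rules in dirs.items():
        for ip, name in (("127.0.0.1", "localhost"), ("192.168.1.10", None), ("203.0.113.5", None)):
            print(f"{path:42s} {ip:14s} {'allow' if is_allowed(rules, ip, name) else 'DENY'}")
    print("reachable from the outside:", world_reachable(dirs))
```

Two things the output makes visible that are easy to miss when editing by hand. First, under `Order deny,allow` with `Allow from 192.168.1.` and `Deny from all`, a request arriving from 127.0.0.1 matches no Allow rule and is refused, so a browser on the same Mac going to localhost gets Forbidden while a machine on the 192.168.1 LAN gets in; Apache's documented prefix form is written without the trailing dot (`Allow from 192.168.1`). Second, `Allow from localhost` only works if the reverse lookup of the client address really yields that name. Current MAMP builds ship Apache 2.4, where Order/Allow/Deny is replaced by `Require local` and `Require ip 192.168.1`, but the directory-by-directory audit is the same idea.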

