Reputation: 9804
I'm using MySQL, and a web-service connects to the database to read some values.
The web-service and the database are on the same server.
I want to deny access to the database through the public static IP of the server and the port of MySQL.
That means only allowing access to the database through localhost, so that only the web-service can connect to it. How do I do so? What configuration, for example in MySQL, should I do?
Upvotes: 0
Views: 4894
Reputation: 1083
You can also limit traffic to your MySQL database from only the localhost at the TCP layer. I'm not sure of the pros and cons of this method versus using the MySQL database permissions.
https://www.thegeekdiary.com/understanding-tcp-wrappers-in-linux/
In the /etc/hosts.allow, add:
mysqld: LOCAL
This whitelists the localhost to have access to the database daemon. You can use a comma-separated list of IP addresses and hostnames that are also allowed.
In the /etc/hosts.deny, add:
mysqld: ALL
This denies access to the daemon to anything that was not whitelisted.
Upvotes: 0
Reputation: 6087
There is no way to restrict access to only the web-service. You can restrict it to just applications running on the same host. To do this, create a new user with a host of either 127.0.0.1, or localhost should also work. You can either do this graphically or through the command line:
CREATE USER 'webservice'@'localhost' IDENTIFIED BY 'webservicepassword';
-- Grant privileges here...
-- For example, GRANT ALL PRIVILEGES ON *.* TO 'webservice'@'localhost' - but it's a far better idea to restrict access to only what it needs...
Upvotes: 2
Reputation: 449803
It's not possible to restrict access to MySQL to specific applications as such.
You can, however, create a user account (e.g. named webservice) that is restricted to connect from 127.0.0.1 - that's the best you can do as far as I know, and should be totally sufficient.
Upvotes: 3
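A check for the account-level restriction described in the two answers above, as an added example that is not part of any answer: it reads tab-separated user/host rows, such as the output of `mysql -N -B -e "SELECT user, host FROM mysql.user"`, and lists every account whose host value is not limited to loopback. The function names and the sample rows are constructed for illustration.

```python
import ipaddress

def host_is_local_only(host):
    """True if a mysql.user Host value can only match a loopback client."""
    host = host.strip().lower()
    if host == "localhost":
        return True
    # An empty value, the MySQL wildcards % and _, and the netmask form
    # a.b.c.d/m.m.m.m can match a range of hosts, so they are flagged
    # rather than analysed further (a conservative choice).
    if not host or "%" in host or "_" in host or "/" in host:
        return False
    try:
        # Literal address: local only if it is 127.0.0.0/8 or ::1.
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        # Any other hostname can belong to a different machine.
        return False

def remote_capable_accounts(tsv):
    """Return (user, host) pairs whose host value allows non-local clients."""
    flagged = []
    for line in tsv.splitlines():
        if not line.strip():
            continue
        user, _, host = line.partition("\t")
        if not host_is_local_only(host):
            flagged.append((user, host.strip()))
    return flagged

# Constructed sample rows (not taken from a real server).
SAMPLE = (
    "root\tlocalhost\n"
    "webservice\tlocalhost\n"
    "webservice\t127.0.0.1\n"
    "repl\t::1\n"
    "report\t%\n"
    "backup\t192.0.2.%\n"
    "admin\t203.0.113.10\n"
)

if __name__ == "__main__":
    for user, host in remote_capable_accounts(SAMPLE):
        print(f"account can connect from outside the host: '{user}'@'{host}'")
```

An empty result means every account is tied to localhost or a loopback address; any flagged account can still be used from another machine if the MySQL port is reachable.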