[Solved] SSH tunnel for phpMyAdmin

I'm really puzzled. I'm trying to do what I've seen recommended in lots of places - to secure phpMyAdmin by restricting its directory to localhost connections and then using as SSH tunnel to access the directory. I believe I had everything set up correctly (normal web access to the directory - example.org/phpmyadmin - was now Forbidden) but I get the same Forbidden response when I try to connect via the SSH tunnel. The tunnel runs from port 8080 on my local machine to port 80 on my virtual server.

I do know (I think) that the tunnel is working correctly, because when I point my local browser at localhost:8080 the main web site on example.org comes up correctly. It's when I then try to go to localhost:8080/phpmyadmin that I get the Forbidden response.

Before I started all this, I was able to access phpMyAdmin correctly at example.com/phpmyadmin.

CentOS 6, Apache 2, server administered with Virtualmin.

What I did:

Inserted the following in the directives for my example.org virtual host

 <directory home="" (useraccount)="" public_html="" phpmyadmin="">Order Deny,Allow
    Deny from All
    Allow from localhost
    Allow from 127.0.0.1</directory> 

Tunnel command, issued on my local machine:

ssh -L 8080:example.org:80 useraccount@my_linode_address

iptables is set to accept incoming traffic on lo and 127.0.0.1

I was using this as a less critical test before trying to do the same thing with Virtualmin itself, but I won't even touch that until I get this one figured out. (I've also been able to unwind my changes and restore normal access to phpMyAdmin via the web.)

Anyone have any ideas?

Thanks!