
Can I run xampp 1.70 on the server ?

Posted: 10. January 2009 04:22
by voocoo
My friend has a website. Every day it gets traffic from about 100,000 independent IPs.

IIS was used to run ASP; the site is now ready to switch to PHP.

Can XAMPP withstand the traffic of this website?

Thank you for your answers!!

Re: Can I run xampp 1.70 on the server ?

Posted: 10. January 2009 04:32
by Izzy
XAMPP is designed to be used on localhost (127.0.0.1) for development purposes only.

It is possible, with some security configurations, to run a small production server from your PC but it is still not advisable in today's script kiddie environment, as they keep coming up with new ways of compromising a server and indeed a PC that is open to the Internet.

AFAIK (as far as I know), you can run an instance of PHP with IIS and a Google search may come up with how you can do this, as it is beyond the scope of these XAMPP forums to help with IIS related issues.

Good luck.
readme_en.txt file wrote: A matter of security (A MUST READ!)

As mentioned before, XAMPP is not meant for production use but only for developers in a development environment. The way XAMPP is configured is to be open as possible and allowing the developer anything he/she wants. For development environments this is great but in a production environment it could be fatal.

Re: Can I run xampp 1.70 on the server ?

Posted: 10. January 2009 06:38
by voocoo
Izzy, thanks for your answer!

The new program uses Apache's rewrite function, so my friend doesn't want to use IIS!

Re: Can I run xampp 1.70 on the server ?

Posted: 10. January 2009 06:54
by Izzy
voocoo wrote: ...The new program uses Apache's rewrite function, so my friend doesn't want to use IIS!...
Then give XAMPP a go and see how it performs but read the readme file mentioned above about setting up some security.

You may have to do some other performance tweaks once they are defined by using it.

Good luck and read the log files often and if you see an IP that is playing up then block it in your PC's firewall.

BTW it is possible to set up a stand alone Apache PHP and MySQL server based on the individual components but some have had configuration issues having them all work together where XAMPP should work "out of the box".

Good luck with it and post a new topic if you have XAMPP issues to solve.

Re: Can I run xampp 1.70 on the server ?

Posted: 10. January 2009 18:24
by dmphotography
Ya know something,
I've been curious about the security thing. Beyond doing the things outlined in that readme file, what are the other primary vulnerabilities? I've put index.php files in my subdirectories so if they try viewing the content of a folder by going to it, it redirects them back to where they're supposed to be. This keeps them from roaming the content on my site and exploring subdirectories where things like login panels can be found, etc.

I've set my phpadmin to only be connectable on a LAN, so it can't be accessed over the net. That might be a step most won't want to take, but I can log in to my server remotely if I need to create a database.

So beyond that, what else are my main risks?

I see it mentioned so many times how "insecure" XAMPP is and it's not made for production use, but have you tried installing Apache without XAMPP? That thing is wide open, worse than XAMPP with no security settings.

I'm just trying to understand the difference and why XAMPP is always said to be a lot less secure.

Re: Can I run xampp 1.70 on the server ?

Posted: 10. January 2009 23:32
by Izzy
Take a look at this post, it might help:
viewtopic.php?p=81350#p81350

Any web server whether on Windows or a *nix OS is open and vulnerable to those who may wish to exploit it even with some of the best procedures to harden a server (link) - some are more vulnerable than others and a good server firewall as mentioned in the above post may go a long way to helping secure XAMPP a little bit more.

Google is your best friend on this server security subject as they will have the latest exploits and solutions perhaps.

I am sure that script kiddies do their home work on how to exploit a web server and so you must always be vigilant if administering a web server - part of the head pain involved in being a server admin, unfortunately.

You may also want to research log file utilities and a log watcher that will warn when certain activity is spotted in the server's log files.

Make sure that safe mode is ON in the php.ini file if exposed to the Internet - can be switched OFF if only developing.
Safe mode is a must!
My friend just gave me a simple demonstration of the great time a user can have running with safe_mode disabled.


Investigate the use of a web server anti-virus script if users will be uploading files; also investigate a root kit script.

Most of the processes to harden a server are *nix based but quite a few are also relevant to Windows Apache servers.

Stay lucky. :)
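
A log watcher of the kind suggested in the posts above (added example, not from the thread or the XAMPP project): it scans Apache access-log lines and reports clients with repeated 4xx responses or with requests to admin paths from outside the LAN. The watched paths, LAN range, threshold and sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Apache common/combined log line: host ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
# Assumptions for this example: watched admin paths, LAN range, alert threshold.
WATCHED_PREFIXES = ("/phpmyadmin", "/xampp", "/security", "/webalizer")
LAN = ipaddress.ip_network("192.168.1.0/24")
ERROR_THRESHOLD = 3

def is_lan(host):
    try:
        return ipaddress.ip_address(host) in LAN
    except ValueError:  # a hostname was logged instead of an address
        return False

def suspicious_ips(lines, threshold=ERROR_THRESHOLD):
    """Return {client: [reasons]} for clients an admin should review."""
    errors, admin_hits = Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of stopping the watcher
        ip, path, status = m["ip"], m["path"].lower(), int(m["status"])
        if 400 <= status < 500:
            errors[ip] += 1
        if path.startswith(WATCHED_PREFIXES) and not is_lan(ip):
            admin_hits[ip] += 1
    report = {}
    for ip, n in errors.items():
        if n >= threshold:
            report.setdefault(ip, []).append(f"{n} client-error (4xx) responses")
    for ip, n in admin_hits.items():
        report.setdefault(ip, []).append(f"{n} request(s) to admin paths from outside the LAN")
    return report

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE_LOG = [
    '192.168.1.10 - - [10/Jan/2009:04:30:01 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Jan/2009:04:31:12 +0000] "GET /phpmyadmin/ HTTP/1.1" 403 210',
    '198.51.100.23 - - [10/Jan/2009:04:32:40 +0000] "GET /admin/ HTTP/1.1" 404 208',
    '198.51.100.23 - - [10/Jan/2009:04:32:41 +0000] "GET /login/ HTTP/1.1" 404 208',
    '198.51.100.23 - - [10/Jan/2009:04:32:42 +0000] "GET /backup/ HTTP/1.1" 404 208',
    '192.0.2.55 - - [10/Jan/2009:04:33:05 +0000] "GET /index.php HTTP/1.1" 200 1834',
    'not a log line',
]

if __name__ == "__main__":
    print(suspicious_ips(SAMPLE_LOG))
```

Clients in the returned report are candidates for the firewall block mentioned earlier in the thread; the LAN client that reached phpMyAdmin legitimately is not listed.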

Re: Can I run xampp 1.70 on the server ?

Posted: 12. January 2009 13:21
by Jasin
Actually safe mode isn't really that safe, and they are removing it in 6.0 because it never really helped. It locked some stuff down but they can't fix everything. You should rely more on the OS for locking down directories.

Re: Can I run xampp 1.70 on the server ?

Posted: 13. January 2009 01:45
by Izzy
Jasin wrote: Actually safe mode isn't really that safe, and they are removing it in 6.0 because it never really helped. It locked some stuff down but they can't fix everything. You should rely more on the OS for locking down directories.
This IMHO is very much like using the Windows Internet Firewall - half a firewall is better than no firewall at all.

So having safe mode ON is better than having safe mode OFF - at least until some of the safety issues are addressed in v6 that will warrant its exclusion from that version.

Until you have v6 in your system then safe mode should be ON, that is, if you intend running a web server that is connected and accessible to all from the Internet - it may be turned ON and OFF on a directory by directory basis if required to overcome any issues with a script.

If it interferes with your development progress and your web server is not connected to the Internet, only via localhost, then by all means turn it OFF.