XAMPP security concept

Problems with the Windows version of XAMPP, questions, comments, and anything related.

XAMPP security concept

Postby piandcompany » 29. August 2010 05:08

Hello Apache Friends,

My name is Jason and i am running XAMPP as a testing environment on my home server. I have been working on accessing most parts of it from outside my network so i can access it from anywhere i go. I do know about the idea of security and wish to be able to access root properties such as /htdocs/xampp/... and phpmyadmin from outside the local network.

NOTE: All ports to the specific machine are currently OPEN.

Here are the current files that may help with allowing me to access from outside the network.

http://w**s.r*dir***m*.***/xampp
Code: Select all
Access forbidden!

New XAMPP security concept:

Access to the requested object is only available from the local network.

This setting can be configured in the file "httpd-xampp.conf".

If you think this is a server error, please contact the webmaster.

Error 403


---

C:\xampp\apache\conf\extra\httpd-xampp.conf
Code: Select all
#
# XAMPP settings
#
 
<IfModule env_module>
    SetEnv MIBDIRS "/xampp/php/extras/mibs"
    SetEnv MYSQL_HOME "\\xampp\\mysql\\bin"
    SetEnv OPENSSL_CONF "/xampp/apache/bin/openssl.cnf"
    SetEnv PHP_PEAR_SYSCONF_DIR "\\xampp\\php"
    SetEnv PHPRC "\\xampp\\php"
    SetEnv TMP "\\xampp\\tmp"
    UnsetEnv PERL5LIB
</IfModule>
 
#
# PHP-Module setup
#
LoadFile "/xampp/php/php5ts.dll"
LoadModule php5_module modules/php5apache2_2.dll
 
<IfModule php5_module>
    <FilesMatch "\.php$">
        SetHandler application/x-httpd-php
    </FilesMatch>
    <FilesMatch "\.phps$">
        SetHandler application/x-httpd-php-source
    </FilesMatch>
 
    PHPINIDir "/xampp/php"
</IfModule>
 
#
# PHP-CGI setup
#
<IfModule !php5_module>
    <FilesMatch "\.php$">
        SetHandler application/x-httpd-php-cgi
    </FilesMatch>
    <IfModule actions_module>
        Action application/x-httpd-php-cgi "/php-cgi/php-cgi.exe"
    </IfModule>
</IfModule>
 
 
<IfModule mime_module>
    AddType text/html .php .phps
</IfModule>
 
ScriptAlias /php-cgi/ "/xampp/php/"
<Directory "/xampp/php">
    AllowOverride None
    Options None
    Order deny,allow
    Deny from all
    <Files "php-cgi.exe">
        Allow from all
    </Files>
</Directory>
 
<Directory "/xampp/cgi-bin">
    <FilesMatch "\.php$">
        SetHandler cgi-script
    </FilesMatch>
    <FilesMatch "\.phps$">
        SetHandler None
    </FilesMatch>
</Directory>
 
<Directory "/xampp/htdocs/xampp">
    <IfModule php5_module>
        <Files "status.php">
                php_admin_flag safe_mode off
        </Files>
    </IfModule>
    AllowOverride AuthConfig
</Directory>
 
<IfModule alias_module>
    Alias /security "/xampp/security/htdocs/"
    <Directory "/xampp/security/htdocs">
        <IfModule php5_module>
                <Files "xamppsecurity.php">
                        php_admin_flag safe_mode off
                </Files>
        </IfModule>
        AllowOverride AuthConfig
   </Directory>
 
    Alias /licenses "/xampp/licenses/"
    <Directory "/xampp/licenses">
        Options +Indexes
        <IfModule autoindex_color_module>
            DirectoryIndexTextColor  "#000000"
            DirectoryIndexBGColor "#f8e8a0"
            DirectoryIndexLinkColor "#bb3902"
            DirectoryIndexVLinkColor "#bb3902"
            DirectoryIndexALinkColor "#bb3902"
        </IfModule>
   </Directory>
 
    Alias /phpmyadmin "/xampp/phpMyAdmin/"
    <Directory "/xampp/phpMyAdmin">
        AllowOverride AuthConfig
    </Directory>
 
    Alias /webalizer "/xampp/webalizer/"
    <Directory "/xampp/webalizer">
        <IfModule php5_module>
                <Files "webalizer.php">
                        php_admin_flag safe_mode off
                </Files>
        </IfModule>
        AllowOverride AuthConfig
    </Directory>
</IfModule>
 
#
# New XAMPP security concept
#
<LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
    Order deny,allow
    Deny from all
    Allow from ::1 127.0.0.0/8 192.168.1.1/8 192.168.1.106/8 \
               fc00::/7 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 \
               fe80::/10 169.254.0.0/16
 
    ErrorDocument 403 /error/HTTP_XAMPP_FORBIDDEN.html.var
</LocationMatch>


-Jason
piandcompany
 
Posts: 1
Joined: 29. August 2010 04:55

Re: XAMPP security concept

Postby JonB » 29. August 2010 15:00

Jason -

You SHOULD be getting an error 404.

You will either need to secure those resources one of two ways -

with a .htaccess file placed in the roor of the folders you want to be able to access remotely.
then remove those folder names from the LocationMatch argument list \xampp\apache\conf\extra\httpd-xammp.conf

or

If you want to be able to access them from a few fixed IP locations,
Comment out the current 'Allow from' lines at the end of \xampp\apache\conf\extra\httpd-xammp.conf
now add those IP addresses to a new 'Allow from' line
Code: Select all
Allow from xxx.xxx.xxx.xyz xxx.xxx.xxx.xta ::1 127.0.0.1


Good luck
8)
User avatar
JonB
AF Moderator
 
Posts: 3210
Joined: 12. April 2010 16:41
Location: Land of the Blazing Sun
Operating System: Windows XP/7 - Fedora 15 1.7.7


Return to XAMPP for Windows

Who is online

Users browsing this forum: No registered users and 68 guests