Apache Friends Support Forum

[cdelorm]

I am trying to set up xampp to allow me to access the application from other computers. I think I am close to having things set up properly...however, I am running into an issue.

When I try to access xampp from another computer using the IP address for the computer with xmapp installed, I get the access forbidden error many others also get (below).

New XAMPP security concept:

Access to the requested directory is only available from the local network.

This setting can be configured in the file "httpd-xampp.conf".

I was also getting the same error when trying to access xampp using the IP address on the computer where I installed xampp.

To allow access from anything, someone recommended that I delete everything below from the \xampp\conf\extra\httpd-xampp.conf file:

#
# New XAMPP security concept
#

# Close XAMPP security section here
<LocationMatch "^/(?i:(?:security))">
Order deny,allow
#Deny from all
Allow from ::1 127.0.0.0/8
ErrorDocument 403 /error/HTTP_XAMPP_FORBIDDEN.html.var
</LocationMatch>


# Close XAMPP sites here
<LocationMatch "^/(?i:(?:xampp|licenses|phpmyadmin|webalizer|server-status|server-info))">
Order deny,allow
#Deny from all
Allow from ::1 127.0.0.0/8
ErrorDocument 403 /error/HTTP_XAMPP_FORBIDDEN.html.var
</LocationMatch>

This worked when I did it, however, I am concerned about security vulnerability. So, my next thought was to try to enable access to the IP address as well...so I added (see red)

#
# New XAMPP security concept
#

# Close XAMPP security section here
<LocationMatch "^/(?i:(?:security))">
Order deny,allow
#Deny from all
Allow from ::1 127.0.0.0/8
ErrorDocument 403 /error/HTTP_XAMPP_FORBIDDEN.html.var
</LocationMatch>


# Close XAMPP sites here
<LocationMatch "^/(?i:(?:xampp|licenses|phpmyadmin|webalizer|server-status|server-info))">
Order deny,allow
#Deny from all
Allow from ::1 127.0.0.0/8
Allow from ::1 xxx.xxx.x.xxx (the computer's IP address)
ErrorDocument 403 /error/HTTP_XAMPP_FORBIDDEN.html.var
</LocationMatch>

When I did this, I was able to open xampp by typing either localhost or the IP address from the computer where xampp is installed. However, I still get the forbidden access error from another computer.

What do you recommend I do to allow access from another computer while limiting security risks?

Thank you!

Caprice

[cdelorm]

One update...I changed the following:

Allow from ::1 xxx.xxx.x.xxx (the computer's IP address...I changed this line from using the xampp installed IP address to the remote computer IP address)

This worked. I can now access xampp from the remote computer when I type the IP address of the computer with xampp in the address bar.

Is this the recommended way to make this work so that security is as strong as possible?

Thanks!

Caprice

[Altrea]

Hi cdelorm,

Thank you for the detailed description. This is really helpful

To allow access from anything, someone recommended that I delete everything below from the \xampp\conf\extra\httpd-xampp.conf file:

Don't follow everything which "someone" recommended. The security concept is not implemented for nuts. The sense behind this concept is to protect the very sensitive parts of your XAMPP from others. If you have full access to the server XAMPP is running on, there is no reason to deactivate or change the security concept.
All folders and files you place inside htdocs are NOT affected by the security concept, just the XAMPP Administration page (XAP), where all security relevant changes are made.

This worked when I did it, however, I am concerned about security vulnerability.

correct. Security is an important thing for servers i think

So, my next thought was to try to enable access to the IP address as well...so I added (see red)
#
# New XAMPP security concept
#

# Close XAMPP security section here
<LocationMatch "^/(?i:(?:security))">
Order deny,allow
#Deny from all
Allow from ::1 127.0.0.0/8
ErrorDocument 403 /error/HTTP_XAMPP_FORBIDDEN.html.var
</LocationMatch>


# Close XAMPP sites here
<LocationMatch "^/(?i:(?:xampp|licenses|phpmyadmin|webalizer|server-status|server-info))">
Order deny,allow
#Deny from all
Allow from ::1 127.0.0.0/8
Allow from ::1 xxx.xxx.x.xxx (the computer's IP address)
ErrorDocument 403 /error/HTTP_XAMPP_FORBIDDEN.html.var
</LocationMatch>

three things:
1) you don't need to place ::1 before your IP-Address. ::1 is just the short notation for the IPv6 self loopback
2) if you want to add more than 1 IP addresse to the Allow from rule, just add them with a space right after the last one, or end a line with a backslash "\" and you can write directly in the next line.
3) Why is your Deny from all rule commented out by a #?
4) Why two blocks? is the security part so much more sensitive from your own IP then the other parts?

Is this the recommended way to make this work so that security is as strong as possible?

Follow my four hints and we will get a step further
So why not this simple block:

Code: Select all

<LocationMatch "^/(?i:(?:xampp|licenses|phpmyadmin|security]webalizer|server-status|server-info))">
Order deny,allow
Deny from all
Allow from ::1 127.0.0.0/8 xxx.xxx.x.xxx
ErrorDocument 403 /error/HTTP_XAMPP_FORBIDDEN.html.var
</LocationMatch>

[Sharley]

4) Why two blocks? is the security part so much more sensitive from your own IP then the other parts?

In the default 1.7.7 httpd-xampp.conf that section is now split in to 2 separate sections so that 127.0.0.1 only has access to the security folder and denies access from the LAN.
The second section will allow access to those other server sensitive folders from the LAN only.

[cdelorm]

Thank you both for your replies. I apologize, I made one error. The Deny All did not have the "#" in front in what I ended up doing. What I currently have is below:

# Close XAMPP security section here
<LocationMatch "^/(?i:(?:security))">
Order deny,allow
Deny from all
Allow from ::127.0.0.0/8
ErrorDocument 403 /error/HTTP_XAMPP_FORBIDDEN.html.var
</LocationMatch>

# Close XAMPP sites here
<LocationMatch "^/(?i:(?:xampp|licenses|phpmyadmin|webalizer|server-status|server-info))">
Order deny,allow
Deny from all
Allow from ::1 127.0.0.0/8
Allow from ::1 xxx.xxx.x.xxx (IP address of computer with xampp)
Allow from ::1 yyy.yyy.y.yyy (IP address of computer with xampp)
ErrorDocument 403 /error/HTTP_XAMPP_FORBIDDEN.html.var
</LocationMatch>

I believe the recommended solution is:


# Close XAMPP security section here
<LocationMatch "^/(?i:(?:security))">
Order deny,allow
Deny from all
Allow from ::127.0.0.0/8
ErrorDocument 403 /error/HTTP_XAMPP_FORBIDDEN.html.var
</LocationMatch>

# Close XAMPP sites here
<LocationMatch "^/(?i:(?:xampp|licenses|phpmyadmin|webalizer|server-status|server-info))">
Order deny,allow
Deny from all
Allow from ::1 127.0.0.0/8 xxx.xxx.x.xxx yyy.yyy.y.yyy (x & y being the IP addresses of computer with xampp and remote computer)
ErrorDocument 403 /error/HTTP_XAMPP_FORBIDDEN.html.var
</LocationMatch>

Did I follow your recommendations as intended? Is what I had in place basically the same (just curious for learning purposes...I tested putting all of the IP addresses on one line and it works)? Would I need to add another IP if we add another computer to the network and want to connect to xampp from there?

Thank you!

Caprice

[Sharley]

Hello Caprice.
You could replace that last section with this part which covers all the bases using CIDR (Classless Inter-Domain Routing) then you should not have to add any future local addresses.

Code: Select all

    Order deny,allow
    Deny from all
    Allow from ::1 127.0.0.0/8 \
               fc00::/7 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 \
               fe80::/10 169.254.0.0/16

A useful online calculator can be found here:
http://www.subnet-calculator.com/cidr.php

Best wishes.

[Altrea]

n the default 1.7.7 httpd-xampp.conf that section is now split in to 2 separate sections so that 127.0.0.1 only has access to the security folder and denies access from the LAN.
The second section will allow access to those other server sensitive folders from the LAN only.

Thank you Sharley, didn't see that before

[cdelorm]

Thank you for the additional information Sharley, and for the link. Much appreciated!

~ Caprice

[Sharley]

Caprice, your most welcome and thanks for the feedback.

Best wishes.