Xampp Security concept

Problems with the Windows version of XAMPP, questions, comments, and anything related.

Xampp Security concept

Postby Plomien » 07. April 2015 11:18

Hello,

So i succesfully deployed XAMPP in my local network now i want to set up security concept to :

- Only localhost with XAMPP can have access to all admin stuff IP 192.168.1.101
- All local network can run apps/pages from this XAMPP server. 192.168.1.102 to 110

Right now i'm away from my server, so i can't test my idea, but i want to ask you as more experienced users if it will work.

So in my in my idea, config file should look like this :

#
# New XAMPP security concept
#
<LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
Allow from 192.168.1.101
ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
</LocationMatch>

<LocationMatch "^/(?i:(?:xampp))">
Allow from 192.168.1.96/255.255.255.240
ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
</LocationMatch>

What do you guys think?
Plomien
 
Posts: 3
Joined: 07. April 2015 10:55
Operating System: Windows 7/8.1/2012 Server

Re: Xampp Security concept

Postby Altrea » 07. April 2015 17:51

Hi,

Plomien wrote:What do you guys think?

Way too complicated.

Plomien wrote:- Only localhost with XAMPP can have access to all admin stuff IP 192.168.1.101

Is 192.168.1.101 the LAN IP your XAMPP is installed to? Then you don't need to change anything. "Require local" already covers IPv4 (127.0.0.0/8) and IPv6 ([::1]) localhost loopback addresses as well as the LAN IP of the server.
If this IP is additionally, than something like this would be ideal:
Code: Select all
<LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
    Require local
    Require ip 192.168.1.101
    ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
</LocationMatch>


Plomien wrote:- All local network can run apps/pages from this XAMPP server. 192.168.1.102 to 110

By default, all requests not matching the new security concept are requestable from LAN IPs.
So for example http://192.168.1.101/wordpress is not covered by the security concept.
There is no additional configuration needed.

best wishes,
Altrea
We don't provide any support via personal channels like PM, email, Skype, TeamViewer!

It's like porn for programmers 8)
User avatar
Altrea
AF Moderator
 
Posts: 8286
Joined: 17. August 2009 13:05
XAMPP version: several
Operating System: Windows 10 Pro x64

Re: Xampp Security concept

Postby Plomien » 08. April 2015 08:32

Altrea wrote:Hi,
.......
Altrea



Thank you for your advice.
The result i wanted to achive is that all modules like security, server-status, phpmyadmin are reachable only from server which is 192.168.1.101.
Will it work as i intended with your setup?
Plomien
 
Posts: 3
Joined: 07. April 2015 10:55
Operating System: Windows 7/8.1/2012 Server

Re: Xampp Security concept

Postby JJ_Tagy » 08. April 2015 12:47

Perhaps you missed it, but he already answered exactly what you are asking.

Altrea wrote:Is 192.168.1.101 the LAN IP your XAMPP is installed to? Then you don't need to change anything. "Require local" already covers IPv4 (127.0.0.0/8) and IPv6 ([::1]) localhost loopback addresses as well as the LAN IP of the server.
JJ_Tagy
 
Posts: 678
Joined: 30. January 2012 13:44
Operating System: Windows 10 Pro x64

Re: Xampp Security concept

Postby Nobbie » 08. April 2015 14:02

JJ_Tagy wrote:
Altrea wrote:Is 192.168.1.101 the LAN IP your XAMPP is installed to? Then you don't need to change anything. "Require local" already covers IPv4 (127.0.0.0/8) and IPv6 ([::1]) localhost loopback addresses as well as the LAN IP of the server.


Anyway, this is NOT quite right. The original documentation says:

Require local

The local provider allows access to the server if any of the following conditions is true:

the client address matches 127.0.0.0/8
the client address is ::1
both the client and the server address of the connection are the same

This allows a convenient way to match connections that originate from the local host:


So the LAN IP is not a criteria in any way. But (for example) if a client browser request "localhost" but uses 192.168.1.101 as REMOTE_ADDR, "Require local" is FALSE. Same if the PCs has two different LAN IPs and it request from one IP to the other IP. Probably in many or most cases the request is sent by the same LAN IP as the Server IP, but there are execptions. Anyway, the IP needs not be a LAN IP.

And (finally and most important), if you have XAMPP on one LAN PC, a client on another LAN PC, a HTTP Request does not satisfy the "Require local" rule, this will be FALSE.
Nobbie
 
Posts: 8759
Joined: 09. March 2008 13:04

Re: Xampp Security concept

Postby Altrea » 08. April 2015 15:27

Nobbie wrote:So the LAN IP is not a criteria in any way. But (for example) if a client browser request "localhost" but uses 192.168.1.101 as REMOTE_ADDR, "Require local" is FALSE.

:?:
Image
We don't provide any support via personal channels like PM, email, Skype, TeamViewer!

It's like porn for programmers 8)
User avatar
Altrea
AF Moderator
 
Posts: 8286
Joined: 17. August 2009 13:05
XAMPP version: several
Operating System: Windows 10 Pro x64

Re: Xampp Security concept

Postby Nobbie » 08. April 2015 15:55

*gähn*
Nobbie
 
Posts: 8759
Joined: 09. March 2008 13:04

Re: Xampp Security concept

Postby Plomien » 08. April 2015 20:33

Required local worked.

Sorry for confusion i was messing up privilages between allow and require.

Thank you for your help and explanation :)
Plomien
 
Posts: 3
Joined: 07. April 2015 10:55
Operating System: Windows 7/8.1/2012 Server


Return to XAMPP for Windows

Who is online

Users browsing this forum: No registered users and 43 guests