
Xampp Security concept

Posted: 07. April 2015 11:18
by Plomien
Hello,

So I successfully deployed XAMPP in my local network; now I want to set up a security concept so that:

- Only localhost with XAMPP can have access to all admin stuff IP 192.168.1.101
- All local network can run apps/pages from this XAMPP server. 192.168.1.102 to 110

Right now I'm away from my server, so I can't test my idea, but I want to ask you, as more experienced users, if it will work.

So in my idea, the config file should look like this:

#
# New XAMPP security concept
#
<LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
Allow from 192.168.1.101
ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
</LocationMatch>

<LocationMatch "^/(?i:(?:xampp))">
Allow from 192.168.1.96/255.255.255.240
ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
</LocationMatch>

What do you guys think?

Re: Xampp Security concept

Posted: 07. April 2015 17:51
by Altrea
Hi,

Plomien wrote: What do you guys think?

Way too complicated.

Plomien wrote: - Only localhost with XAMPP can have access to all admin stuff IP 192.168.1.101

Is 192.168.1.101 the LAN IP your XAMPP is installed to? Then you don't need to change anything. "Require local" already covers IPv4 (127.0.0.0/8) and IPv6 ([::1]) localhost loopback addresses as well as the LAN IP of the server.
If this IP is an additional one, then something like this would be ideal:
Code:
<LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
    Require local
    Require ip 192.168.1.101
    ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
</LocationMatch>


Plomien wrote: - All local network can run apps/pages from this XAMPP server. 192.168.1.102 to 110

By default, all requests not matching the new security concept are requestable from LAN IPs.
So for example http://192.168.1.101/wordpress is not covered by the security concept.
There is no additional configuration needed.

best wishes,
Altrea

Re: Xampp Security concept

Posted: 08. April 2015 08:32
by Plomien
Altrea wrote: Hi,
.......
Altrea



Thank you for your advice.
The result I wanted to achieve is that all modules like security, server-status, phpmyadmin are reachable only from the server, which is 192.168.1.101.
Will it work as I intended with your setup?

Re: Xampp Security concept

Posted: 08. April 2015 12:47
by JJ_Tagy
Perhaps you missed it, but he already answered exactly what you are asking.

Altrea wrote: Is 192.168.1.101 the LAN IP your XAMPP is installed to? Then you don't need to change anything. "Require local" already covers IPv4 (127.0.0.0/8) and IPv6 ([::1]) localhost loopback addresses as well as the LAN IP of the server.

Re: Xampp Security concept

Posted: 08. April 2015 14:02
by Nobbie
JJ_Tagy wrote:
Altrea wrote: Is 192.168.1.101 the LAN IP your XAMPP is installed to? Then you don't need to change anything. "Require local" already covers IPv4 (127.0.0.0/8) and IPv6 ([::1]) localhost loopback addresses as well as the LAN IP of the server.


Anyway, this is NOT quite right. The original documentation says:

Require local

The local provider allows access to the server if any of the following conditions is true:

- the client address matches 127.0.0.0/8
- the client address is ::1
- both the client and the server address of the connection are the same

This allows a convenient way to match connections that originate from the local host:


So the LAN IP is not a criterion in any way. But (for example) if a client browser requests "localhost" but uses 192.168.1.101 as REMOTE_ADDR, "Require local" is FALSE. Same if the PC has two different LAN IPs and it requests from one IP to the other IP. Probably in many or most cases the request is sent by the same LAN IP as the server IP, but there are exceptions. Anyway, the IP need not be a LAN IP.

And (finally and most important), if you have XAMPP on one LAN PC and a client on another LAN PC, an HTTP request does not satisfy the "Require local" rule; this will be FALSE.
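
Added example, not part of any post in this thread and not Apache's own code: a small Python model of the access decision for the LocationMatch block with both Require lines, run over constructed connections. The second server interface 10.0.0.5 and the assumption that no other access rule covers non-matching paths are illustrative.

```python
import ipaddress
import re

# Path pattern copied from the LocationMatch block in the thread.
ADMIN_RE = re.compile(
    r"^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))"
)

def require_local(client: str, server: str) -> bool:
    """The three conditions quoted from the documentation for 'Require local'."""
    c, s = ipaddress.ip_address(client), ipaddress.ip_address(server)
    return (
        c in ipaddress.ip_network("127.0.0.0/8")   # client matches 127.0.0.0/8
        or c == ipaddress.ip_address("::1")        # client is ::1
        or c == s                                  # client and server address are the same
    )

def require_ip(client: str, spec: str) -> bool:
    """'Require ip <spec>': the client address lies inside the address or network."""
    return ipaddress.ip_address(client) in ipaddress.ip_network(spec, strict=False)

def decide(path: str, client: str, server: str) -> int:
    """HTTP status for one request under the block with both Require lines."""
    if not ADMIN_RE.search(path):
        return 200  # assumption: no other access rule covers this path
    # Several Require lines outside a container: any one of them is enough.
    allowed = require_local(client, server) or require_ip(client, "192.168.1.101")
    return 200 if allowed else 403

# Constructed sample connections: (path, client address, server address).
# 10.0.0.5 is a hypothetical second interface on the server.
SAMPLES = [
    ("/phpmyadmin/", "127.0.0.1", "127.0.0.1"),
    ("/phpmyadmin/", "192.168.1.101", "192.168.1.101"),
    ("/phpMyAdmin/", "192.168.1.105", "192.168.1.101"),
    ("/server-status", "192.168.1.101", "10.0.0.5"),
    ("/wordpress/", "192.168.1.105", "192.168.1.101"),
]

if __name__ == "__main__":
    for path, client, server in SAMPLES:
        print(f"{path:16} {client:15} -> {server:15} {decide(path, client, server)}")
```

The fourth sample is the two-address case: "Require local" alone does not match it, and the request is allowed only through the "Require ip 192.168.1.101" line.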

Re: Xampp Security concept

Posted: 08. April 2015 15:27
by Altrea
Nobbie wrote: So the LAN IP is not a criterion in any way. But (for example) if a client browser requests "localhost" but uses 192.168.1.101 as REMOTE_ADDR, "Require local" is FALSE.

:?:

Re: Xampp Security concept

Posted: 08. April 2015 15:55
by Nobbie
*yawn*

Re: Xampp Security concept

Posted: 08. April 2015 20:33
by Plomien
Required local worked.

Sorry for the confusion, I was messing up privileges between allow and require.

Thank you for your help and explanation :)