
XAMPP Security

Posted: 20. May 2015 16:17
by banberry
I went to the security page from the XAMPP admin and plugged in a User and Password. It replied it saved info to a couple of directories. However, I expected a login screen whenever I access from other computers. It doesn't stop anything. The XAMPP admin says XAMPP is secure but I cannot tell. How can I test its security?

Re: XAMPP Security

Posted: 20. May 2015 23:12
by glitzi85
What do you see when you access the XAMPP Host from another computer? The XAMPP site?
Does the file C:\xampp\htdocs\xampp\.htaccess exist? If yes, please post it.

Re: XAMPP Security

Posted: 28. May 2015 05:14
by banberry
When I type in localhost I see the XAMPP Admin page. My htaccess in htdocs/xampp says...
AuthName "xampp user"
AuthType Basic
AuthUserFile "C:\xampp\security\xampp.users"
require valid-user

The AuthUserFile houses the credentials. I have two XAMPP setups. One at home and one at work. The one at home behaves differently. If I type in localhost/xampp directly I get the login dialog. However, if I just type in localhost it goes to the xampp admin page w/o a login. The work one doesn't ever show the login dialog no matter what I type. I would expect a login when you type localhost.

Is there a set of best practices on how to lock down xampp?

Also, I would like to turn off directory browsing.

Re: XAMPP Security

Posted: 28. May 2015 07:07
by gsmith
banberry wrote: If I type in localhost/xampp directly I get the login dialog. However, if I just type in localhost it goes to the xampp admin page w/o a login. The work one doesn't ever show the login dialog no matter what I type. I would expect a login when you type localhost.

OK, I have a hard time believing this because this IS strange. That said, http://localhost is redirected to http://localhost/xampp by the index.php file in /xampp/htdocs. So it's landing in the same place. If you've already logged in to http://localhost/xampp then it should not ask you again whichever URL you use.

Why one works differently than the other could simply be because it's configured differently. It may be a very subtle difference at that.

banberry wrote: Also, I would like to turn off directory browsing.

http://httpd.apache.org/docs/2.4/mod/core.html#options

Re: XAMPP Security

Posted: 29. May 2015 03:29
by gsmith
I should probably also mention that understanding how the config sections are merged and what overrides what is probably not a bad idea either.
http://httpd.apache.org/docs/2.4/mod/mo ... uthmerging
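
Added example, not part of the thread or of XAMPP: a browser that has already logged in keeps resending its cached credentials, so a check that sends none shows more reliably whether the .htaccess login is enforced, where a redirect lands, and whether directory browsing is on. The function names, the sample responses and the 192.0.2.10 address are constructed placeholders.

```python
import urllib.error
import urllib.request


def assess(status, headers, body):
    """Classify one response to a request that carried no credentials."""
    challenge = headers.get("WWW-Authenticate", "")
    if status == 401 and challenge.lower().startswith("basic"):
        return "protected"          # the Basic auth from .htaccess is enforced
    if status == 200 and "<title>Index of /" in body:
        return "directory-listing"  # mod_autoindex page: Options Indexes is on
    if status == 200:
        return "open"               # content served without any login
    return "other"                  # 403, 404, 5xx: inspect by hand


def probe(url, timeout=5):
    """Fetch url without credentials; return (final_url, verdict).

    urllib follows redirects, so final_url shows where the request landed.
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read(65536).decode("latin-1")
            return resp.geturl(), assess(resp.status, resp.headers, body)
    except urllib.error.HTTPError as err:   # 401 and other 4xx/5xx arrive here
        return err.url, assess(err.code, err.headers, "")


# Constructed sample responses (not captured from a real server).
SAMPLES = {
    "login enforced": (401, {"WWW-Authenticate": 'Basic realm="xampp user"'}, ""),
    "no login": (200, {}, "<html><title>XAMPP</title></html>"),
    "listing": (200, {}, "<html><head><title>Index of /files</title></head></html>"),
}

if __name__ == "__main__":
    for name, (status, headers, body) in SAMPLES.items():
        print(f"{name:15} -> {assess(status, headers, body)}")
    # Against your own server (placeholder address), run from another computer:
    # for path in ("/", "/xampp/"):
    #     print(probe("http://192.0.2.10" + path))
```

Run it from a second machine against the server's real address rather than localhost, since that is the access path the login is meant to stop.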