Apache Friends Support Forum

[heywood]

Hi!

Xampp is a very nice package, although I have some problems making it secure.

Here's what I want:
• Make ALL pages Apache serves only accessible by localhost

That is, turn off all "outside" network traffic.
So I've edited httpd.conf like so:

Code: Select all

<Directory "/Applications/XAMPP/xamppfiles/htdocs">
    Options Indexes FollowSymLinks ExecCGI Includes
    AllowOverride All
    Order allow,deny
    Allow from 127.0.0.1, localhost
</Directory>

This seems to work! Yey! When I access my computers IP from another box I get a access denied screen. Good. Then I did this in httpd.conf :

Code: Select all

<Directory "/Applications/XAMPP/xamppfiles/phpmyadmin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from 127.0.0.1, localhost
</Directory>

This doesn't work though! :( I can still access http:x.x.x.x/phpmyadmin from another box! Can anyone help with this?

Then also, I commented out the user-folder-config file, as that was accessible from another box too. Anything else i need to turn off to make my dev server completely inaccessible from the network?

(Quite frankly, being able to have password-protected pages is nice and all, but really, if you're using XAMPP as a local dev server you're never going to access the computer from outside, so why even risk a password-attack by opening up authenticated access, right? It would be really awesome if XAMPP could come with a "xampp-private.conf" or something, for those of us who just use it as a local server. (Also, it's kind of a drag to have to type in passwords all the time when working locally. If a person gets access to my computer they can find passwords in php-files etc anyway. Right?)

[Izzy]

For phpMyAdmin take a look in apache\conf\extra\httpd-xampp.conf file and make your changes there perhaps instead of in the httpd.conf file as httpd-xampp.conf file will always override the httpd.conf file entries.

In httpd.conf have Apache Listen 127.0.0.1:80

[heywood]

Thanks!

Of course, doh! I reverted all the other edits. The

Listen 127.0.0.1:80

is enough. Also added

bind-address=127.0.0.1

in my.cnf for MySQL. Ok thanks I'm all set! : )

[heywood]

(The only annoying thing now is that the /security-page claims my pages are visible on the network.. I'll survive ^^ )

[Izzy]

(The only annoying thing now is that the /security-page claims my pages are visible on the network.. I'll survive ^^ )

You may be able to get rid of that message by setting a password for MySQL's root user and for a user/pass for XAMPP both in the Security pages, as the passwords are stored encrypted in an inaccessible from the net directory.