Locking down XAMPP for localhost *only*


Postby memilanuk » 07. October 2009 21:49

Hello all,

It looks like this is a little different twist on the usual question here (i.e. how to make XAMPP available to the network) - instead I'm interested in how to lock it down (as simply as possible) so that the various servers listen *only* on the loopback interface i.e. 127.0.0.1 or 'localhost'.

I've read through the security blurb in the readme*.txt file, and I've gone to the page @ http://localhost/security/xamppsecurity.php and did the steps provided there (passwords for mysql users 'root' and 'pma' and secured directory access for 'xampp').

So... now what? I'm not at a spot (right this minute) where I can wantonly start poking/prodding to see if the apache/mysql servers respond on the external NIC interface. What I have in mind (way down the road) is having a pre-canned htdocs folder and mysql database that I can somehow provide to end-users (volunteer project) as part of a web-browser based app that they can host on their own machines. Some (many) may not have anything suitable installed on their computer (most likely older hardware, possibly laptops, most likely stand-alone un-networked) so I thought XAMPP (lite) might be able to provide a relatively simple way to set up a basic webserver/sql database for them to use. I'd like to be able to outline how to at least do a simple closing of windows and doors so to speak, so if they do end up using a networked machine the web & database servers aren't a blatant security risk on an external interface...

If someone could point me in the right direction I'd greatly appreciate it.

TIA,

Monte
memilanuk
 
Posts: 31
Joined: 14. August 2009 23:19

Re: Locking down XAMPP for localhost *only*

Postby Nobbie » 07. October 2009 22:00

memilanuk wrote: servers listen *only* on the loopback interface i.e. 127.0.0.1 or 'localhost'.


For Apache:

Edit httpd.conf and supply

Listen 127.0.0.1


For MySQL:

Edit my.ini (or my.cnf - depends on your installation):

Look for section [mysqld] and supply

bind_address 127.0.0.1

or supply

skip_networking
(mysqld will not listen to any TCP/IP port but will work via sockets locally only)
Nobbie
 
Posts: 13182
Joined: 09. March 2008 13:04

Re: Locking down XAMPP for localhost *only*

Postby memilanuk » 07. October 2009 23:02

Thanks!

Another simple (and probably silly) question... if I went the route of 'skip_networking', how would it affect calling/connecting from php commands, if at all?

Edited to add: the line for httpd.conf does not work as shown above; 'Listen 127.0.0.1:80' does.
memilanuk
 
Posts: 31
Joined: 14. August 2009 23:19

Re: Locking down XAMPP for localhost *only*

Postby memilanuk » 03. January 2010 01:27

Hello... having some problems here with the mysql part.

If I add the lines as mentioned above to the mysql config file, mysqld will not start. Or more precisely it starts, and then exits.

Any other ideas?

TIA,

Monte
memilanuk
 
Posts: 31
Joined: 14. August 2009 23:19

Re: Locking down XAMPP for localhost *only*

Postby Izzy » 03. January 2010 01:44

memilanuk wrote:...Or more precisely it starts, and then exits.
Any clues in the \xampp\mysql\data\mysql.err file?

Try bind_address = 127.0.0.1


The skip-networking reference only requires you to remove the comment # at the start of the line, not adding it again in the [mysqld] section; also the reference is an "or", not an "and" - so just use one or the other.
Izzy
 
Posts: 3344
Joined: 25. April 2006 17:06

Re: Locking down XAMPP for localhost *only*

Postby memilanuk » 03. January 2010 02:17

Excerpt from mysql.err:

100102 16:06:30 [ERROR] E:\xampplite\mysql\bin\mysqld.exe: unknown option '--bind_address 127.0.0.1'
100102 16:06:30 [ERROR] Aborting


Looking at the mysql manual it shows the command line option as '--bind_address=' and the config file option as 'bind_address'. I guess between that and the original example provided I thought I wasn't supposed to supply an '=' in between, but taking a look at the rest of my.ini, *everything* that has a value assigned to it uses an '='. Whoops. :oops:

The skip-networking reference only requires you to remove the comment # at the start of the line, not adding it again in the [mysqld] section; also the reference is an "or", not an "and" - so just use one or the other.


Sorry for not being more clear in that last post - I was just referring to the bind-address line. But I am curious about the 'skip-networking' bit... you're saying it's an either/or with 'bind_address'?

The big question I have with 'skip-networking' is this: if I comment out 'bind_address' and uncomment 'skip-networking'... will I be able to connect to the local database via web pages on the local machine - things like phpmyadmin, scripts from my web pages, etc.?

Thanks,

Monte
memilanuk
 
Posts: 31
Joined: 14. August 2009 23:19

Re: Locking down XAMPP for localhost *only*

Postby Wiedmann » 03. January 2010 02:45

Looking at the mysql manual it shows the command line option as '--bind_address=' and the config file option as 'bind_address'.

Maybe you want to read the MySQL manual a second time:
http://dev.mysql.com/doc/refman/5.1/en/server-options.html#option_mysqld_bind-address
Wiedmann
AF Moderator
 
Posts: 17102
Joined: 01. February 2004 12:38
Location: Stuttgart / Germany

Re: Locking down XAMPP for localhost *only*

Postby memilanuk » 03. January 2010 06:45

Command Line Format: --bind-address=name
Config File Format: bind-address


Guess I would expect it to read 'Config File Format: bind-address=name' if that's what they meant.
memilanuk
 
Posts: 31
Joined: 14. August 2009 23:19
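
The two configuration mistakes that came up in this thread (a `Listen` line without a port, and `bind_address` written without `=`) can be caught before restarting the servers. The following is an added example, not part of the original posts: a small checker run over constructed `httpd.conf` and `my.ini` fragments. Function names are hypothetical, and only the literal addresses 127.0.0.1 and ::1 are treated as loopback.

```python
import re

# Constructed fragments reproducing the mistakes discussed in this thread.
HTTPD_CONF = "ServerName localhost\nListen 127.0.0.1\nListen 80\nListen 127.0.0.1:80\n"
MY_INI = "[client]\nport = 3306\n[mysqld]\nport = 3306\n#skip-networking\nbind_address 127.0.0.1\n"
LOOPBACK = {"127.0.0.1", "::1"}  # simplification: literal loopback addresses only

def check_httpd(text):
    """Return (line_no, problem) for every Listen directive that is not loopback-only."""
    problems = []
    for no, line in enumerate(text.splitlines(), 1):
        m = re.match(r"\s*Listen\s+(\S+)", line, re.IGNORECASE)
        if not m:
            continue
        host, _, port = m.group(1).rpartition(":")
        if not port.isdigit():
            problems.append((no, "no port given: Listen needs address:port"))
        elif not host:
            problems.append((no, "port only: Apache listens on every interface"))
        elif host.strip("[]") not in LOOPBACK:
            problems.append((no, f"bound to {host}, not loopback"))
    return problems

def check_mysqld(text):
    """Return (line_no, problem) for the [mysqld] section; line 0 means the whole file."""
    problems, section, locked = [], None, False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
        name, eq, value = line.partition("=")
        # mysqld accepts '-' and '_' interchangeably in option names
        key = (name.replace("_", "-").split() or [""])[0]
        if section != "mysqld" or key not in ("bind-address", "skip-networking"):
            continue
        if key == "skip-networking":
            locked = True
        elif not eq:
            problems.append((no, "value without '=': mysqld aborts with 'unknown option'"))
        elif value.strip() in LOOPBACK:
            locked = True
        else:
            problems.append((no, f"bound to {value.strip()}, not loopback"))
    if not locked:
        problems.append((0, "no effective bind-address or skip-networking"))
    return problems

print(check_httpd(HTTPD_CONF), check_mysqld(MY_INI))
```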

