HOW TO SECURE XAMPP ADMINISTRATION?
Ok, folks here it goes. Step by step instruction. Words in all caps (i.e. CAPITAL LETTERS) are instructions or things you should pay special attention to.
------------------------------------------------
1. MAKE A PASSWORD FILE FOR USERS
-----------------------------------------------
GO TO YOUR XAMPP/APACHE/BIN DIRECTORY AND LOOK FOR A PROGRAM CALLED htpasswd.exe. THIS IS THE LITTLE EXECUTABLE THAT MAKES USER/PASSWORD COMBINATIONS AND STORES THEM ENCRYPTED IN YOUR DESIGNATED FILE. YOU MUST USE IT FROM THE COMMAND CONSOLE (start > run > command), THEN CHANGE DIRECTORY TO WHERE YOU HAVE XAMPP/APACHE/BIN. ON MY COMPUTER I TYPE:
cd c:\xampp\apache\bin
YOU CAN TYPE "htpasswd.exe /?" TO LEARN MORE ABOUT htpasswd.exe OPTIONS. IMPORTANT: THE "-c" OPTION CREATES THE PASSWORD FILE. USE IT ONLY ONCE FOR YOUR FIRST USER. EXAMPLE:
htpasswd.exe -c C:\xampp\apache\bin\passwords USERNAME
TO ADD USERS TO THE FILE, DON'T USE THE "-c" OPTION. EXAMPLE:
htpasswd.exe C:\xampp\apache\bin\passwords USERNAME
CHANGE "USERNAME" TO WHATEVER NAME YOU WANT AS YOUR XAMPP ADMINISTRATOR. THE CONSOLE WILL ASK FOR A PASSWORD (CHANGE "MYPASSWORD" TO WHATEVER YOU WANT):
New password: MYPASSWORD
Re-type new password: MYPASSWORD
Adding password for user username
FOR REFERENCE, SEE
http://httpd.apache.org/docs-2.0/howto/auth.html
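To see what htpasswd.exe actually writes into the password file, here is an added example (my own code, not part of the original post or of Apache) that parses a constructed htpasswd file and checks a login against it. It implements the two formats htpasswd.exe produces on Windows: the default "$apr1$" entry (Apache's MD5-based crypt with a salt and 1000 rounds) and the "{SHA}" entry written with the -s option. The sample lines, user names and passwords are constructed for the example; it assumes Python 3 and only the standard library.

```python
"""Verify entries in an Apache htpasswd file (added example, not the original
post's code). Understands the "$apr1$" (default on Windows) and "{SHA}" (-s)
formats that htpasswd.exe writes. The sample file below is constructed here."""
import base64
import hashlib
import hmac
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    # Apache's own base-64 variant: least-significant 6 bits come out first.
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def apr1_md5(password, salt):
    """Return the "$apr1$salt$hash" string htpasswd stores for password."""
    pw = password.encode("utf-8")
    salt = salt[:8].encode("ascii")
    magic = b"$apr1$"

    ctx = hashlib.md5(pw + magic + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bits = len(pw)
    while bits:
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()

    # 1000 rounds of stretching that mix password, salt and the previous digest.
    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    # Reorder the 16 digest bytes and encode 22 characters, as apr_md5.c does.
    encoded = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    encoded += _to64(final[11], 2)
    return "$apr1$" + salt.decode("ascii") + "$" + encoded


def sha1_entry(password):
    """Return the "{SHA}..." string written by htpasswd -s (unsalted SHA-1)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def verify(password, stored):
    """Check a password against one stored hash; False for unknown formats."""
    if stored.startswith("$apr1$"):
        salt = stored.split("$")[2]  # reuse the stored salt to recompute
        candidate = apr1_md5(password, salt)
    elif stored.startswith("{SHA}"):
        candidate = sha1_entry(password)
    else:
        return False
    return hmac.compare_digest(candidate, stored)


def load_htpasswd(text):
    """Parse "user:hash" lines into a dict, skipping blanks and comments."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        users[user] = stored
    return users


def check_login(text, user, password):
    """True only if the user exists and the password matches its stored hash."""
    users = load_htpasswd(text)
    return user in users and verify(password, users[user])


def new_entry(user, password):
    """Build a line equivalent to 'htpasswd passwords USER' with a fresh salt."""
    salt = "".join(ITOA64[b % 64] for b in os.urandom(8))
    return user + ":" + apr1_md5(password, salt)


# Constructed sample file in the same layout htpasswd.exe produces.
SAMPLE_FILE = "\n".join([
    "# constructed admin accounts for the XAMPP area",
    new_entry("admin", "MYPASSWORD"),
    "auditor:" + sha1_entry("read-only"),
])

if __name__ == "__main__":
    print("admin / MYPASSWORD  ->", check_login(SAMPLE_FILE, "admin", "MYPASSWORD"))
    print("admin / wrong       ->", check_login(SAMPLE_FILE, "admin", "wrong"))
    print("auditor / read-only ->", check_login(SAMPLE_FILE, "auditor", "read-only"))
```

Run it and compare the first generated line with what your own htpasswd.exe wrote: the salt differs every time, but the layout ("user:$apr1$salt$22chars") is the same, and verify() recomputes the hash from the stored salt exactly the way Apache does at login time.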
------------------------------------------------------------------
2. ADD NAME-BASED VHOSTS IN xampp/apache/conf/httpd.conf
------------------------------------------------------------------
# To secure the xampp admin files located at xampp/htdocs,
# add these directives to the bottom of your httpd.conf file located
# at \xampp\apache\conf
### Note: in Apache config files, lines starting with "#" are ignored
### and serve as comments. "#" must be the first character of the line.
NameVirtualHost *:80
NameVirtualHost *:443
<VirtualHost *:80>
# Change the DocumentRoot path to your own path to htdocs
DocumentRoot "C:/xampp/htdocs"
# Change the ServerName to your own domain, or the name
# you use to reach your xampp installation from the internet
ServerName YOUR.DOMAIN.COM
# Send every plain-http request to the same path on the https site:
RedirectMatch ^/(.*)$ "https://YOUR.DOMAIN.COM/$1"
</VirtualHost>
<VirtualHost *:443>
# Change the DocumentRoot path to your own path to htdocs:
DocumentRoot "C:/xampp/htdocs"
# YOUR.DOMAIN.COM must be the same as what you put above VirtualHost at port 80:
ServerName YOUR.DOMAIN.COM
# If you want to track your logs on who has accessed your xampp,
# change the below filenames for the logs to whatever you want, and
# uncomment (i.e. delete the "#") the ErrorLog and TransferLog lines:
# ErrorLog logs/YOURDOMAIN_ADMIN_sslerror.log
# TransferLog logs/YOURDOMAIN_ADMIN_sslaccess.log
SSLEngine on
# Server Certificate, change path to the correct one on your machine:
SSLCertificateFile "C:/xampp/apache/conf/ssl.crt/server.crt"
# Server Private Key, change path to the correct one on your machine:
SSLCertificateKeyFile "C:/xampp/apache/conf/ssl.key/server.key"
# HERE IS THE PASSWORD PROTECTION PART. Basic auth sends the username and
# password only base64-encoded, so this <Directory> block belongs inside the
# *:443 virtual host, where SSL protects the credentials on the wire.
# Change path to your own htdocs folder:
<Directory "C:/xampp/htdocs">
AuthType Basic
AuthName "Welcome to my XAMPP admin area"
# Change "passwords" to the path of the password file you created in step 1:
AuthUserFile "C:/xampp/apache/bin/passwords"
# Change USERNAME to the user having access to this directory:
Require user USERNAME
</Directory>
</VirtualHost>
### to learn more about VirtualHosts, see
http://httpd.apache.org/docs-2.0/vhosts/
----------------------------------------------------
3. CHECK YOUR WORK AND RESTART APACHE
-----------------------------------------------------
NOW THOROUGHLY CHECK YOUR httpd.conf FILE TO MAKE SURE THERE ARE NO DUPLICATE OR CONFLICTING DIRECTIVES AND THAT YOU HAVE NOT MADE ANY ERRORS, THEN GO TO "xampp/apache/bin" AND IN A CONSOLE WINDOW TYPE:
apache.exe -S
THIS CHECKS YOUR httpd.conf FILE FOR SYNTAX ERRORS AND SHOWS THE VIRTUAL HOSTS AS APACHE PARSED THEM... IF ALL IS OK, THEN RESTART APACHE GRACEFULLY BY TYPING:
apache.exe -k restart
THIS FORCES APACHE TO RESTART GRACEFULLY AND TO REREAD AND APPLY THE "httpd.conf" CONFIG FILE.
GOOD LUCK.
P.S. If you want to use your own SSL cert/key combination, you can. Just change the SSLCertificateFile and SSLCertificateKeyFile paths. To make your own certificate/key combination, read the OpenSSL docs at
http://www.openssl.org/docs/HOWTO. The openssl.exe executable is also in the apache/bin directory.