XAMPP for production use(need to be secure)?

Problems with the Windows version of XAMPP, questions, comments, and anything related.

XAMPP for production use(need to be secure)?

Postby iExchange » 20. October 2011 04:03

I heard that XAMPP is for development and testing uses only, but what if I want to use it for real production uses? How can I make it secure for this case?
Please give me some directions and pointings, thank you!
iExchange
 
Posts: 2
Joined: 20. October 2011 03:59
Operating System: win server 2008 r2

Re: XAMPP for production use(need to be secure)?

Postby Altrea » 20. October 2011 05:33

The question is, why you want to use XAMPP for that.

To administrate a public webserver some knowledge is nedded.
If you have this knowledge, you will be able to install Apache, PHP and MySQL as separated installations on your own.
Or you use a Stack which is made for production environments like Zend Server (CE) - see my signature.
Or you rent a webhost for that. That just cost you a few bucks, they take all the work for security and accessibility for you and you can concentrate on the important things.

XAMPP is not the correct Stack for this.
We don't provide any support via personal channels like PM, email, Skype, TeamViewer!

It's like porn for programmers 8)
User avatar
Altrea
AF Moderator
 
Posts: 11926
Joined: 17. August 2009 13:05
XAMPP version: several
Operating System: Windows 11 Pro x64

Re: XAMPP for production use(need to be secure)?

Postby Sharley » 20. October 2011 05:57

XAMPP has been designed for developers to get on with developing at localhost and not to have the worry about the security mechanics of the server suite and so security has been set in the configuration files as a low priority because the servers have no need to be open to the Internet - your PC firewall correctly configured will block most intruders.

Even if you are familiar with hardening the Apache and MySQL servers then in XAMPP you would still have issues with security.

Even using server suits and individual component installations designed for production the closing of all the security holes (hardening) is still a hit and miss exercise and those wishing to exploit your server seem to always find a new method - though they usually only target and exploit servers where the content aides their cause or those sites that the exploiters deem fair game, normally the average web site is not affected but not always as a general rule.

XAMPP is definitely not recommended and you should find a suggested alternative as all we can do here is pass on our qualified advice with your best interest, and those other innocent Internet users that you may affect, at heart.

Good luck ;)
User avatar
Sharley
AF Moderator
 
Posts: 3316
Joined: 03. October 2008 05:10
Location: Yeppoon, Australia Time Zone: GMT/UTC+10
Operating System: Win 7 Pro 32bit/XP Pro SP3

Re: XAMPP for production use(need to be secure)?

Postby str1 » 20. February 2012 15:04

I've been searching about this same thing and I'm sorry but I dont see any good argument who not to use XAMPP for production. Everyone is talking about security, but its kinda obvious that if you are going to put up an production environment, you will anyways update all root passwords etc. Only concern is the safety of the windows platform itself (more viruses), but if all is fine on that side, my opinion is that XAMPP is (almost) as good as LAMP if all neccessary configurations are done properly.
str1
 
Posts: 1
Joined: 20. February 2012 14:59
Operating System: Windows/Linux

Re: XAMPP for production use(need to be secure)?

Postby JonB » 20. February 2012 15:58

Well, as long as you aren't counting on anyone to answer your questions, I almost agree with you.

8)
User avatar
JonB
AF Moderator
 
Posts: 3210
Joined: 12. April 2010 16:41
Location: Land of the Blazing Sun
Operating System: Windows XP/7 - Fedora 15 1.7.7

Re: XAMPP for production use(need to be secure)?

Postby Altrea » 20. February 2012 19:30

Hi str1,

str1 wrote:if all is fine on that side, my opinion is that XAMPP is (almost) as good as LAMP if all neccessary configurations are done properly.

I don't agree with that for one reason:
You can't update any of the main single components of the XAMPP bundle. If a big security issue will be found in Apache HTTPD, you are fully dependend in a new XAMPP version to be released. And if you look into the last XAMPP releases for Windows, in most of the last ones there is no update function implemented, so a full new install was needed.

That's a dependency i don't want to have in a production environment. But maybe you want to.

If you have the knowledge to harden your XAMPP components for production environments feel free to use XAMPP for this. But any problems you will have with that will not be supported by the active supporters here.

best wishes,
Altrea
We don't provide any support via personal channels like PM, email, Skype, TeamViewer!

It's like porn for programmers 8)
User avatar
Altrea
AF Moderator
 
Posts: 11926
Joined: 17. August 2009 13:05
XAMPP version: several
Operating System: Windows 11 Pro x64

Re: XAMPP for production use(need to be secure)?

Postby cristianpark » 16. August 2012 15:25

Hi guys, a customer said the same thing (XAMPP is not for production environment) and got me thinking. I thought that /opt/lampp/lampp security was made for securying XAMPP so you can use it in real scenario, I disable MySQL too as I don't need it. In production, software updates are low (at least they are security related, even though, mostly security updates sadly are also ignored) so I think that if there isn't any big major security related patch, you can skip that, and correct me if I'm wrong, but you can recompile PHP (with the same version but with bug fixes) bundled with XAMPP (as you do for install extensions like PECL). Talking about updates, if you are using GNU/Linux and install from repos, you'll face the same because the versions depends on your S.O version (let's say Ubuntu 11.10 have PHP 5.3.6-13), if you compile manually PHP/Apache, you have to do new compile new version again (as far as I know) and you end in the same situation.

I like to know if there are other reasons for not to use XAMPP on production environments because I have it in two servers and no trouble so far (about 4 years in one)

Thanks in advance
cristianpark
 
Posts: 5
Joined: 29. April 2010 17:33

Re: XAMPP for production use(need to be secure)?

Postby Altrea » 16. August 2012 16:25

Hi cristianpark,

cristianpark wrote:HI thought that /opt/lampp/lampp security was made for securying

The XAMPP security script will make parts of XAMPP components more secure but it is not meant to be an entire security patch.
There are still maybe not needed ports/modules/functions activated, some settings are not setted as they should be for production environments (signatures, etc) and so on. And that is just the security part. A production server should be performant and stable too, so you need to configure the components to fit your needs and hardware equipment. All that changes cost that much time that you could install and configure the single components itself with all the benefit XAMPP could not provide (up to date components, upgradable, integrated into OS with its PATH variables and registry settings).

cristianpark wrote:In production, software updates are low (at least they are security related, even though, mostly security updates sadly are also ignored) so I think that if there isn't any big major security related patch, you can skip that

Simply take a look into the Apache/MySQL/PHP changelogs for security or stability related updates. On a live webserver updates are very important.

cristianpark wrote:correct me if I'm wrong, but you can recompile PHP (with the same version but with bug fixes) bundled with XAMPP (as you do for install extensions like PECL). Talking about updates, if you are using GNU/Linux and install from repos, you'll face the same because the versions depends on your S.O version (let's say Ubuntu 11.10 have PHP 5.3.6-13), if you compile manually PHP/Apache, you have to do new compile new version again (as far as I know) and you end in the same situation.

You are talking of XAMPP for Linux, but this here is XAMPP for Windows. This can be very different.

cristianpark wrote:I like to know if there are other reasons for not to use XAMPP on production environments because I have it in two servers and no trouble so far (about 4 years in one)

If you have the knowledge or simply don't want to listen the recommandation from the developers or supporters, you can use XAMPP for any environment you want.
At the end it's like driving a Ferrari up and down the Sahara: It is not recommend by the designers, but it is technically possible. It is your software and your server, so you can do whatever you want (but we will not provide any support for in production environment running XAMPP installations).

Personally I don't understand why people don't use the correct tool for their tasks, especially if they are available for free (Zend Server CE is certified and tested for production environments, and nearly as easy to install as XAMPP).

best wishes,
Altrea
We don't provide any support via personal channels like PM, email, Skype, TeamViewer!

It's like porn for programmers 8)
User avatar
Altrea
AF Moderator
 
Posts: 11926
Joined: 17. August 2009 13:05
XAMPP version: several
Operating System: Windows 11 Pro x64

Re: XAMPP for production use(need to be secure)?

Postby cristianpark » 16. August 2012 17:06

Hi Altrea, thanks for your quick and complete reply, sorry for the question but are you a XAMPP Developer?
Altrea wrote:Simply take a look into the Apache/MySQL/PHP changelogs for security or stability related updates. On a live webserver updates are very important.
I know, but they aren't applyed mostly on enterprises, they aren't updating/upgrading on regular basis. I know it shouldn't happen, but in my experience, it does
Altrea wrote:It is your software and your server, so you can do whatever you want (but we will not provide any support for in production environment running XAMPP installations).
How will you know wether I'm asking for support on a production or development environment? :D :D. Just kidding but in fact you can't
Altrea wrote:Personally I don't understand why people don't use the correct tool for their tasks, especially if they are available for free (Zend Server CE is certified and tested for production environments, and nearly as easy to install as XAMPP).

best wishes,
Altrea
Zend Server CE has deb/rpm packages but it's no easy install on any distro that uses another package system, also, if you install the package like that, you have to upgrade when needed and so on, just like the problem with XAMPP IMHO. I can read between lines (when you talk about Windows version) that in a GNU/Linux OS, XAMPP is usable on production environment with the changes of services unwanted, am I wrong?

The OS optimization is what I think is the deal breaker, manual compilation will be better for that, but for practical purposes, one need tools that integrate the individual packages and I think XAMPP fits that well (on Linux particulary) but I will take your advice and give Zend Server CE a try.
cristianpark
 
Posts: 5
Joined: 29. April 2010 17:33

Re: XAMPP for production use(need to be secure)?

Postby Altrea » 16. August 2012 18:05

cristianpark wrote:sorry for the question but are you a XAMPP Developer?

No, i am not. I am a volunteer supporter

cristianpark wrote:I know, but they aren't applyed mostly on enterprises, they aren't updating/upgrading on regular basis.

I do have both sides, clients that want to have their environment up to date (which means have at least the minor branch of the components up to date and just use active and still supported branches of used single components) and clients which want to stay on an installation as long it is running (never touch a running system). None of them do a better job then the other, but if you want to do serious professional webserver work, the first type of clients will have some advantages in my opinion (if you want to buy a security system for your house you will not choose the company with the old holey wooden fences, do you?).

cristianpark wrote:How will you know wether I'm asking for support on a production or development environment? :D :D. Just kidding but in fact you can't

Okay, let me be more specific: We will not provide any support for production environment topics (like "my server isn't fast/stable/secure enough, my server is under attack", etc).

cristianpark wrote:I can read between lines (when you talk about Windows version) that in a GNU/Linux OS, XAMPP is usable on production environment with the changes of services unwanted, am I wrong?

Yes, you are wrong. I would never say that (not even between the lines).

best wishes,
Altrea
We don't provide any support via personal channels like PM, email, Skype, TeamViewer!

It's like porn for programmers 8)
User avatar
Altrea
AF Moderator
 
Posts: 11926
Joined: 17. August 2009 13:05
XAMPP version: several
Operating System: Windows 11 Pro x64

Re: XAMPP for production use(need to be secure)?

Postby cristianpark » 16. August 2012 20:31

I got your point and I agree with you that you should upgrade on regular basis as the new updates fixes bugs and security issues (that's why I use another distros instead of Debian/Ubuntu)

But I just keep with the same idea. In web development localhost tests are good but are quickly insufficient, you start LAN tests, etc. If you use a tool for development, you want to mime your production environment the best you can. I see pointless then fixing the XAMPP related problems in your local scenario if production will be different and you shouldn't even face the same problems. i.e: I got a problem with XAMPP+Graphviz because XAMPP uses it's own version of libjpeg and libz, I solved in my local environment and in my own servers, if I won't have XAMPP on production, why should I care about fix this problem since with Apache+PHP (manually compiled/installed from the repos) I won't have this issue.
cristianpark
 
Posts: 5
Joined: 29. April 2010 17:33

Re: XAMPP for production use(need to be secure)?

Postby kashif0747 » 16. April 2013 14:07

Isn't it possible to give options for passwords etc. while installing xampp or make another version for production purpose?
kashif0747
 
Posts: 1
Joined: 16. April 2013 14:02
Operating System: Windows

Re: XAMPP for production use(need to be secure)?

Postby Altrea » 16. April 2013 17:31

kashif0747 wrote:Isn't it possible to give options for passwords etc. while installing xampp or make another version for production purpose?

Isn't it possible to bang in a nail with a shoe? Sure, it is.
Why aren't there any Boots especially for banging in nails on the market?
Why do i need a shoe AND additionally a hammer if one product can fit it all?

The answer is easy: Use the correct tool for the specific purpose.
There are already webserver stacks available tested for production purposes.
XAMPP is designed for environment purposes.

Fitting multiple purposes costs multiple development and testing time for the XAMPP developers
Just take a look at the release counts of XAMPP. They already gets longer and longer because of missing time.
We don't provide any support via personal channels like PM, email, Skype, TeamViewer!

It's like porn for programmers 8)
User avatar
Altrea
AF Moderator
 
Posts: 11926
Joined: 17. August 2009 13:05
XAMPP version: several
Operating System: Windows 11 Pro x64


Return to XAMPP for Windows

Who is online

Users browsing this forum: No registered users and 147 guests