Access forbidden! New XAMPP security concept fix

by Jay Jonas

XAMPP is a great tool for developers running Windows. But if you are using virtual hosts and maybe you are stuck on  this error message:

Access forbidden! New XAMPP security concept

Open httpd-xampp.conf which is at  <xampp_path>/apache/conf/extra/

Comment this section:

 #
 # New XAMPP security concept
 #
 #<LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
 # Order deny,allow
 # Deny from all
 #
 # Allow from ::1 127.0.0.0/8 \
 # fc00::/7 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 \
 # fe80::/10 169.254.0.0/16 192.168.1.0/16
 #
 # ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
 #</LocationMatch>

And insert these sections as  following:

#
# New XAMPP security concept
#

 # Close XAMPP security section here
 <LocationMatch "^/(?i:(?:security))">
     Order deny,allow
     Deny from all
     Allow from ::1 127.0.0.0/8
     ErrorDocument 403 /error/HTTP_XAMPP_FORBIDDEN.html.var
 </LocationMatch>

# Close XAMPP sites here
 <LocationMatch "^/(?i:(?:xampp|licenses|phpmyadmin|webalizer|server-status|server-info))">
     Order deny,allow
     Deny from all
     Allow from ::1 127.0.0.0/8
     ErrorDocument 403 /error/HTTP_XAMPP_FORBIDDEN.html.var
 </LocationMatch>

#
# My VHosts security concept
#
# if you are using virtual hosts
# stored outside of xampp folders
#
<DirectoryMatch "D:/dev/wwwroots/(.*)/wwwroot/*">
    Order deny,allow
    Deny from all
    Allow from 127.0.0.0/8

    ErrorDocument 403 /error/HTTP_XAMPP_FORBIDDEN.html.var
</DirectoryMatch>

Then now open http-vhosts.conf that is into the same location.

Add this section:

<VirtualHost *:80>
     DocumentRoot "D:/path/to/xampp/htdocs"

     ServerName localhost:80
     <Directory "D:/path/to/xampp/htdocs">
         IndexOptions +FancyIndexing NameWidth=*
         Options Includes FollowSymLinks Indexes ExecCGI
         AllowOverride All
         Require all granted
     </Directory>
 </VirtualHost>

Finally a sample for setting a virtual host stored in a different folder:

<VirtualHost *:80>
     ServerAdmin webmaster@dev.sample.com
     DocumentRoot D:/dev/wwwroots/dev.sample.com/wwwroot

     ServerName dev.sample.com
     ServerAlias dev.sample.com *.dev.sample.com

     ErrorLog D:/dev/wwwroots/dev.sample.com/logs/error_log.txt
     CustomLog D:/dev/wwwroots/dev.sample.com/logs/access_log.txt common

     <Directory "D:/dev/wwwroots/dev.sample.com/wwwroot">
         IndexOptions +FancyIndexing NameWidth=*
         Options Includes FollowSymLinks Indexes ExecCGI
         AllowOverride All
         Require all granted
     </Directory>
 </VirtualHost>
Advertisements

2 Comments to “Access forbidden! New XAMPP security concept fix”

  1. Good job!

    I am indeed using vhosts, and without your config everything was pretty much locked up.

    Thanks.

    By the way: on XAMPP 1.8.2 (win7) just modifying my vhosts by adding the Directory directive and the “Require all granted” bit is enough to put the whole installation up and running! Very difficult to understand why a misconfigured vhost would make the XAMPP installation unusable.

    The catch all vhost (put before any other vhost) is also necessary to access the XAMPP page at localhost, as you wrote above:

    DocumentRoot “C:\xampp\htdocs”
    ServerName localhost:80

    IndexOptions +FancyIndexing NameWidth=*
    Options Includes FollowSymLinks Indexes ExecCGI
    AllowOverride All
    Require all granted

    All the best.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: