
- APACHE WINDOWS VIA XAMPP -

I am in no way versed in Apache. Out of sheer necessity I had to install
it to set certain things up. So this tutorial is mainly focused on
settings, tips, security, etc. that I did. The installing part is easy.

Windows: I'm using the portable version of 'XAMPP' (xampp-win32-1.7.1.exe)
and love it. It's bundled with lots of goodies all ready to use out of the
box. My XAMPP is: Apache HTTPD 2.2.11 + Openssl 0.9.8i, MySQL 5.1.33, PHP
5.2.9, phpMyAdmin 3.1.3.1, XAMPP CLI Bundle 1.3, FileZilla FTP Server
0.9.31, Mercury Mail Transport System 4.62.
You don't even need to make/install an SSL certificate or enable it; it's
done, your site is ready to go https.

INSTALLING XAMPP WINDOWS
XAMPP NOTES
NAVIGATING
SETTING HOMEPAGE
SETTING HOMEPAGE TO ANOTHER DIRECTORY
TO BAN IPs FROM ACCESSING YOUR SITE
LINKING OTHER AREAS ON BOX TO YOUR WEBSITE
FORCE REDIRECT HTTP TO SSL HTTPS
TO CHANGE SIZE OF FILES ALLOWED TO UPLOAD
SECURITY TIPS
TROUBLE SHOOTING

INSTALLING XAMPP WINDOWS:
`````````````````````````
Their site is HERE, check for the latest versions. They have a very active
forum HERE with very nice, helpful peeps, promise :).
1. Exclude 'xampp-win32-xxx.exe' and its 'installed location' from virus
scanners and disk cleaning utilities.
2. Double click file to extract it. Extract to root of a drive; it must be
run from the root of a drive. If you do move this from one drive to
another the Drive letter must be the same, or you'll need to do some
editing to the configuration files.
3. In your router, forward ports 80 (http) and 443 (https).
4. To test this locally, and/or with your own domain (see my DYNDNS
tutorial to get a free domain for your box) I had to edit my 'hosts' file
which is here:
C:\WINDOWS\system32\drivers\etc\hosts (the name of this file is hosts, no
extension)
Right click on file, select Properties, under Attributes remove Read-only
if checked/OK.
Open file with WordPad. Mine had this:
127.0.0.1       localhost

I changed it to:
127.0.0.1       localhost
192.168.1.2     my.freedomain.com

(192.168.1.2 is my internal IP on my network)


Close that file selecting the red X, select OK; not file / save. Right
click on file, select Properties, under Attributes select 'Read-only' /OK
/ even if it wasn't set earlier (security reasons).

To quickly view your own internal IP on the network double click on the
network icon in your system tray (far right, looks like 2 computer
monitors flashing), Support tab, will state 'IP Address: 192.168.2' or
whatever yours is.

Windows 8 users: If you are using the built-in 'Windows Defender'
antivirus then you must:
1. Exclude the 'hosts' file from being monitored by Windows Defender or it
will remove any changes you make to this file:
Windows key > type in Windows Defender > Enter > Settings tab > Exclude
Files and locations > Browse button > navigate to file > OK > Add > Save
Changes
2. Launch your text editor as Admin to make changes to the hosts file.
Example: Windows key > type in Wordpad > right click Wordpad icon > Run
as administrator > file type box select 'All Files (*.*)'

XAMPP NOTES:
````````````
1. Apache configuration file is here: D:\xampp\apache\conf\httpd.conf
2. Whenever you edit a server configuration file you must restart the
server to have the edits recognized: stop then start Apache, not just
refresh the Control Panel.
3. Error log is here: D:\xampp\apache\logs\error.log
4. If you get this error: "Warning: include(lang/jp=.php)
[function.include]: failed to open stream: No such file or directory in
D:\xampp\htdocs\xampp\index.php on line 12"
Fix it like this:
Open 'lang.tmp' here: \xampp\htdocs\xampp\lang.tmp in your text editor and
type en on the first line (if your language is English) then
save.
If you don't have this file create a blank file and name it lang.tmp as
XAMPP will ask you for your language again.
5. For convenience I have:
a. mysql_start.bat & xampp-control.exe start at computer startup.
b. Have made a shortcut on my tool bar for D:\xampp\mysql_stop.bat &
D:\xampp\xampp-control.exe. You need to use mysql_stop.bat to properly
shut down mysql, for example every reboot. You'll need xampp-control.exe
often when making changes to config files.

NAVIGATING:
```````````
The root of website is 'htdocs'. Below are example treepaths:

FILE IS HERE                        URL IS
D:\xampp\htdocs\                    http://localhost/
D:\xampp\htdocs\mewbies\            http://localhost/mewbies/
D:\xampp\htdocs\xampp\mewbies\      http://localhost/xampp/mewbies/
D:\xampp\htdocs\xampp\index.php     http://localhost/xampp/index.php
etc.

SETTING HOMEPAGE:
`````````````````
If you want your homepage to be: http://yoursite.com
1. Copy over to somewhere safe first, and then remove everything in
'htdocs' except the 'xampp' directory.
2. Place your index.html in there; D:\xampp\htdocs\index.html
3. To access your Admin page you will now need to use the default URL:
http://localhost/xampp/index.php. The 'button' on the xampp-control.exe
for the Admin page will no longer be able to access that. Instead the
Admin button will now open your homepage.
If you leave the index.php file in the htdocs dir the control panel
application button will still open the Admin page, but the direct URL will
not open your site, it will open the Admin page. I'm sure you can set that
in apache correctly if you want to leave index.php there so your control
panel button still works on it. I didn't bother, see below for a method.

SETTING HOMEPAGE TO ANOTHER DIRECTORY:
``````````````````````````````````````
For some reason you might want to have http://yoursite.com open a
different directory than the default: D:\xampp\htdocs\
For example you want it to be D:\xampp\htdocs\mewbies\index.htm
Edit httpd.conf (D:\xampp\apache\conf\httpd.conf)
It has this:
DocumentRoot "D:/xampp/htdocs"

Change it to:
DocumentRoot "D:/xampp/htdocs/mewbies"

Below that it is:
<Directory "D:/xampp/htdocs">

Change it to:
<Directory "D:/xampp/htdocs/mewbies">

Stop and start apache (via control panel button- xampp-control.exe).
Go to: http://localhost (It will open up my
http://localhost/mewbies/index.html, URL will still be http://localhost)

*But your default bookmark for the Admin page will not work any longer, as
it will try to open D:/xampp/htdocs/mewbies/xampp now that mewbies has
been set as home. You'll have to either find the path for it and make a
new bookmark, or edit the redirect file to point correctly.
xampp/htdocs/index.php has:

<?php
if (!empty($_SERVER['HTTPS']) && ('on' == $_SERVER['HTTPS'])) {
$uri = 'https://';
} else {
$uri = 'http://';
}
$uri .= $_SERVER['HTTP_HOST'];
header('Location: '.$uri.'/xampp/');
exit;
?>

Change line no. 8:
header('Location: '.$uri.'/xampp/');
To the correct path, for example:
header('Location: '.$uri.'/mewbies/');

TO BAN IPs FROM ACCESSING YOUR SITE:
````````````````````````````````````
Edit 'httpd.conf'
This section for example has this:
<Directory "D:/xampp/htdocs">
Options -Indexes FollowSymLinks Includes ExecCGI
AllowOverride All
Order allow,deny
Allow from all

</Directory>

Change to:
<Directory "D:/xampp/htdocs">
Options -Indexes FollowSymLinks Includes ExecCGI
AllowOverride All
Order allow,deny
Allow from all
# a single address
deny from 207.226.175.210
# a partial address (first three octets) covers all of 207.226.176.x
deny from 207.226.176
</Directory>

That will now deny anyone with the 1st IP and anyone in the 2nd entry's
range. They will receive a 403 error. To send them off to another location
use a 'Rewrite'.

LINKING OTHER AREAS ON BOX TO YOUR WEBSITE:
```````````````````````````````````````````
Symbolic Links and/or Alias Directive. You can read about this on your
Admin Page under the link Documentation / Apache 2 documentation / Mapping
URLs to the Filesystem (this opens an outside URL HERE). Basically it's
like creating a shortcut that the users won't be aware of. An example they
give:
"For example, with:

Alias /docs /var/web

The URL http://www.example.com/docs/dir/file.html will be served from
/var/web/dir/file.html. The ScriptAlias directive
works the same way, with the additional effect that all the content
located at the target path is treated as CGI scripts."
Other examples are HERE.

This is what I did. I have on my D drive (same drive I have xampp on)
another directory that I want my users to have access to and I don't want
to copy the contents over to my D:\xampp folders.

For example, the directory I want my users to access is 'wallpaper',
which is located here: D:\MyStuff\graphics\large\wallpaper
I want the URL to be http://mysite.com/gfx
Edit httpd.conf
Add this:
Alias /gfx /MyStuff/graphics/large/wallpaper
<Directory /MyStuff/graphics/large/wallpaper>
Order allow,deny
Allow from all
</Directory>

If it's on another drive, just add the drive in the path, like this:
Alias /gfx F:/MyStuff/graphics/large/wallpaper
<Directory F:/MyStuff/graphics/large/wallpaper>
Options Indexes
Order allow,deny
Allow from all
</Directory>

*Note alias '/gfx' is what the user will enter in the URL to access that
path. It can be anything you like.

FORCE REDIRECT HTTP TO SSL HTTPS:
`````````````````````````````````
For my other site I have the entire web-site redirected to https. If you
don't want the entire site but only a certain area; see comment below
settings.
Edit httpd.conf (D:\xampp\apache\conf\httpd.conf)
Has this:
ServerAdmin admin@localhost
ServerName mydomain.com:80
DocumentRoot "D:/xampp/htdocs"
<Directory />

Change to:
ServerAdmin admin@localhost
ServerName mydomain.com:80
RewriteEngine on
RewriteRule ^/(.*) https://your.site.com/$1
DocumentRoot "D:/xampp/htdocs"
<Directory />

Or to only have https on a certain area of your site, for example a
directory named 'mewbies', enter the rule like this instead:
RewriteRule ^/(mewbies.*) https://your.site.com/$1

Save, exit, restart apache, then test it by going to
http://your.site.com/mewbies ; you'll be redirected to
https://your.site.com/mewbies
*Note: Something I have noticed with this setting if you have an
authentication mode for that area:
When I go to my site http://your.site.com/mewbies
I'll first be prompted for login- name and pass, submit those, and only
then are users redirected to https. In other words it seems as though the
name/pass is being sent via http, and only then are users redirected to
https mode... Definitely this is something to work out and find the
correct method.
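
One way to keep a login prompt off plain http for the 'mewbies' area, as an added example that is not part of the original tutorial. It uses Apache 2.2 syntax; the realm name "Members" and the password file path are assumptions, so substitute your own.

```apache
# Added example, Apache 2.2 syntax (this XAMPP ships httpd 2.2.11).
# Assumed names, not from the tutorial: the realm "Members" and the
# password file D:/xampp/security/mewbies.htpasswd (kept outside htdocs).

# httpd.conf, main (port 80) server: send /mewbies to https.
# Server-level rewrite rules run when the URL is first mapped,
# before any access or login check is made.
RewriteEngine on
RewriteRule ^/(mewbies.*) https://your.site.com/$1 [R=301,L]

<Directory "D:/xampp/htdocs/mewbies">
    # WEAK if used alone: with only the four Auth lines below, this
    # directory answers a plain-http request with a 401 login prompt,
    # and the browser then sends the name and password unencrypted.

    # FIX: mod_ssl's SSLRequireSSL denies every request for this
    # directory that did not arrive over SSL. It is an access check,
    # which Apache evaluates before authentication, so a plain-http
    # request that slips past the redirect gets a 403 and is never
    # asked for credentials.
    SSLRequireSSL

    # Keep that denial in force even if a "Satisfy any" is added
    # later; without this, passing the login could override it.
    SSLOptions +StrictRequire

    AuthType Basic
    AuthName "Members"
    AuthUserFile "D:/xampp/security/mewbies.htpasswd"
    Require valid-user
</Directory>
```

If the login is configured in a .htaccess file instead, SSLRequireSSL can go in that file next to the Auth lines.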

TO CHANGE SIZE OF FILES ALLOWED TO UPLOAD:
``````````````````````````````````````````
To allow large file uploads you must change the settings on your PHP &
Apache conf files, we'll use 600MB file size as the example, change it to
your own needs:
Edit this file: D:\xampp\php\php.ini

Search for: upload_max_filesize
Change to:
upload_max_filesize = 600M

Search for: post_max_size
Has this:
post_max_size = 8M
Change to (it must be larger than upload_max_filesize):
post_max_size = 700M

Search for: memory_limit
Has this: memory_limit = 128M
Change to, if you don't want any limit:
memory_limit = -1
Or change to (it must be larger than post_max_size):
memory_limit = 800M

Search for: max_execution_time
Has this: max_execution_time = 30
Change to for example:
max_execution_time = 9600

Search for (just below max_execution_time): max_input_time = 60
Has this: max_input_time = 60
Change to: max_input_time = 3600

Done, save the changes.

Edit this file: D:\xampp\apache\conf\extra\httpd-default.conf
Search for: LimitRequestBody
If your conf does not have this line, add it.
Has this: LimitRequestBody 102400
Change to:
LimitRequestBody 600000000

Setting it to 0 means unlimited; otherwise the value can be up to
2147483647 bytes (2GB).

Restart your web server.

SECURITY TIPS:
``````````````
For 'Ten Tips Securing Apache' read HERE. This is what I did for what
applied to my installation and some others:
1. (3) DON'T GIVE AWAY PROGRAM INFORMATION:
Why give away information that could potentially help a newbie hacker?
Make them work a little more for it :p. If I were to go to a non existing
URL on my site (not this site) I would see something like this:
Not Found
The requested URL /testing was not found on this server.
Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9 Server at 123.456.789 Port 80

That's just too much info.


Edit: D:\xampp\apache\conf\extra\httpd-default.conf
Has this:
ServerTokens Full
ServerSignature On

Change to:
ServerTokens Prod
ServerSignature Off

restart apache, test it now :) sweet

Not Found
The requested URL /testing was not found on this server.
Apache

You of course could make a custom error page to redirect users to as well.

2. (4) INSTALL A FIREWALL mod_security
See my tutorial for mod_security

3. (7) BE SPECIFIC ON WHAT IP:PORT APACHE LISTENS ON:
The default 'Listen 80' directive tells Apache to listen to every IP
address on port 80.
Edit this file: D:\xampp\apache\conf\extra\httpd.conf :
Mine has:
Listen 80

Change to:
Listen my.domain.com:80

Also can change this:
ServerName localhost:80

To:
ServerName yourdomain.com:80

exit, save, restart apache

*Note doing this I have noticed that on the Admin Page I'm now not able to
open: security page, cd collection, phonebook, or mercury mail. I get this
error: FORBIDDEN FOR CLIENT 192.168.1.2 or Access forbidden! Error 403.

5. (8) KEEP USERS OUT OF ROOT / :
I didn't do this step as naughty me has a number of Alias and symbolic
links to other locations in my box.
If you don't need users all over your box just edit this file:
D:\xampp\apache\conf\extra\httpd.conf

Has this:
<Directory />
Options FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
</Directory>

Change to:
<Directory />
Options None
AllowOverride None
Order deny,allow
Deny from all
</Directory>

6. (9) CLEAN UP HTTPD.CONF FILE
Any line in the file that is preceded with '#' is called 'commented'.
These lines are generally notes, directions, possible settings, etc. To
speed up apache a tiny tad and be sure all the lines that are there should
be there, remove every commented line. Your conf file will be so much
easier to read and locate settings in after.
Always make a backup copy first (like
httpd-before.removing.comments.conf), just in case you remove a needed
line.

exit, save, restart apache, make sure all is in order and check your
error.log.

7. (10) PREVENT DOS/DENIAL OF SERVICE ATTACKS:
See a chart HERE for setting recommendations.
Edit this file: D:\xampp\apache\conf\extra\httpd-default.conf
Has: Timeout 300
Change to: Timeout 30

Has: KeepAliveTimeout 5
Change to: KeepAliveTimeout 2

Edit this file D:\xampp\apache\conf\extra\httpd.conf
'LimitRequestBody 102400' would limit the size per file uploaded to
102400 bytes.
Settings can be from 0 (meaning unlimited) to 2147483647 (2GB).
I want to allow 600MB so 'add' these lines:
LimitRequestBody 600000000
LimitRequestFields 50
LimitRequestFieldSize 8190
LimitRequestLine 8190

Edit this file D:\xampp\apache\conf\extra\httpd-mpm.conf
Has this:
MaxClients         150
MaxClients          50

Since my other site is private, very few ppl, I changed it to:
MaxClients          50
MaxClients           5

PHP - you'll need to change the settings for upload max size as well to
match your above settings:
When editing .ini files I open them with WordPad, edit, then save not by
file/save (which will corrupt the file) but close it via the red X and
select Yes.
Edit this file: D:\xampp\php\php.ini

Has this:
; Maximum allowed size for uploaded files.
upload_max_filesize = 64M
post_max_size = 64M

Change to match above settings:


; Maximum allowed size for uploaded files.
upload_max_filesize = 600M
post_max_size = 700M

red X, yes, restart apache, test site that all is good.

8. DISABLE USERS FROM BROWSING DIRECTORIES THAT DO NOT HOLD WEBPAGES:
Edit httpd.conf
Under Options has this:
Options Indexes FollowSymLinks Includes ExecCGI
Change to:
Options -Indexes FollowSymLinks Includes ExecCGI

But I do have some directories that I want to allow users to browse. For
example if I want users to be able to browse a directory named 'files':
Add this below the first one:
<Directory "D:/xampp/htdocs/files">
Options Indexes FollowSymLinks Includes ExecCGI
AllowOverride All
Order allow,deny
Allow from all
</Directory>

Test this by making a directory in your website, copy over a file into
that new directory, then go to that URL. You will now be denied.

9. DISABLE PHP EASTER EGGS:
These Easter eggs can reveal information about your PHP such as version
and which modules are installed. If you would like to view these click
HERE. To disable them:
Edit this file: xampp\php\php.ini
Search for 'expose_php' and change:
expose_php = On
To:
expose_php = Off

Restart your web server.

TROUBLE SHOOTING:
`````````````````
1. XAMPP Directory Mismatch Warning
If you get this warning after starting xampp-control.exe - the XAMPP
Control Panel:
Current Directory: D:\xampp
Install Directory:
*** WARNING: Directory mismatch ***
Status Check OK

This can be fixed by entering a new key in the Windows Registry:
1. Windows Start button / Run / type in: regedit
then select OK. This will bring up the Windows registry editor.
If you aren't familiar with it, it is always a good idea to make a
backup first: File / Export / save it to wherever you like. If
there is a problem you just File / Import it back in.
2. Left pane navigate to HKEY_LOCAL_MACHINE and then SOFTWARE.
3. Right click on SOFTWARE, choose New, and choose Key.
(This will make a new key with a directory icon named New Key #1)
4. Rename that to XAMPP and press Enter.
5. Right click on XAMPP, choose New, and choose String Value.
(This will make a new key named New Value #1)
6. Rename that new key to: Install_Dir
then press Enter.
7. Right click on the key Install_Dir and choose Modify.
8. Enter in the 'Value data:' text box the path to your XAMPP, such as
D:\xampp and then select OK.
9. Close the Registry Editor.
10. Run XAMPP Control Panel and the error should be gone.
Thank you to the peeps at Apache Friends forum for this fix HERE.

2. XAMPP states busy and won't start
You can't start your web server- just keeps stating busy. There could be a
number of reasons. One way to find out the reason is to double click on
apache_start.bat which is located in your \xampp\ directory. This will
state an error why the web server won't start. For example when I had
this problem it stated:
(OS 10049)The requested address is not valid in its context.
: make_sock: could not bind to address 192.168.1.3:80
no listening sockets available, shutting down Unable to open logs

From there I could see that it was trying my network IP '192.168.1.3'
which was no longer valid for myself. This was the IP that I had put in my
'hosts' file (in the step 4 of installing XAMPP in this tutorial). Once I
changed '192.168.1.3 my.freedomain.com' to '192.168.1.2 my.freedomain.com'
I was able to start the web server.
Note: If you have other IPs, domains listed for the same localhost, that
is fine, it will work.

//----------------------------------------------------------------------

If you find mistakes, have suggestions, and or questions please post at
mewbies forum HERE - thank you.

Last update on 21 Mar '13

- mewbies.com -
