XAMPP “forbidden” Folder: Removing it or using it to test mod_auth_remote
The XAMPP “forbidden” folder under “htdocs” is used for testing the “auth_remote_module” of Apache. This folder is not needed to operate a webserver on XAMPP, and you may safely delete it (you also should remove it from your Apache config files, which is covered at the end of this article).
The “auth_remote_module” of Apache lets you consult a remote server to authenticate a user. The idea is that this remote server can be shared by multiple websites under your control, so that usernames and passwords only need to be stored in one file on one server. mod_auth_remote is documented in the “forbidden/readme.auth_remote.txt” file and is also documented here. After you get this working and understand how it works, you should be able to apply the concepts to your own server if you so desire.
Setting up XAMPP for This Test
In order to perform this test, some things need to be changed in the Apache configuration files. First, in c:\xampp\apache\httpd.conf, the auth_remote_module needs to be loaded (it is not loaded by default). This is enabled by uncommenting (removing the “#” character from) the line:
#LoadModule auth_remote_module modules/mod_auth_remote.so
After changing the httpd.conf file, it is necessary to restart the Apache server. This can be done via the XAMPP control panel by stopping and then restarting the server.
The second thing to do is to create a folder “c:\xampp\htdocs\fonts” and put a sample “index.html” file in it that will be accessible only after the remote authentication is completed. You can copy the index.html file from the htdocs directory and change the “It works.” to something like “fonts directory accessed” so that you know you are hitting the right directory.
Performing The Test
Once these 2 setup steps are performed, you may access the page: http://localhost/fonts. You’ll be asked to enter a username/password for “AUTH REMOTE TEST”. The default user name is “user” and the default password is “pass”. Enter this correctly and you will be shown the index.html file that you placed into c:\xampp\htdocs\fonts.
Why This Works
In the “c:\xampp\conf\extra\httpd-xampp.conf” file, the c:\xampp\htdocs\fonts directory is set up for remote authentication with these lines in the config file:
<IfModule auth_remote_module>
    <Directory "C:/xampp/htdocs/fonts">
        AllowOverride All
        AuthType Basic
        AuthName "AUTH REMOTE TEST"
        AuthRemoteServer localhost
        AuthRemotePort 80
        AuthRemoteURL /forbidden/
        Require valid-user
        #User: user / Password: pass
    </Directory>
</IfModule>
Because these lines are wrapped in <IfModule auth_remote_module>, they take effect only when the auth_remote_module is loaded in Apache. This is why “LoadModule auth_remote_module modules/mod_auth_remote.so” needs to be uncommented in httpd.conf.
The following 3 lines:
AuthRemoteServer localhost
AuthRemotePort 80
AuthRemoteURL /forbidden/
indicate that remote authentication is to be used by accessing the server “localhost” on port 80 in the /forbidden/ folder.
The final enabler for this test is setting up the username/password on the remote server. This is done (by default from the XAMPP install) in the .htaccess file in the “forbidden” folder, which establishes that the username and password are stored in the .htpasswd file in “forbidden”. The .htpasswd file has “user” defined with password: “pass”.
Removing the forbidden folder from your hard disk and Apache config
If you don’t plan to use this “forbidden” folder, you should consider removing it to enhance security.
There are 3 things to do to remove it.
First, delete the c:\xampp\htdocs\forbidden folder from your hard disk using something like Windows Explorer.
Second, open up the c:\xampp\apache\conf\extra\httpd-xampp.conf file in a text editor. Remove the lines shown below:
# Access restriction via Remote
<IfModule auth_remote_module>
    <Directory "C:/xampp/htdocs/fonts">
        AllowOverride All
        AuthType Basic
        AuthName "AUTH REMOTE TEST"
        AuthRemoteServer localhost
        AuthRemotePort 80
        AuthRemoteURL /forbidden/
        Require valid-user
        #User: user / Password: pass
    </Directory>
</IfModule>
Finally, if you happened to create a c:\xampp\htdocs\fonts directory (it should only be there if you created it; it is not put in by the install), then you should go ahead and delete this directory and all files in it.
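To confirm the second removal step, the following added example (not part of the original article or of XAMPP) scans the text of httpd-xampp.conf for any <Directory> block that still carries uncommented AuthRemote* directives and reports whether the block is live, based on the LoadModule line in httpd.conf. The function names are hypothetical and both sample strings are constructed from the lines quoted above.

```python
import re

# Constructed sample: the httpd-xampp.conf block quoted in this article,
# followed by an unrelated <Directory> block that must not be reported.
SAMPLE_XAMPP_CONF = '''\
# Access restriction via Remote
<IfModule auth_remote_module>
    <Directory "C:/xampp/htdocs/fonts">
        AllowOverride All
        AuthType Basic
        AuthName "AUTH REMOTE TEST"
        AuthRemoteServer localhost
        AuthRemotePort 80
        AuthRemoteURL /forbidden/
        Require valid-user
        #User: user / Password: pass
    </Directory>
</IfModule>
<Directory "C:/xampp/htdocs">
    Require all granted
</Directory>
'''
# Constructed sample: the httpd.conf line in its default (commented) state.
SAMPLE_HTTPD_CONF = "#LoadModule auth_remote_module modules/mod_auth_remote.so\n"

DIR_BLOCK = re.compile(r'<Directory\s+"?([^">]+)"?\s*>(.*?)</Directory>', re.I | re.S)
DIRECTIVE = re.compile(r'^[ \t]*(AuthRemote\w+)[ \t]+(\S+)', re.I | re.M)
LOADMODULE = re.compile(r'^[ \t]*LoadModule[ \t]+auth_remote_module\b', re.I | re.M)

def module_loaded(httpd_conf_text):
    """True only if the LoadModule line exists and is not commented out."""
    return LOADMODULE.search(httpd_conf_text) is not None

def find_auth_remote_blocks(xampp_conf_text, httpd_conf_text):
    """Return one finding per <Directory> block with uncommented AuthRemote* directives."""
    loaded = module_loaded(httpd_conf_text)
    findings = []
    for directory, body in DIR_BLOCK.findall(xampp_conf_text):
        directives = {k.lower(): v for k, v in DIRECTIVE.findall(body)}
        if directives:
            findings.append({
                "directory": directory,
                "server": directives.get("authremoteserver"),
                "port": directives.get("authremoteport"),
                "url": directives.get("authremoteurl"),
                # The article's block sits inside <IfModule>, so it is live only if the module loads.
                "active": loaded,
            })
    return findings
```

After the block has been removed from httpd-xampp.conf, the function returns an empty list for that file's contents.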