XAMPP “forbidden” Folder: Removing it or using it to test mod_auth_remote

June 24th, 2007

This article is part of a series of articles that I’m writing on how to make XAMPP more secure. See the overview page for all of the security steps.

The XAMPP “forbidden” folder under “htdocs” is used for testing the “auth_remote_module” of Apache. This folder is not needed to operate a webserver on XAMPP, and you may safely delete it (you also should remove it from your Apache config files, which is covered at the end of this article).

The “auth_remote_module” of Apache lets you consult a remote server for authenticating a user. The idea is that this remote server could be shared by multiple websites under your control, so that usernames and passwords only need to be stored in one file on one server. The auth_remote_module is documented in the “forbidden/readme.auth_remote.txt” file and is also documented here. After you get this working and understand how it works, you should be able to apply the concepts to your own server if you so desire.

Setting up XAMPP for This Test

In order to perform this test, some things need to be changed in the Apache configuration files. First, in c:\xampp\apache\httpd.conf, the auth_remote_module needs to be loaded (it is not loaded by default). This is enabled by uncommenting (remove the “#” character) the line:

#LoadModule auth_remote_module modules/mod_auth_remote.so

After changing the httpd.conf file, it is necessary to restart the Apache server. This can be done via the XAMPP control panel by stopping and then restarting the server.

A second thing to be done is to create a folder “c:\xampp\htdocs\fonts” and put a sample “index.html” file in there that will be accessible only after the remote authentication is completed. You can copy the index.html file from the htdocs directory and change the “It works.” to something like “fonts directory accessed” so that you know you are hitting the right directory.

Performing The Test

Once these two setup steps are performed, you may access the page http://localhost/fonts. You’ll be asked to enter a username/password for “AUTH REMOTE TEST”. The default user name is “user” and the default password is “pass”. Enter these correctly and you will be shown the index.html file that you placed into c:\xampp\htdocs\fonts.

Why This Works

In the “c:\xampp\apache\conf\extra\httpd-xampp.conf” file, the c:\xampp\htdocs\fonts directory is set up for remote authentication with these lines in the config file:

<IfModule auth_remote_module>
    <Directory "C:/xampp/htdocs/fonts">
    AllowOverride All
    AuthType           Basic
    AuthName           "AUTH REMOTE TEST"
    AuthRemoteServer   localhost
    AuthRemotePort     80
    AuthRemoteURL      /forbidden/
    Require            valid-user
    #User: user / Password: pass
    </Directory>
</IfModule>

Since these lines in the config file are wrapped in <IfModule auth_remote_module>, the auth_remote_module must be loaded in Apache for them to take effect. This is why “LoadModule auth_remote_module modules/mod_auth_remote.so” needs to be uncommented in httpd.conf.

The following 3 lines:

    AuthRemoteServer   localhost
    AuthRemotePort     80
    AuthRemoteURL      /forbidden/

indicate that remote authentication is to be performed by contacting the server “localhost” on port 80 at the /forbidden/ URL.

The final enabler for this test is setting up the username/password on the remote server. This is done (by default from the XAMPP install) in the .htaccess file in the “forbidden” folder, which specifies that the usernames and passwords are stored in the .htpasswd file in “forbidden”. The .htpasswd file has “user” defined with the password “pass”.
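To see the exchange that the three AuthRemote* lines describe without a second Apache instance, here is an added Python sketch (not part of the article and not the mod_auth_remote source): a tiny stand-in for the /forbidden/ endpoint guarded by .htaccess/.htpasswd, plus a function that does what the /fonts directory does per request. It assumes the module simply forwards the browser’s Basic credentials to AuthRemoteServer:AuthRemotePort AuthRemoteURL with a HEAD request and treats any 2xx reply as a valid user; the user table is constructed from the article’s default pair.

```python
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for forbidden/.htpasswd: the XAMPP default credentials.
REMOTE_USERS = {"user": "pass"}
REALM = "AUTH REMOTE TEST"


class RemoteAuthHandler(BaseHTTPRequestHandler):
    """Plays the role of http://localhost/forbidden/ protected by .htaccess + .htpasswd."""

    def _authorized(self):
        header = self.headers.get("Authorization", "")
        if not header.startswith("Basic "):
            return False
        try:
            user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
        except Exception:          # malformed base64 / non-UTF-8 -> treat as no credentials
            return False
        return REMOTE_USERS.get(user) == pw

    def do_HEAD(self):
        if self._authorized():
            self.send_response(200)
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="%s"' % REALM)
        self.end_headers()

    do_GET = do_HEAD

    def log_message(self, *args):  # keep the demo quiet
        pass


def remote_auth(server, port, url, username, password):
    """What the /fonts directory does for each request (assumed behaviour of mod_auth_remote):
    forward the Basic credentials to AuthRemoteServer:AuthRemotePort AuthRemoteURL
    and accept the user only if the remote server answers 2xx."""
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    conn = http.client.HTTPConnection(server, port, timeout=5)
    conn.request("HEAD", url, headers={"Authorization": "Basic " + token})
    status = conn.getresponse().status
    conn.close()
    return 200 <= status < 300


def start_remote_server():
    """Start the stand-in remote server on an ephemeral loopback port (AuthRemotePort)."""
    srv = HTTPServer(("127.0.0.1", 0), RemoteAuthHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv
```

Note that the credentials reach AuthRemoteServer as ordinary Basic authentication, so if the remote server is anything other than localhost that hop needs its own protection (TLS or an isolated network).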

Removing the forbidden folder from your hard disk and Apache config

If you don’t plan to use this “forbidden” folder, you should consider removing it to enhance security.

There are 3 things to do to remove it.

First, delete the c:\xampp\htdocs\forbidden folder from your hard disk using something like Windows Explorer.

Second, open up the c:\xampp\apache\conf\extra\httpd-xampp.conf file in a text editor. Remove the lines shown below:

# Access restriction via Remote
<IfModule auth_remote_module>
    <Directory "C:/xampp/htdocs/fonts">
    AllowOverride All
    AuthType           Basic
    AuthName           "AUTH REMOTE TEST"
    AuthRemoteServer   localhost
    AuthRemotePort     80
    AuthRemoteURL      /forbidden/
    Require            valid-user
    #User: user / Password: pass
    </Directory>
</IfModule>

Finally, if you happened to create a c:\xampp\htdocs\fonts directory (it should only be there if you created it; the install does not create it), then you should go ahead and delete this directory and all files in it.

2 Comments

  1. Tom on 27 Nov 2007 at 5:50 pm

    Can’t find my username/pass to xampp = /
    Doesn’t everyone have the same one in the beginning?

    Thanks.

  2. Mike on 16 Aug 2012 at 8:30 am

    Hey Rob, I really appreciate you posting all this info, as I’m brand spankin’ new to this whole webserver thing. I realize this info was published in 2007, so is that why a lot of this info appears to be “wrong”, for lack of a better word? Like when I go to look in these files I don’t see the sections you are talking about at all. Is it just me, or has Apache made it default to secure the things you are suggesting?
