XAMPP: SSL Encrypt the Transmission of Passwords with https
This article is part of a series of articles about making XAMPP more secure. See the overview page for all the security measures.
If you don’t have encryption enabled on a password-protected folder, the password is sent in cleartext, meaning anyone with a network sniffer on the path between browser and server can read it. HTTP Basic authentication (AuthType Basic, the usual .htaccess protection) only base64-encodes the username and password; that is an encoding, not encryption, and is reversed in one line. It is a good idea to encrypt the transmission of these passwords. There are two steps to this process: first we create an SSL certificate and server private key, and then we make sure the password-protected pages can only be reached over an encrypted connection. It is also a good idea to import your certificate into every browser on every machine you will use to access the server; otherwise you will get a warning about an untrusted certificate authority.
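To make the “cleartext” point concrete, here is a small Python script that does what a sniffer on the wire would do: it splits a captured plain-HTTP byte stream into requests and pulls the username and password out of every Basic Authorization header. This is an added example, not part of the original article or of XAMPP; the captured stream, the host name www.example.com and the credentials in it are constructed for the example.

```python
import base64
import re

# Constructed sample capture (not real traffic): three HTTP requests as they would
# appear on port 80, i.e. exactly what a network sniffer sees. The first request
# carries no credentials (the browser has not been challenged yet); the next two do.
CAPTURED_STREAM = (
    b"GET /xampp/ HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
    b"GET /xampp/ HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Authorization: Basic YWRtaW46cEBzczp3b3Jk\r\n"
    b"\r\n"
    b"GET /phpmyadmin/ HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Authorization: Basic cm9iOnMzY3IzdA==\r\n"
    b"\r\n"
)

# A Basic credential is "Basic " followed by base64(user:password); nothing more.
AUTH_RE = re.compile(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.I | re.M)


def split_requests(stream: bytes) -> list[bytes]:
    """Split a captured stream into request heads (request line plus headers).
    Body-less requests such as GET are assumed, which is the usual case here."""
    return [head for head in stream.split(b"\r\n\r\n") if head.strip()]


def extract_basic_credentials(stream: bytes) -> list[tuple[str, str, str]]:
    """Return (request path, username, password) for every Basic Authorization
    header in the capture. Base64 is an encoding, so this needs no key at all."""
    found = []
    for head in split_requests(stream):
        request_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
        parts = request_line.split(" ")
        path = parts[1] if len(parts) > 1 else "?"
        for match in AUTH_RE.finditer(head):
            try:
                decoded = base64.b64decode(match.group(1), validate=True).decode("utf-8", "replace")
            except ValueError:  # binascii.Error is a ValueError: malformed token, skip it
                continue
            # RFC 7617: the user-id cannot contain ':' but the password may,
            # so split only on the first colon.
            user, _, password = decoded.partition(":")
            found.append((path, user, password))
    return found


if __name__ == "__main__":
    for path, user, password in extract_basic_credentials(CAPTURED_STREAM):
        print(f"{path}: user={user!r} password={password!r}")
```

Run it and every credential in the capture is printed in the clear. Under https the same bytes are inside a TLS record and the sniffer sees only ciphertext, which is the whole reason for the rest of this article.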
Create SSL Certificate and Server Private Key
In order to enable the encryption of your password, you must create an SSL certificate (containing your public key) and a server private key. XAMPP ships with a default certificate and key that work out of the box, but you should create your own: the default private key is in every XAMPP download, so anyone who has it can impersonate your server and, with the RSA key exchange these old versions use, decrypt captured traffic.
XAMPP provides a batch file that generates a fresh key pair and a matching self-signed certificate. To execute this batch file, do the following:
- Open a command window (Start->Run, type “cmd” and press “OK”)
- cd c:\xampp\apache
- makecert
You will then see this:
C:\xampp\apache>makecert
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
............................++++++
.....................................++++++
writing new private key to 'privkey.pem'
Enter PEM pass phrase:
Enter a passphrase that protects the private key file privkey.pem while the script works with it, and press Enter. Write down this passphrase so you don’t forget it; the script asks for it again at the end. Note that the script generates a 1024-bit RSA key. That was common when this batch file was written, but it is below the 2048-bit minimum that current browsers and certificate authorities accept, so on a current system generate the key yourself with a larger size. Now you will be asked to verify the passphrase:
Verifying - Enter PEM pass phrase:
Enter your passphrase a second time and hit Enter. Now, you’ll see this:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
Enter your two-letter country code. You will be asked for a few more items (shown below). Enter whatever you think is most appropriate, but stop when you are asked for “Common Name”.
State or Province Name (full name) [Some-State]:NY
Locality Name (eg, city) []:New York
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Rob's Great Company
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
For “Common Name”, enter the DNS name (or, failing that, the IP address) of your website. The browser compares this name with what was typed into the address bar, so it must match exactly: a certificate for www.example.com is not valid for example.com or for the server's IP address, and a mismatch produces a second warning on top of the untrusted-issuer one. A hostname is preferable to an IP address. If you run this website over the public internet on an IP address that changes, you can use a Dynamic DNS service such as dyndns.org to get a free domain name that always points to your server. Current browsers check the subjectAltName extension rather than the Common Name; if a browser still reports a name mismatch after the Common Name is correct, that is the reason, and you will have to generate the certificate with a subjectAltName entry yourself. After you enter the “Common Name”, you are asked for more information. Fill in what you think is appropriate, but it is OK to just hit Enter to accept the defaults. Eventually, you will be asked for the passphrase for privkey.pem:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Enter pass phrase for privkey.pem:
Enter the pass phrase that you created earlier, and now you will see this:
writing RSA key
Loading 'screen' into random state - done
Signature ok
subject=/C=xx/ST=xx/L=xxxx/O=xxx/CN=commonname
Getting Private key
-----
Das Zertifikat wurde erstellt. (The certificate has been created.)
The certificate was provided.
Press any key to continue . . .
C:\xampp\apache>
You are now finished creating your SSL certificate and private key. The makecert.bat script moves them into the directories Apache reads them from (in XAMPP's default httpd-ssl.conf these are conf\ssl.crt\server.crt and conf\ssl.key\server.key under c:\xampp\apache). The “writing RSA key” step above wrote the installed key without the passphrase, so that Apache can start unattended; this means the key file itself is the secret. Make sure it is readable only by the account Apache runs as, and never copy it to a client machine. Only the certificate (server.crt) is imported into browsers in the next step.
Import the certificate into the browser for each client
Since this certificate is self-signed rather than issued by a well-known Certificate Authority (CA), browsers will warn when you open the protected pages. To turn off this warning, import the certificate as a trusted authority into every browser you will use to access your server. Do this only for a certificate you generated yourself and copied to the client by a trusted route: adding an entry to the trusted-root store means that browser will accept anything that entry vouches for. Importing it is also the only way to make the warning meaningful, because a browser that has been taught to click through warnings will click through an attacker's certificate just as readily.
Importing the certificate into IE 7
Here are the steps to import the certificate into IE 7:
Tools->Internet Options
Content Tab->Certificates Button
Trusted Root Certification Authorities Tab->Import Button
Now you’ll see the “Certificate Import Wizard”
Click Next
Provide file name: c:\xampp\apache\conf\ssl.crt\server.crt
Click Next
Leave default to Place all Certificates in Certificate store: Trusted Root Certification Authorities, and click Next
Click Finish
Importing the certificate into Firefox 2:
Here are the steps to import the certificate into Firefox 2:
Tools->Options
Advanced->Encryption Tab->View Certificates Button
Authorities Tab->Import Button
Select file: c:\xampp\apache\conf\ssl.crt\server.crt, and click “Open”
Check “Trust this CA to identify web sites”
Click “OK”
Click “OK” in Certificate Manager
Click “OK” in the original Options window to get back into Firefox
Edit Apache config for encryption-only access to password protected folders
Now we will instruct Apache to serve the password-protected folders over SSL exclusively. This is done in two steps. First, we set up the Apache config for these folders so that they can only be accessed with SSL encryption. Next, we redirect any “http” request for these pages to “https” (this step is optional).
Make folders accessible with SSL encryption only
First, we need to inform Apache that the folders you want to protect must always use encryption (and never go in the clear). This is accomplished by putting an SSLRequireSSL directive inside each desired <Directory> block in the config files (it is fine to put it at the end, just before the </Directory>). With this directive in place, a plain-http request for anything in that directory is answered with 403 Forbidden before any authentication takes place, so the browser is never prompted for (and never sends) the password over http. The SSLRequireSSL line below shows what to add:
Alias /web_folder_name "C:/xampp/foldername"
<Directory "C:/xampp/foldername">
…
…
SSLRequireSSL
</Directory>
I suggest doing this for the following folders (if you still have them):
- Config file: c:\xampp\apache\conf\extra\httpd-xampp.conf
  - c:\xampp\phpmyadmin
  - c:\xampp\htdocs\xampp
  - c:\xampp\webalizer
  - c:\xampp\security\htdocs
- Config file: c:\xampp\webdav
  - c:\xampp\webdav
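Once you have edited several <Directory> blocks it is easy to miss one, and a missed block silently keeps accepting passwords over http. The following Python script checks that: it parses the <Directory> blocks out of a config file, reports which of the folders you listed lack an active SSLRequireSSL (a commented-out one does not count), and, more generally, lists every directory that demands credentials (AuthType or Require) without requiring SSL. This is an added example, not part of the original article or of XAMPP; the sample config text is constructed for the example and is not XAMPP's real httpd-xampp.conf.

```python
import re

# Constructed sample in the style of httpd-xampp.conf (not XAMPP's real file).
# phpMyAdmin is done correctly, webalizer was forgotten, and security has the
# directive commented out, which Apache treats as absent.
SAMPLE_CONF = '''
Alias /phpmyadmin "C:/xampp/phpMyAdmin/"
<Directory "C:/xampp/phpMyAdmin">
    AllowOverride AuthConfig
    Order allow,deny
    Allow from all
    SSLRequireSSL
</Directory>

Alias /webalizer "C:/xampp/webalizer/"
<Directory "C:/xampp/webalizer">
    AllowOverride AuthConfig
    Order allow,deny
    Allow from all
</Directory>

Alias /security "C:/xampp/security/htdocs/"
<Directory "C:/xampp/security/htdocs">
    AuthType Basic
    AuthName "XAMPP Security"
    AuthUserFile "C:/xampp/security/security.users"
    Require valid-user
    # SSLRequireSSL
</Directory>
'''

# <Directory "path"> ... </Directory>; Apache directive names are case-insensitive.
DIR_BLOCK = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)


def normalize(path: str) -> str:
    """Compare Windows paths loosely: either slash, no trailing slash, any case."""
    return path.replace("\\", "/").rstrip("/").lower()


def directory_blocks(conf_text: str) -> dict[str, list[str]]:
    """Map each <Directory> path to its active directive lines.
    In Apache a line is a comment only if '#' is its first non-blank character."""
    blocks = {}
    for match in DIR_BLOCK.finditer(conf_text):
        lines = [ln.strip() for ln in match.group(2).splitlines()]
        blocks[normalize(match.group(1))] = [ln for ln in lines if ln and not ln.startswith("#")]
    return blocks


def has_directive(lines: list[str], name: str) -> bool:
    return any(ln.split()[0].lower() == name.lower() for ln in lines)


def audit_ssl_required(conf_text: str, protected_paths: list[str]) -> dict[str, str]:
    """For each folder you intended to protect, report 'ok', 'missing SSLRequireSSL'
    or 'no <Directory> block' (the folder is not configured in this file at all)."""
    blocks = directory_blocks(conf_text)
    report = {}
    for path in protected_paths:
        lines = blocks.get(normalize(path))
        if lines is None:
            report[path] = "no <Directory> block"
        elif has_directive(lines, "SSLRequireSSL"):
            report[path] = "ok"
        else:
            report[path] = "missing SSLRequireSSL"
    return report


def auth_without_ssl(conf_text: str) -> list[str]:
    """Directories that ask for credentials but never insist on SSL: exactly the
    places where a password would cross the network in the clear."""
    return sorted(
        path for path, lines in directory_blocks(conf_text).items()
        if (has_directive(lines, "AuthType") or has_directive(lines, "Require"))
        and not has_directive(lines, "SSLRequireSSL")
    )


if __name__ == "__main__":
    wanted = [r"C:\xampp\phpMyAdmin", r"C:\xampp\webalizer", r"C:\xampp\security\htdocs", r"C:\xampp\htdocs\xampp"]
    for path, status in audit_ssl_required(SAMPLE_CONF, wanted).items():
        print(f"{status:22} {path}")
    print("auth without SSL:", auth_without_ssl(SAMPLE_CONF))
```

To run it against your own installation, read c:\xampp\apache\conf\extra\httpd-xampp.conf into conf_text and pass the list of folders from above. The parser deliberately ignores .htaccess files and Include directives, so a folder protected only through .htaccess shows up as “no <Directory> block” and needs a manual look.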
Redirect “http” to “https” for certain folders
This next optional step redirects “http” requests for the pages we want to secure to “https”. It is more user friendly: you can still type http:// (or just the host name) in the address bar and be switched to https:// automatically. If you skip it and rely on SSLRequireSSL alone, these pages can only be reached by typing https://, and a plain http request gets a 403. That is fine and marginally more secure, but not so user friendly. Either way the redirect is safe for the password, because a browser does not send Basic credentials until the server challenges it, and the challenge only ever arrives over https. On a current Apache you would also send a Strict-Transport-Security header on the https side so that returning browsers skip the plain-http request altogether. To accomplish the redirection, we use mod_rewrite so that the server name does not have to be written into this part of the config; keeping the number of places where the server name appears small makes the config files easier to maintain.
First, we need to make sure that mod_rewrite is enabled. To do this, edit c:\xampp\apache\conf\httpd.conf and get rid of the comment (# character) in this line:
#LoadModule rewrite_module modules/mod_rewrite.so
to make it look like this:
LoadModule rewrite_module modules/mod_rewrite.so
Now paste the following text at the top of c:\xampp\apache\conf\extra\httpd-xampp.conf. Each RewriteCond pattern is anchored to the start of the request path (the folder name followed by a slash or the end of the path) and flagged [NC] (case-insensitive), so that only the folder itself is redirected and not every URL that happens to contain that word somewhere in its path:
<IfModule mod_rewrite.c>
RewriteEngine On
# Redirect /xampp folder to https
RewriteCond %{HTTPS} !=on
RewriteCond %{REQUEST_URI} ^/xampp(/|$) [NC]
RewriteRule ^(.*) https://%{SERVER_NAME}$1 [R,L]
# Redirect /phpMyAdmin folder to https
RewriteCond %{HTTPS} !=on
RewriteCond %{REQUEST_URI} ^/phpmyadmin(/|$) [NC]
RewriteRule ^(.*) https://%{SERVER_NAME}$1 [R,L]
# Redirect /security folder to https
RewriteCond %{HTTPS} !=on
RewriteCond %{REQUEST_URI} ^/security(/|$) [NC]
RewriteRule ^(.*) https://%{SERVER_NAME}$1 [R,L]
# Redirect /webalizer folder to https
RewriteCond %{HTTPS} !=on
RewriteCond %{REQUEST_URI} ^/webalizer(/|$) [NC]
RewriteRule ^(.*) https://%{SERVER_NAME}$1 [R,L]
</IfModule>
If you have other folders you want to redirect to https://, add the generic block below inside the same <IfModule> section (substitute your folder name):
# Redirect /folder_name folder to https
RewriteCond %{HTTPS} !=on
RewriteCond %{REQUEST_URI} ^/folder_name(/|$) [NC]
RewriteRule ^(.*) https://%{SERVER_NAME}$1 [R,L]
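RewriteCond patterns are regular expressions matched with search semantics, so a bare word such as `security` fires on any path that contains it, while `^/security(/|$)` fires only on that folder. The Python model below plays the three-line rule set against a handful of request paths and compares the two pattern styles. This is an added example, not part of the original article or of Apache; the server name www.example.com and the sample paths are assumed.

```python
import re

SERVER_NAME = "www.example.com"  # assumed value of %{SERVER_NAME}

# Unanchored, case-sensitive patterns: the folder names as bare words.
LOOSE_PATTERNS = ["xampp", "phpmyadmin", "security", "webalizer"]
# Anchored patterns, used with [NC]: the folder itself or anything below it.
TIGHT_PATTERNS = [r"^/xampp(/|$)", r"^/phpmyadmin(/|$)", r"^/security(/|$)", r"^/webalizer(/|$)"]


def redirect_target(https_on: bool, request_uri: str, patterns: list[str], ignore_case: bool = False):
    """Model of
        RewriteCond %{HTTPS} !=on
        RewriteCond %{REQUEST_URI} <pattern>
        RewriteRule ^(.*) https://%{SERVER_NAME}$1 [R,L]
    applied once per pattern. Returns the Location the client would be sent to,
    or None when no rule fires. mod_rewrite matches RewriteCond patterns with
    unanchored search semantics, hence re.search rather than re.match.
    The query string is left out of the model; mod_rewrite passes it through
    unchanged when the substitution has none."""
    if https_on:
        return None
    flags = re.I if ignore_case else 0
    for pattern in patterns:
        if re.search(pattern, request_uri, flags):
            # ^(.*) captures the whole path, leading slash included, so $1 == request_uri
            return f"https://{SERVER_NAME}{request_uri}"
    return None


def compare(uris: list[str]) -> dict[str, tuple[bool, bool]]:
    """For each path: (redirected by the loose rules, redirected by the tight rules)."""
    return {
        uri: (
            redirect_target(False, uri, LOOSE_PATTERNS) is not None,
            redirect_target(False, uri, TIGHT_PATTERNS, ignore_case=True) is not None,
        )
        for uri in uris
    }


if __name__ == "__main__":
    samples = ["/xampp/", "/phpMyAdmin/", "/docs/security-notes.html", "/webalizer/index.html", "/index.php"]
    for uri, (loose, tight) in compare(samples).items():
        print(f"{uri:28} loose={loose!s:5} tight={tight}")
```

Two things show up in the output: the loose rules drag /docs/security-notes.html to https because the path contains the word, and they miss /phpMyAdmin/ because they are case-sensitive, while the anchored, case-insensitive rules do exactly what the comments in the config promise. Also note that %{SERVER_NAME} carries no port, so the redirect always lands on port 443; if your SSL listener is on a different port, write it into the substitution (https://%{SERVER_NAME}:port$1).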
If you are going to host a WebDAV server, it is probably best not to use this redirection for it and to just require https://. That way, clients can only use https:// when addressing your WebDAV folder. I tried using redirection for a WebDAV server and giving http:// in both XP and Mac OS X, and it didn’t work when encryption is required.
One thing to keep in mind with this redirection: if you have virtual hosts, you need to place the redirection code (RewriteEngine On together with the RewriteCond and RewriteRule lines) inside each of your <VirtualHost> blocks, otherwise the redirection won’t work. mod_rewrite rules in the main server context are not inherited by a virtual host unless that virtual host contains RewriteOptions Inherit, so rules pasted only into httpd-xampp.conf silently do nothing for requests served by a virtual host.

Your article about the SSL certificate on Xampp saved my day.
thanks
regards Rob Oudendijk
Great thank you very much.
Hey! This is a great tutorial! =D Can you make one like this but using other certification authorities? like Verisign? Thanks
Wow! That was a really great tutorial after all!
thank you..
ngeee:D
this is a very useful article. Thank you. I solve my problem for class project.
Excellent article! Just what I wanted to know.
Thank you Rob! Another note, folks will likely also want to change entries in apache/conf/extra/httpd-ssl.conf to reflect your domain, server root, folder permissions and so forth.
Thank you for the article. This helped me immensely — I have set up HTTPS and certs on an IIS machine, but never with Apache. Thanks.
You’re a freaking XAMPP king. Many thanks. Seconding the third party / verisign comment from above.
I am under your spell!
Doing technical documentation myself for over 20 years, I have an eye for errors or docs that tend to over explain. Not true here!!!!
You obviously know the topic above and beyond any other resource I have been able to find on the net.
Being a Windows whore for many years, I’m slowly making the leap to Apache in hopes of hosting my own domain.
You’re doing the work for me and at the same time, demonstrating in a way that makes it stick in my head.
All I can say is WOW and Thanks a million times for your efforts.
thanks a lot. Without you my database could’ve been spoilt by irresponsible peeps. cheers
Hi there! This is a great tutorial, but I’ve a got a bug in my system & I was hoping someone can tell me how to fix it. I’m currently using XAMPP-win32 version 1.6.8 & my problem is that after running the makecert command I’m unable to type anything when requested for the pass phrase & as a result I can’t proceed. Can anyone help me out with this?
Thank you!
Thank you – great explanation
thanks, it’s useful
Many thanks. How I love your tutorial how I love internet…
Thank you Mr. Rob
I don’t get which pass phrase gets revealed to others and which stays private?? I don’t understand! all I want is for https:// to work why do they make it so difficult? Where is config file? Where do I add this stuff? When I follow directions it doesn’t work then I go to my site and it says forbidden!
I already did your steps. I got success with the Firefox browser, but with the IE browser it doesn’t work; can you tell me details about this?
chhivhorng
Why does this step by step not work with a URL on a port other than 80??
please
Thanks you sir,
that was really helpful,
Your tutorial is simply the best I could find in all the web.
I didn’t understand the last point…
“One thing to keep in mind with this redirection is that if you have virtual hosts, you need to place the redirection code (with the RewriteCond and RewriteRule) inside of your virtual host declarations, otherwise the redirection won’t work.”
How can I place the redirection code in my host declaration? Where is my host declaration? Because my redirections seem not to work… Thank you
Hello!
First, i’d like to thank the author for this article, it’s absolutely great and helpful.
But i have one question regarding to SSL Certificates.
Does anybody know how to automatically install the certificate from the server, so I don’t need to manually import it in every browser?
For example, I am building an Adobe Flex application, and I am not getting any warnings for an untrusted certificate authority.. of course, my application doesn’t work without the imported certificate in the browser used.
I appreciate any help.
its not working for me
the error is as below:
Secure Connection Failed
localhost uses an invalid security certificate.
The certificate is not trusted because it is self signed.
The certificate expired on 12/4/2006 7:11 AM.
(Error code: sec_error_expired_issuer_certificate)
* This could be a problem with the server’s configuration, or it could be someone trying to impersonate the server.
* If you have connected to this server successfully in the past, the error may be temporary, and you can try again later.
Or you can add an exception…
This was SO helpful … THX!
One question; my vhost dir ‘manager’ (http) redirects to vhost dir ‘manager.ssl’ (https). What does the mod_rewrite look like in my case?
Hi ppl
Can someone please help me? I’m stuck at: Edit Apache config for encryption only access to password protected folders. All the other stuff is done. Have I done this right or not.. it does not use https now :/ Here is my httpd-xampp.
RewriteEngine On
# Redirect /xampp folder to https
RewriteCond %{HTTPS} !=on
RewriteCond %{REQUEST_URI} xampp
RewriteRule ^(.*) https://%{SERVER_NAME}$1 [R,L]
# Redirect /phpMyAdmin folder to https
RewriteCond %{HTTPS} !=on
RewriteCond %{REQUEST_URI} phpmyadmin
RewriteRule ^(.*) https://%{SERVER_NAME}$1 [R,L]
# Redirect /security folder to https
RewriteCond %{HTTPS} !=on
RewriteCond %{REQUEST_URI} security
RewriteRule ^(.*) https://%{SERVER_NAME}$1 [R,L]
# Redirect /webalizer folder to https
RewriteCond %{HTTPS} !=on
RewriteCond %{REQUEST_URI} webalizer
RewriteRule ^(.*) https://%{SERVER_NAME}$1 [R,L]
# XAMPP settings
#
#ScriptAlias /php/ “C:/xampp/php/”
#Action application/x-httpd-php “/php/php-cgi.exe”
LoadModule php5_module “C:/xampp/apache/bin/php5apache2.dll”
AddType application/x-httpd-php-source .phps
AddType application/x-httpd-php .php .php5 .php4 .php3 .phtml
php_admin_flag safe_mode off
…
…
SSLRequireSSL
Alias /security “C:/xampp/security/htdocs/”
php_admin_flag safe_mode off
AllowOverride AuthConfig
Order allow,deny
Allow from all
…
…
SSLRequireSSL
Alias /phpmyadmin “C:/xampp/phpMyAdmin/”
AllowOverride AuthConfig
Order allow,deny
Allow from all
…
…
SSLRequireSSL
Alias /webalizer “C:/xampp/webalizer/”
php_admin_flag safe_mode off
AllowOverride AuthConfig
Order allow,deny
Allow from all
…
…
SSLRequireSSL
Alias /contrib “C:/xampp/contrib/”
php_admin_flag safe_mode off
AllowOverride AuthConfig
Order allow,deny
Allow from all
…
…
SSLRequireSSL
# Access restriction via Remote
AllowOverride All
AuthType Basic
AuthName “AUTH REMOTE TEST”
AuthRemoteServer localhost
AuthRemotePort 80
AuthRemoteURL /forbidden/
Require valid-user
#User: user / Password: pass
…
…
SSLRequireSSL
# Access restriction via MySQL
AuthMySQLEnable On
AuthName “MySQL Secured Place”
AuthType Basic
require valid-user
AuthMySQLHost localhost
AuthMySQLUser root
# AuthMySQLPassword
AuthMySQLDB webauth
AuthMySQLUserTable user_pwd
AuthMySQLNameField name
AuthMySQLPasswordField pass
AuthMySQLPwEncryption none
Thank you very much…
it is great post it works fine in all browser
Great Post. Worked Perfectly! Thank you so much Rob
Thank you! Great post
great post ,thank you.
Very useful little guide. Thank you so much