Tuesday, 5 April 2011

The Server Side

Introduction

This week's blog will talk about the server side of web application development. We were required to install XAMPP, which is a single installation for Apache, MySQL, PHP, FTP Server and other services. After the installation we were required to do the following tasks:
  • Test the following functions:
    1. Control panel
    2. Check that the http and https services work
    3. Ftp service
    4. Get an XAMPP security report
    5. Get a phpinfo report
    6. Get a visitor report
    7. Test the default guestbook
  • Add an image and a style sheet to C:\xampp\htdocs\index.html and test it out
  • Test your web server from another computer
  • Attempt to replace index.html and other files using an FTP client on another computer
  • Blog about the tests you performed. Take particular care to talk about any errors or problems you encountered.

    Installing and configuring XAMPP


    The control Panel


    XAMPP is very easy to install and manage. You just have to follow a very straightforward installer and the rest is done by the installer itself. The first thing you notice after installing XAMPP is a little orange icon in the notification area. Of course, we are talking about XAMPP for Windows in this case. Clicking on this icon will pull up the control panel, which controls several services installed with XAMPP.

    My control panel has four modules: Apache, MySQL, FileZilla and Mercury. From this control panel, one can start, stop or configure the services provided. By checking or unchecking the Svc check box near each module, one can add or remove a particular service from XAMPP.

    When I started XAMPP, all services were installed and launched correctly except for Apache. At first I thought something went wrong with my installation, but soon I realized that the error occurred because I had another web server previously installed. IIS was already installed on my Windows 7 machine and therefore Apache could not run simultaneously with IIS. This is due to the ports used. Both IIS and Apache use port 80 by default. To get Apache working I had two options: either changing the port for Apache by editing the httpd.conf file in the Apache directory, or temporarily disabling IIS during testing. Since I had no need for both services to run on my machine, I chose to disable IIS temporarily while using Apache. Later I also tried changing ports for both Apache and IIS to see if they work simultaneously, and they do.
    Getting the services to work is pretty straightforward using XAMPP, unless you have problems with other services using the same resources.


    Checking Services


    To check if the HTTP service is running, I launched the web browser and entered the loop-back address. The default XAMPP webpage launched, indicating that I had successfully installed the Apache server. I added https:// in front of the loop-back address to test if HTTPS was working, and a page indicating that the service was running correctly was shown. You can also check the status by going to the status page in the XAMPP index page.





    To test the file server, I downloaded the FileZilla FTP client. To get a connection to a new FileZilla FTP server (in a XAMPP installation) one must use newuser as username and wampp as password, using the default FTP port 21. I managed to easily connect to the FTP server thanks to the instructions found on the XAMPP local webpage under the Tools section. By XAMPP local webpage I mean the index.html that is set as homepage when XAMPP is installed.

    The image below shows the FTP client connected to the FTP server.



    XAMPP Security Report


    Getting a XAMPP security report is easy. You must go to your localhost address to open the local XAMPP index page. In the list of tools on the left, there is a link called security. This link opens a new tab with a list of security concerns and the status of each security risk. This tab can only be accessed from the local host.

    As you can imagine, nearly everything is unsecured after the installation, since most services still have the default passwords, which are known by everyone. Change the FileZilla password using the GUI tools provided by the FileZilla control panel. To change the MySQL password there are two options. You can use the tools provided in the XAMPP security section or you can change the passwords yourself from the configuration files. Changing the MySQL password without a GUI is slightly more difficult if you don't have additional tools installed. I used the tool below to change my password.
     $ mysqladmin -u root password NEWPASSWORD
    This is a command-line tool that must be run from the bin directory under the MySQL parent directory. This solved the MySQL security issue but caused phpMyAdmin to no longer recognize the root administrator of the MySQL DBMS. To solve the problem one only needs to open the file config.inc.php in the phpMyAdmin directory and edit the root password, allowing the tool to use the password. These steps are all done automatically if you choose to use the XAMPP tools in the security page.

    Another security concern was that PHP is not running in safe mode. For my case, I don't need to run it in safe mode. The last unresolved issue is regarding the phpMyAdmin login. By default there is no password. Fortunately, by using a link available in the XAMPP security page, it is easy to fix this problem by adding a password. Also, by default all pages are visible to users on the localhost without the need for any password. It is important to make Apache pages password protected so that users cannot view or edit information on the Apache server. If you have already created a user and secured these pages, users are normally kept in a file in the directory C:\xampp\security\xampp.users in encrypted format, or in a text file with a visible address in the security page. The choice is up to the user. To delete users, you must delete them manually from these files. To disable this feature you must go to C:\Xampp\htdocs\xampp\.htaccess and comment out the line require valid-user. Apache pages by default are not accessible from outside the local host, but they can be made accessible by editing the file httpd-xampp.conf found in the directory c:\apache\conf\extra\httpd-xampp.conf.
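    The password protection described above depends on the require valid-user line staying active in the .htaccess file. The following check is an added example, not part of the original post or of XAMPP: it parses the text of an .htaccess file and reports when Basic authentication is no longer enforced. The sample file contents and the function names are constructed for illustration.

```python
# Added example: audit an XAMPP .htaccess for enforced password protection.
# The sample file contents below are constructed for illustration.

PROTECTED = r'''
AuthName "xampp user"
AuthType Basic
AuthUserFile "C:\xampp\security\xampp.users"
require valid-user
'''

# The same file after the "require valid-user" line has been commented out.
DISABLED = PROTECTED.replace("require valid-user", "# require valid-user")


def active_directives(text):
    """Map lower-cased directive name -> list of argument strings,
    skipping blank lines and '#' comment lines."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        args = parts[1].strip() if len(parts) > 1 else ""
        found.setdefault(parts[0].lower(), []).append(args)
    return found


def audit_htaccess(text):
    """Return a list of findings; an empty list means a password is required."""
    d = active_directives(text)
    findings = []
    if not d.get("authtype"):
        findings.append("no active AuthType line")
    if not d.get("authuserfile"):
        findings.append("no active AuthUserFile line")
    enforcing = [a for a in d.get("require", [])
                 if a.split() and a.split()[0].lower() in ("valid-user", "user", "group")]
    if not enforcing:
        findings.append("no active Require line: pages are served without a password")
    if any(a.lower() == "any" for a in d.get("satisfy", [])):
        findings.append("Satisfy Any: host-based access can bypass the password")
    return findings


if __name__ == "__main__":
    for label, text in (("protected", PROTECTED), ("disabled", DISABLED)):
        print(label, audit_htaccess(text) or "OK")
```
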

    The image below shows the security results after all security concerns were corrected.







    XAMPP phpinfo(), Visitor Report and Client Guestbook

    To view phpinfo() I clicked on the link listed in the default index page and a new page opened showing several PHP settings.


    To view a visitor report I used the Webalizer tool, which is part of the XAMPP package.


    Finally I obtained the guest book by following another link in the default index page. I also added my name to the guest book.


    Editing index.html


    To edit index.html I simply went to the index.html location and edited the file. The following image is the result. I added the XAMPP icon in the center of the page.

    The image below shows the index.html as accessed from outside the webpage. Notice that there is an IP address in the address bar instead of localhost.




    Finally I tried to replace index.html using an FTP client. First I connected to the FTP server using the FileZilla client and dragged my index.html into the FTP server. A dialog to overwrite the current file was displayed. I overwrote the file and everything worked fine. The image below shows the overwrite dialog.



    Conclusion

    XAMPP is a great tool that eases the installation and integration of several services. It is easy to use and does not take too many resources while bringing the big advantage of centralization, where everything can be controlled from one source. Without XAMPP these services would be difficult to install, not to mention maintain.
