Testing XAMPP

Introduction

Today I installed and tested XAMPP, a suite of software which instantly turns a computer into a web server running Apache, MySQL Database server, FileZilla FTP Server and also a POP server.

XAMPP stands for X (refers to cross-platform) Apache MySQL PHP & Perl. Despite this name, XAMPP does in fact install more software than this. The project is open-source and is developed by a non-profit group Apache Friends. The version installed in this test is 1.7.7 (released September 20th 2011). XAMPP is available for Windows, Mac OS X, Linux and Solaris.

Installation

XAMPP is available as an automated installer or a compressed archive. As recommended by the site itself, the automated installer was selected. This provides a "next, next... finish" install which is very easy to follow. During installation, the installer asks whether XAMPP components are to be installed as a service.

If this option is selected, the components such as Apache and MySQL are installed as Windows services. This allows them to be automatically started during bootup and also allows them to be run independently of the control panel. At this point in the installation, the services option was not selected and a standard install resumed.

Testing: Control Panel

When the XAMPP application is launched, all services are turned on by default. These can then be started by using the start button, or they can be installed as services by ticking the SVC checkbox. In this case, Apache and MySQL were started normally, whereas FileZilla FTP was started as a service since this is a requirement of the server.

<<TODO: Screenshot of the control panel running properly>>

Once the services are started, the administration pages can be used. The first step was to launch the Apache administration page, which also serves as the control centre for XAMPP. Clicking the "admin" button launches http://localhost.

Test: HTTP & HTTPS Services

The fact that the control panel above is shown means that the Apache HTTP server is capable of serving content, i.e. that HTTP is working. The next step is to ensure HTTPS is also operational.

A link in the main page points to the secure version of the control panel, i.e. https://localhost. When loading this page, the browser displays a warning since the page is not signed by a trusted authority.

The control panel is now running on HTTPS.

Test: FTP Service

To test the FTP service, an FTP client is needed. The free FileZilla FTP client was downloaded. The default connection details were used:

host: localhost

username: newuser

password: wampp

The FTP client connected to the server which displaued the contents of the htdocs folder. As a test, a sample image was uploaded to the directory, and then displayed in the web browser.

Test: XAMPP Security Report

The XAMPP Security Report tests the XAMPP installation for common security flaws. It can be accessed by clicking "Security" in the left menu.

As can be seen from the above, the default XAMPP installation has some security flaws, which are there for the convenience of the user.

·         The XAMPP directory must be protected so only localhost can see it.

·         A password must be set for the MySQL root user.

·         phpMyAdmin must be protected with a password.

·         PHP must run in safe mode (at least on production websites).

·         The default FileZilla password must be changed.

·         In this case, a POP3 server was not found running because it was not configured to run.

XAMPP provides a link to automatically fix some of these issues.

When reloading the control panel, XAMPP now asks for user authentication.

The FileZilla FTP password was changed.

safe_mode was set to On in php.ini.

After some further adjustements, the security part was successful.

Test: phpinfo

The next test was to generate a phpinfo report. This is done by clicking the phpinfo() link under the PHP menu heading. The report displays details related to the installation of PHP including modules configured to work with it.

Test: visitor report

The next test was to generate a visitor report. This is done using Webalizer link under the Tools menu heading. Webalizer analyses Apache access logs to generate graphs and charts which report referring links, pages hit, hit count and access by country amongst others.

Test: default guestbook

XAMPP contains a sample Perl application - a Guest Book.

After pressing "write" the comment is added to the guestbook.

Test: Adding an image and a stylesheet

For the following test, a simple HTML page including a stylesheet and an image was created.

Test: Access the site from another computer

First the IP of the XAMPP computer was established usign the ipconfig command.

Another machine on the network (in this case running Mac OS X) was then used to launch the site

Test: Change the files using an FTP client on another machine

An FTP client was installed on the Mac an a connection was made to the XAMPP machine, however this failed as FileZilla FTP was set to only accept local connections. After changes were made to Windows Firewall, the test was successful.