[windows] New xampp security concept: Access Forbidden Error 403 - Windows 7 - phpMyAdmin

I have downloaded and installed XAMPP 1.8.1 for Windows on Windows 7 Ultimate. I have set up XAMPP to run together with IIS as per these instructions

All good so far, my PHP sites run locally and everything except phpMyAdmin is available from the XAMPP menu.

However when I try to access phpMyAdmin I get this error:

Access forbidden!

New XAMPP security concept:

Access to the requested directory is only available from the local network.

This setting can be configured in the file "httpd-xampp.conf".

I've found several answers via Google and some on this site. However, so far, none of the solutions I've tried have resolved the issue.

Here is my httpd-xampp.conf file:

#
# XAMPP settings
#

<IfModule env_module>
    SetEnv MIBDIRS "C:/xampp/php/extras/mibs"
    SetEnv MYSQL_HOME "\\xampp\\mysql\\bin"
    SetEnv OPENSSL_CONF "C:/xampp/apache/bin/openssl.cnf"
    SetEnv PHP_PEAR_SYSCONF_DIR "\\xampp\\php"
    SetEnv PHPRC "\\xampp\\php"
    SetEnv TMP "\\xampp\\tmp"
</IfModule>

#
# PHP-Module setup
#
LoadFile "C:/xampp/php/php5ts.dll"
LoadModule php5_module "C:/xampp/php/php5apache2_4.dll"

<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch "\.phps$">
    SetHandler application/x-httpd-php-source
</FilesMatch>

#
# PHP-CGI setup
#
#<FilesMatch "\.php$">
#    SetHandler application/x-httpd-php-cgi
#</FilesMatch>
#<IfModule actions_module>
#    Action application/x-httpd-php-cgi "/php-cgi/php-cgi.exe"
#</IfModule>


<IfModule php5_module>
    PHPINIDir "C:/xampp/php"
</IfModule>

<IfModule mime_module>
    AddType text/html .php .phps
</IfModule>

ScriptAlias /php-cgi/ "C:/xampp/php/"
<Directory "C:/xampp/php">
    AllowOverride None
    Options None
    Require all denied
    <Files "php-cgi.exe">
          Require all granted
    </Files>
</Directory>

<Directory "C:/xampp/cgi-bin">
    <FilesMatch "\.php$">
        SetHandler cgi-script
    </FilesMatch>
    <FilesMatch "\.phps$">
        SetHandler None
    </FilesMatch>
</Directory>

<Directory "C:/xampp/htdocs/xampp">
    <IfModule php5_module>
        <Files "status.php">
            php_admin_flag safe_mode off
        </Files>
    </IfModule>
    AllowOverride AuthConfig
</Directory>

<IfModule alias_module>
    Alias /security "C:/xampp/security/htdocs/"
    <Directory "C:/xampp/security/htdocs">
        <IfModule php5_module>
            <Files "xamppsecurity.php">
                php_admin_flag safe_mode off
            </Files>
        </IfModule>
        AllowOverride AuthConfig
        Require all granted
   </Directory>

    Alias /licenses "C:/xampp/licenses/"
    <Directory "C:/xampp/licenses">
        Options +Indexes
        <IfModule autoindex_color_module>
            DirectoryIndexTextColor  "#000000"
            DirectoryIndexBGColor "#f8e8a0"
            DirectoryIndexLinkColor "#bb3902"
            DirectoryIndexVLinkColor "#bb3902"
            DirectoryIndexALinkColor "#bb3902"
        </IfModule>
        Require all granted
   </Directory>

    Alias /phpmyadmin "C:/xampp/phpMyAdmin/"
    <Directory "C:/xampp/phpMyAdmin">
        AllowOverride AuthConfig Limit
        Order allow,deny
        Allow from all
        Require all granted
    </Directory>

    Alias /webalizer "C:/xampp/webalizer/"
    <Directory "C:/xampp/webalizer">
        <IfModule php5_module>
            <Files "webalizer.php">
                php_admin_flag safe_mode off
            </Files>
        </IfModule>
        AllowOverride AuthConfig
        Require all granted
    </Directory>
</IfModule>

#
# New XAMPP security concept
#
<LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
    Order deny,allow
    Allow from all
    Require all granted

    ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
</LocationMatch>

Does anyone have any idea as to what I'm missing?

To access the requested directory other than local network, you need to change the XAMPP security concept configured in the file "httpd-xampp.conf".

• File location xampp\apache\conf\extra\httpd-xampp.conf

Require Directive Selects which authenticated users can access a resource

Syntax « Require entity-name [entity-name] ...

From « XAMPP security concept allows only local environment - Require local

<LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
        Require local
    ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
</LocationMatch>

To « XAMPP security concept allows any environment - Require all granted

<LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
        Require all granted
    ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
</LocationMatch>

Access forbidden! message from HTML Page.

Allow Directive Controls which hosts can access an area of the server

Syntax « Allow from all|host|env=[!]env-variable [host|env=[!]env-variable] ...

Allowing only local environment. Using any of the below specified url's.

• http://localhost/phpmyadmin/

• http://127.0.0.1/phpmyadmin/

  <LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
      Order deny,allow
      Deny from all
      Allow from ::1 127.0.0.0/8 \
  
      ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
  </LocationMatch>
  

Allowing only to specified IPv4, IPv6 address spaces.

• Link-local addresses for IPv4 are defined in the address block 169.254.0.0/16 in CIDR notation. In IPv6, they are assigned the address block fe80::/10

• A unique local address (ULA) is an IPv6 address in the block fc00::/7

  <LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
      Order deny,allow
      Deny from all
      Allow from ::1 127.0.0.0/8 \
          fc00::/7 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 \
          fe80::/10 169.254.0.0/16
  
      ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
  </LocationMatch>
  

Allowing for any network address. Allow from all

<LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
    Order deny,allow
    Allow from all

    ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
</LocationMatch>

404 - XAMPP Control Panel: Unable to start Apache HTTP server.

URL: http://localhost/xampp/index.php

Error « 
    Not Found
    HTTP Error 404. The requested resource is not found.

Required default Apache HTTP server port 80 is actually used by other Service.

• You need to find the service running with port 80 and stop the service, then start the Apache HTTP server.

  Use Netstat to displays active TCP connections, ports on which the computer is listening.

   C:\Users\yashwanth.m>netstat -ano
  
    Active Connections
  
    Proto  Local Address          Foreign Address        State           PID
    TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       2920
    TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1124
  
    TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       3340
  
    TCP    [::]:80                [::]:0                 LISTENING       2920
  
  C:\Users\yashwanth.m>netstat -ano |findstr 2920
    TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       2920
    TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       2920
    TCP    [::]:80                [::]:0                 LISTENING       2920
    TCP    [::]:443               [::]:0                 LISTENING       2920
  
  C:\Users\yashwanth.m>taskkill /pid 2920 /F
    SUCCESS: The process with PID 2920 has been terminated.
  

• Change listening port from main Apache HTTP server configuration file D:\xampp\apache\conf\httpd.conf. Ex: 81. From Listen 80 To Listen 81, the access URL will be http://localhost:81/xampp/index.php.

  # Change this to Listen on specific IP addresses as shown below to 
  # prevent Apache from glomming onto all bound IP addresses.
  #
  #Listen 0.0.0.0:80
  #Listen [::]:80
  Listen 80
  

For more information related to httpd and virtual host on XAMPP

A reason for this could be Skype as well! If you use the default XAMPP settings, they both would run on the same port (80). You can:

• Turn off Skype
• Change the XAMPP port

You will have to edit 2 files - 1. httpd-vhosts.conf & 2. httpd-xampp.conf

NOTE : Make sure u backup files ( httpd-xampp.conf ) and ( httpd-vhosts.conf ) , Both Files are located in Drive:\xampp\apache\conf\extra

Open httpd-vhosts.conf file and in the bottom of the file change it

<VirtualHost *:80>
DocumentRoot “E:/xampp/htdocs/”
ServerName localhost
<Directory E:/xampp/htdocs/>.
Require all granted 
</Directory>
</VirtualHost>

Here E:/xampp is my project workspace, you can change it as per your settings

and Second Change is on httpd-xampp.conf file and in the bottom of the file change it

#
# New XAMPP security concept
#
<LocationMatch “^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))”>
Order deny,allow
Allow from all
Allow from ::1 127.0.0.0/8
ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
</LocationMatch>

For many it's a permission issue, but for me it turns out the error was brought about by a mistake in the form I was trying to submit. To be specific i had accidentally put ">" sign after the value of "action". So I would suggest you take a second look at your code

If you're using a newer XAMPP (for example for PHP 5.6, 7) which is built with "Bitnami" installer and it includes Apache 2.4.x then this applies:

https://httpd.apache.org/docs/2.4/upgrading.html#run-time

2.2 configuration:

Order allow,deny
Allow from all

2.4 configuration:

Require all granted

This also applies to VirtualHost sections, if you have any custom virtualhost definitions.

Comment out the line Require local in httpd-xampp.conf.
Restart Apache.
Worked for me connecting my mobile phone to my test web-site on my PC. No idea of the security implications.

Require all granted seemed a bit to far for me. Looking at the documentation I used: Require ip 192.168 to allow all internal access.

<LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
    Require local
    Require ip 192.168
    ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
</LocationMatch>

This could be because of wrong configuration, esp if your other sites are working fine.

<VirtualHost cmsdemo.git:88>
    DocumentRoot "C:/Projects/rwp/"
    ServerName cmsdemo.git
    <Directory C:/Projects/cmsdemo/>
        Require all granted 
        AllowOverride All
    </Directory>
</VirtualHost>

Notice in DocumentRoot I am specifying one folder and in Directory, I am specifying another hence 403 Error. This fixed my problem.

In your xampppath\apache\conf\extra open file httpd-xampp.conf and find the below tag:

<LocationMatch "^/(?i:(?:xampp|licenses|phpmyadmin|webalizer|server-status|server-info))">
Order deny,allow
Deny from all
Allow from ::1 127.0.0.0/8 
ErrorDocument 403   /error/HTTP_XAMPP_FORBIDDEN.html.var   

and add Allow from all after Allow from ::1 127.0.0.0/8 {line}

Restart xampp, and you are done.

I tried everything but nothing worked. So I just used : chmod -R 777 to htdocs. At least it's only in my local.

Ubuntu (Linux)

:- $ sudo gedit /opt/lampp/etc/extra/httpd-xampp.conf

 Comment "Deny from all" in the following section,

Change file

# New XAMPP security concept
# <LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
    Order deny,allow

   #Deny from all
   #Require local
    Allow from ::1 127.0.0.0/8 \
            fc00::/7 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 \
            fe80::/10 169.254.0.0/16

    ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var

just remove:

Alias /phpmyadmin "C:/xampp2/phpMyAdmin/"
<Directory "C:/xampp2/phpMyAdmin">
    AllowOverride AuthConfig
    Require all granted
</Directory>

and remove phpmyadmin from:

<LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|server-status|server-info))">

    <LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">

        Require all granted
    ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
</LocationMatch>

Good luck!!!!

Update for XAMPP 7.3.*

If you get into same problem for phpmyadmin in the newest XAMPP, as I had.

The solution is written inside the official documentation located in [XAMPP IP]/dashboard/docs/access-phpmyadmin-remotely.html

To enable remote access to phpMyAdmin from other hosts, follow these steps:

1. Launch the stack manager by double-clicking the XAMPP icon in the mounted disk image.

2. Ensure that Apache and MySQL services are running in the "Services" tab of the stack manager (or start them as needed).

3. Open a new terminal from the "General" tab of the stack manager.

4. Edit the /opt/lampp/etc/extra/httpd-xampp.conf file.

5. Within this file, find the block <Directory "/opt/lampp/phpmyadmin">

Update this block and replace Require local with Require all granted,

6. Save the file and restart the Apache service using the stack manager.

Note for section (4) To edit this file make sure you have vim installed.

Note for section (5) Instead of allowing access to all, which is highly insecure, if your computer is connected to a network. A safer approach is to limit the access to only set of IPs as suggested by @Gunnar Bernstein.

In my case I did:

<Directory "/opt/lampp/phpmyadmin">
  AllowOverride AuthConfig Limit
  Require local
  Require ip 192.168
  ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
</Directory>

Some of the Answers are correct, but in case of working with new xampp or with some one not working other answers try this:

just go to the xampp folder:

xampp/apache/conf/extra/httpd-xampp.c­onf

and if you are trying to access from local ip in your network so change,

 Alias /phpmyadmin "C:/xampp/phpMyAdmin/"
    <Directory "C:/xampp/phpMyAdmin">
        AllowOverride AuthConfig
        Require local
        ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
    </Directory>

Change to :

 Alias /phpmyadmin "C:/xampp/phpMyAdmin/"
    <Directory "C:/xampp/phpMyAdmin">
        AllowOverride AuthConfig
        Require all granted
        ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
    </Directory>

Note: this is just for text, for the security of the xampp has some search....

for anyone having problems when using xampp and IIS using windows,

check the xamp panel on apache which port is using

Let assume apache is using port 81 then try this

http://127.0.0.1:81/

for me worked like charm, it might help someone in future

Try to reinstall new version of XAMPP. Find "<Directory "C:/xampp/php">" and then change to something like this

<Directory "C:/xampp/php">
    AllowOverride AuthConfig Limit
    Order allow,deny
    Allow from all
    Require all granted
</Directory>

In New Xampp

All you have to do is to edit the file:

C:\xampp\apache\conf\extra\httpd-xampp.conf

and go to Directory tag as below:

<Directory "C:/xampp/phpMyAdmin">

and then change

Require local

To

Require all granted

in the Directory tag.

Restart the Xampp. That's it!

All you have to do is to edit the httpd-xampp.conf

from Require local to Require all granted in the LocationMatch tag.

That's it!

G:\xampp\apache\conf\extra\httpd-vhosts.conf

#start block
NameVirtualHost *:80

<VirtualHost *:80>
   ServerName localhost
   #change your directory name
   DocumentRoot "G:\xampp\htdocs"
</VirtualHost>

#Your vertual Host
<VirtualHost *:80>
    DocumentRoot "G:/xampp/htdocs/dev2018/guessbook"
    ServerName dev.foreign-recruitment
    <Directory "G:/xampp/htdocs/dev2018/guessbook/">

    </Directory>
</VirtualHost>
#end block