New xampp security concept: Access Forbidden Error 403 - Windows 7 - phpMyAdmin

I have downloaded and installed XAMPP 1.8.1 for Windows on Windows 7 Ultimate. I have set up XAMPP to run together with IIS as per these instructions

All good so far, my PHP sites run locally and everything except phpMyAdmin is available from the XAMPP menu.

However when I try to access phpMyAdmin I get this error:

> Access forbidden! > > New XAMPP security concept: > > Access to the requested directory is only available from the local > network. > > This setting can be configured in the file "httpd-xampp.conf".

I've found several answers via Google and some on this site. However, so far, none of the solutions I've tried have resolved the issue.

Here is my httpd-xampp.conf file:

#
# XAMPP settings
#

<IfModule env_module>
    SetEnv MIBDIRS "C:/xampp/php/extras/mibs"
    SetEnv MYSQL_HOME "\\xampp\\mysql\\bin"
    SetEnv OPENSSL_CONF "C:/xampp/apache/bin/openssl.cnf"
    SetEnv PHP_PEAR_SYSCONF_DIR "\\xampp\\php"
    SetEnv PHPRC "\\xampp\\php"
    SetEnv TMP "\\xampp\\tmp"
</IfModule>

#
# PHP-Module setup
#
LoadFile "C:/xampp/php/php5ts.dll"
LoadModule php5_module "C:/xampp/php/php5apache2_4.dll"

<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch "\.phps$">
    SetHandler application/x-httpd-php-source
</FilesMatch>

#
# PHP-CGI setup
#
#<FilesMatch "\.php$">
#    SetHandler application/x-httpd-php-cgi
#</FilesMatch>
#<IfModule actions_module>
#    Action application/x-httpd-php-cgi "/php-cgi/php-cgi.exe"
#</IfModule>


<IfModule php5_module>
    PHPINIDir "C:/xampp/php"
</IfModule>

<IfModule mime_module>
    AddType text/html .php .phps
</IfModule>

ScriptAlias /php-cgi/ "C:/xampp/php/"
<Directory "C:/xampp/php">
    AllowOverride None
    Options None
    Require all denied
    <Files "php-cgi.exe">
          Require all granted
    </Files>
</Directory>

<Directory "C:/xampp/cgi-bin">
    <FilesMatch "\.php$">
        SetHandler cgi-script
    </FilesMatch>
    <FilesMatch "\.phps$">
        SetHandler None
    </FilesMatch>
</Directory>

<Directory "C:/xampp/htdocs/xampp">
    <IfModule php5_module>
    	<Files "status.php">
    		php_admin_flag safe_mode off
    	</Files>
    </IfModule>
    AllowOverride AuthConfig
</Directory>

<IfModule alias_module>
    Alias /security "C:/xampp/security/htdocs/"
    <Directory "C:/xampp/security/htdocs">
        <IfModule php5_module>
    		<Files "xamppsecurity.php">
    			php_admin_flag safe_mode off
    		</Files>
        </IfModule>
        AllowOverride AuthConfig
        Require all granted
   </Directory>

    Alias /licenses "C:/xampp/licenses/"
    <Directory "C:/xampp/licenses">
        Options +Indexes
        <IfModule autoindex_color_module>
            DirectoryIndexTextColor  "#000000"
            DirectoryIndexBGColor "#f8e8a0"
            DirectoryIndexLinkColor "#bb3902"
            DirectoryIndexVLinkColor "#bb3902"
            DirectoryIndexALinkColor "#bb3902"
        </IfModule>
        Require all granted
   </Directory>

    Alias /phpmyadmin "C:/xampp/phpMyAdmin/"
    <Directory "C:/xampp/phpMyAdmin">
        AllowOverride AuthConfig Limit
        Order allow,deny
        Allow from all
        Require all granted
    </Directory>

    Alias /webalizer "C:/xampp/webalizer/"
    <Directory "C:/xampp/webalizer">
        <IfModule php5_module>
    		<Files "webalizer.php">
    			php_admin_flag safe_mode off
    		</Files>
        </IfModule>
        AllowOverride AuthConfig
        Require all granted
    </Directory>
</IfModule>

#
# New XAMPP security concept
#
<LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
	Order deny,allow
	Allow from all
	Require all granted

	ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
</LocationMatch>

Does anyone have any idea as to what I'm missing?

All you have to do is to edit the httpd-xampp.conf

from Require local to Require all granted in the LocationMatch tag.

That's it!

In New Xampp

All you have to do is to edit the file:

> C:\xampp\apache\conf\extra\httpd-xampp.conf

and go to Directory tag as below:

> <Directory "C:/xampp/phpMyAdmin">

and then change

> Require local

To

> Require all granted

in the Directory tag.

Restart the Xampp. That's it!

Require all granted seemed a bit to far for me. Looking at the documentation I used: Require ip 192.168 to allow all internal access.

<LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
    Require local
	Require ip 192.168
	ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
</LocationMatch>

Update for XAMPP 7.3.*

If you get into same problem for phpmyadmin in the newest XAMPP, as I had.

The solution is written inside the official documentation located in [XAMPP IP]/dashboard/docs/access-phpmyadmin-remotely.html

> To enable remote access to phpMyAdmin from other hosts, follow these steps:

> 1) Launch the stack manager by double-clicking the XAMPP icon in the mounted disk image.

> 2) Ensure that Apache and MySQL services are running in the "Services" tab of the stack manager (or start them as needed).

> 3) Open a new terminal from the "General" tab of the stack manager.

> 4) Edit the /opt/lampp/etc/extra/httpd-xampp.conf file.

> 5) Within this file, find the block <Directory "/opt/lampp/phpmyadmin"> > > Update this block and replace Require local with Require all granted, > > 6) Save the file and restart the Apache service using the stack manager.

Note for section (4) To edit this file make sure you have vim installed.

Note for section (5) Instead of allowing access to all, which is highly insecure, if your computer is connected to a network. A safer approach is to limit the access to only set of IPs as suggested by @Gunnar Bernstein.

In my case I did:

<Directory "/opt/lampp/phpmyadmin">
  AllowOverride AuthConfig Limit
  Require local
  Require ip 192.168
  ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
</Directory>

    <LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
	
        Require all granted
	ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
</LocationMatch>

Good luck!!!!

Try to reinstall new version of XAMPP. Find "<Directory "C:/xampp/php">" and then change to something like this

<Directory "C:/xampp/php">
    AllowOverride AuthConfig Limit
    Order allow,deny
    Allow from all
    Require all granted
</Directory>

You will have to edit 2 files - 1. httpd-vhosts.conf & 2. httpd-xampp.conf

> NOTE : Make sure u backup files ( httpd-xampp.conf ) and ( > httpd-vhosts.conf ) , Both Files are located in > Drive:\xampp\apache\conf\extra

Open httpd-vhosts.conf file and in the bottom of the file change it

<VirtualHost *:80>
DocumentRoot “E:/xampp/htdocs/”
ServerName localhost
<Directory E:/xampp/htdocs/>.
Require all granted 
</Directory>
</VirtualHost>

Here E:/xampp is my project workspace, you can change it as per your settings

and Second Change is on httpd-xampp.conf file and in the bottom of the file change it

#
# New XAMPP security concept
#
<LocationMatch “^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))”>
Order deny,allow
Allow from all
Allow from ::1 127.0.0.0/8
ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
</LocationMatch>

To access the requested directory other than local network, you need to change the XAMPP security concept configured in the file "httpd-xampp.conf".

• File location xampp\apache\conf\extra\httpd-xampp.conf

> Require Directive Selects which authenticated users can access a resource > > Syntax « Require entity-name [entity-name] ...

From « XAMPP security concept allows only local environment - Require local

<LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
		Require local
	ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
</LocationMatch>

To « XAMPP security concept allows any environment - Require all granted

<LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
		Require all granted
	ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
</LocationMatch>

---

Access forbidden! message from HTML Page.

---

> Allow Directive Controls which hosts can access an area of the server > > Syntax « Allow from all|host|env=[!]env-variable [host|env=[!]env-variable] ...

Allowing only local environment. Using any of the below specified url's.

• http://localhost/phpmyadmin/

• http://127.0.0.1/phpmyadmin/

   <LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
   	Order deny,allow
   	Deny from all
   	Allow from ::1 127.0.0.0/8 \
   	
   	ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
   </LocationMatch>
  

Allowing only to specified IPv4, IPv6 address spaces.

• Link-local addresses for IPv4 are defined in the address block 169.254.0.0/16 in CIDR notation. In IPv6, they are assigned the address block fe80::/10

• A unique local address (ULA) is an IPv6 address in the block fc00::/7

   <LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
   	Order deny,allow
   	Deny from all
   	Allow from ::1 127.0.0.0/8 \
   		fc00::/7 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 \
   		fe80::/10 169.254.0.0/16
  
   	ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
   </LocationMatch>
  

Allowing for any network address. Allow from all

<LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
	Order deny,allow
	Allow from all
	
	ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
</LocationMatch>

---

404 - XAMPP Control Panel: Unable to start Apache HTTP server.

URL: http://localhost/xampp/index.php

Error « 
	Not Found
	HTTP Error 404. The requested resource is not found.

Required default Apache HTTP server port 80 is actually used by other Service.

• You need to find the service running with port 80 and stop the service, then start the Apache HTTP server.

Use Netstat to displays active TCP connections, ports on which the computer is listening.

<!-- language-all: lang-cmd -->

	 C:\Users\yashwanth.m>netstat -ano

	  Active Connections

	  Proto  Local Address          Foreign Address        State           PID
	  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       2920
	  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1124

	  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       3340
	  
	  TCP    [::]:80                [::]:0                 LISTENING       2920

	C:\Users\yashwanth.m>netstat -ano |findstr 2920
	  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       2920
	  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       2920
	  TCP    [::]:80                [::]:0                 LISTENING       2920
	  TCP    [::]:443               [::]:0                 LISTENING       2920

	C:\Users\yashwanth.m>taskkill /pid 2920 /F
	  SUCCESS: The process with PID 2920 has been terminated.

<!-- language-all: lang-cmd -->  

• Change listening port from main Apache HTTP server configuration file D:\xampp\apache\conf\httpd.conf. Ex: 81. From Listen 80 To Listen 81, the access URL will be http://localhost:81/xampp/index.php.

  # Change this to Listen on specific IP addresses as shown below to 
  # prevent Apache from glomming onto all bound IP addresses.
  #
  #Listen 0.0.0.0:80
  #Listen [::]:80
  Listen 80
  

For more information related to httpd and virtual host on XAMPP

Comment out the line Require local in httpd-xampp.conf.
Restart Apache.
Worked for me connecting my mobile phone to my test web-site on my PC. No idea of the security implications.

just remove:

Alias /phpmyadmin "C:/xampp2/phpMyAdmin/"
<Directory "C:/xampp2/phpMyAdmin">
    AllowOverride AuthConfig
    Require all granted
</Directory>

and remove phpmyadmin from:

<LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|server-status|server-info))">

Some of the Answers are correct, but in case of working with new xampp or with some one not working other answers try this:

just go to the xampp folder:

> xampp/apache/conf/extra/httpd-xampp.c­onf

and if you are trying to access from local ip in your network so change,

 Alias /phpmyadmin "C:/xampp/phpMyAdmin/"
    <Directory "C:/xampp/phpMyAdmin">
        AllowOverride AuthConfig
        Require local
        ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
    </Directory>

Change to :

 Alias /phpmyadmin "C:/xampp/phpMyAdmin/"
    <Directory "C:/xampp/phpMyAdmin">
        AllowOverride AuthConfig
        Require all granted
        ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
    </Directory>

Note: this is just for text, for the security of the xampp has some search....

In your xampppath\apache\conf\extra open file httpd-xampp.conf and find the below tag:

<LocationMatch "^/(?i:(?:xampp|licenses|phpmyadmin|webalizer|server-status|server-info))">
Order deny,allow
Deny from all
Allow from ::1 127.0.0.0/8 
ErrorDocument 403   /error/HTTP_XAMPP_FORBIDDEN.html.var   

and add Allow from all after Allow from ::1 127.0.0.0/8 {line}

Restart xampp, and you are done.

If you're using a newer XAMPP (for example for PHP 5.6, 7) which is built with "Bitnami" installer and it includes Apache 2.4.x then this applies:

https://httpd.apache.org/docs/2.4/upgrading.html#run-time

> 2.2 configuration:

Order allow,deny
Allow from all

> 2.4 configuration:

Require all granted

This also applies to VirtualHost sections, if you have any custom virtualhost definitions.

Ubuntu (Linux)

:- $ sudo gedit /opt/lampp/etc/extra/httpd-xampp.conf

 Comment "Deny from all" in the following section,

Change file

> # New XAMPP security concept > # > Order deny,allow > > #Deny from all > #Require local > Allow from ::1 127.0.0.0/8
> fc00::/7 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
> fe80::/10 169.254.0.0/16 > > ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var > >

For many it's a permission issue, but for me it turns out the error was brought about by a mistake in the form I was trying to submit. To be specific i had accidentally put ">" sign after the value of "action". So I would suggest you take a second look at your code

I tried everything but nothing worked. So I just used : chmod -R 777 to htdocs. At least it's only in my local.

A reason for this could be Skype as well! If you use the default XAMPP settings, they both would run on the same port (80). You can:

• Turn off Skype
• Change the XAMPP port

> G:\xampp\apache\conf\extra\httpd-vhosts.conf

#start block
NameVirtualHost *:80

<VirtualHost *:80>
   ServerName localhost
   #change your directory name
   DocumentRoot "G:\xampp\htdocs"
</VirtualHost>

#Your vertual Host
<VirtualHost *:80>
    DocumentRoot "G:/xampp/htdocs/dev2018/guessbook"
    ServerName dev.foreign-recruitment
    <Directory "G:/xampp/htdocs/dev2018/guessbook/">

    </Directory>
</VirtualHost>
#end block

This could be because of wrong configuration, esp if your other sites are working fine.

<VirtualHost cmsdemo.git:88>
    DocumentRoot "C:/Projects/rwp/"
    ServerName cmsdemo.git
    <Directory C:/Projects/cmsdemo/>
        Require all granted 
        AllowOverride All
    </Directory>
</VirtualHost>

Notice in DocumentRoot I am specifying one folder and in Directory, I am specifying another hence 403 Error. This fixed my problem.

for anyone having problems when using xampp and IIS using windows,

check the xamp panel on apache which port is using

Let assume apache is using port 81 then try this

http://127.0.0.1:81/

for me worked like charm, it might help someone in future

With Windows 10, these options don't work for me.

After reinstalling many times without understand the initial warning about User Account Control (UAC), it work me with these steps:

• Rename C:\xampp to C:\xampp_old,
• Create manually the C:\xampp folder
• Reinstall XAMPP in C:\xampp
• Move your app, if it was configurated, to new installation folder.

Now, if you want you can delete C:\xampp_old. I tried to install XAMPP in my desktop folder, but it failed me because my Windows user contains a space character and Apache doesn't run.