Review: XAMPP--An Apache Server Stack

By: Sean Michael Kerner
Wednesday, June 8, 2005 11:35:38 PM EST
URL: http://www.linuxplanet.com/linuxplanet/reviews/5888/1/

The Need

The cornerstone of most open source application serving is the ubiquitous LAMP (Linux Apache MySQL PHP/Python/Perl) stack. Yet it's not always as easy as you'd expect to get all the elements of the stack properly installed and working together. Enter XAMPP, which is an effort to provide a working stack that will provide all of the stack components (except for the OS) in one simple install. No messy ./configure commands required.

The difficulty in getting Apache, PHP, Perl, Python and MySQL all properly compiled and working together is no laughing matter. Certainly, RPM-based distributions that include all the elements in a pre-compiled state have made the task easier than it once was. However, a visit to just about any open source application support board will give you an indication of how widespread configuration difficulties of the AMP stack are for users of all stripes. More often than not, MySQL support is not configured into PHP, or PHP support is not configured into Apache, or there is some other similar mismatch.

If you read the documentation for compiling and installing Apache from source (http://httpd.apache.org/docs-2.0/install.html for 2.x or http://httpd.apache.org/docs/install.html for 1.3.x) and follow the quick installation instructions, you will end up with an Apache installation that may not necessarily have either Perl, PHP or MySQL support. The same kinds of difficulties are often experienced when compiling PHP.

XAMPP is an effort to fix the above problem. Rather than slaving over ./configure options to ensure that PHP/MySQL/Python/Apache all play nice together, it provides one simple install that makes it all work. It also includes an impressive list of additional applications like ProFTPD, phpMyAdmin to administer MySQL, and eAccelerator, which helps to dramatically improve PHP performance.

Installing XAMPP

The most up to date version of XAMPP can be obtained from its SourceForge.net project page (http://sourceforge.net/projects/xampp/). For the purpose of this review I evaluated 1.4.13, which was released on April 10, 2005.

One simple line at the command prompt is all you need to get the ball rolling:

tar xzvf xampp-linux-1.4.11.tar.gz -C /opt

Successful execution will unpack all the files and install them ready to go on your server. You could actually just type /opt/lampp/lampp start at this point and you'd have a functional AMPP stack running. There are, however, a few adjustments that really should be made to bring XAMPP up to snuff. One of them is to enable the included eAccelerator program, which dramatically improves the performance of PHP. Getting it to work is a simple matter of removing the semicolon (which acts to comment out the line) in XAMPP's php.ini file, located at /opt/lampp/etc/php.ini (see Figure 1).

Security

The default LAMPP configuration is insecure and needs some tweaking, which can easily be done. There is actually a simple command that will help you to correct the most obvious insecurities. XAMPP's developers (ApacheFriends) evidently feel that XAMPP isn't for production environments, so that is part of the reason why they haven't implemented the security by default.

Type

/opt/lampp/lampp security

The security fix will allow you to protect your XAMPP installation with a password, restrict MySQL network access and set a root password for MySQL, change the default FTP password and add a password for phpMyAdmin. The security status of your XAMPP installation can easily be determined by clicking on the security tab (see Figure 2) on the XAMPP dashboard which is the default server start page (until you change it).

Beyond what the security script provides, unless you've got a good reason to have FTP on the server I'd recommend disabling it. Far too many users still send FTP passwords "in the clear" (unencrypted) and FTP hacking is an exceptionally easy attack vector.

To disable FTP type

/opt/lampp/lampp stopftp 

Also, one of the most common hacker "tricks" is to use a search engine to look for server components that have a known vulnerability. Let's say Apache version x has vulnerability y. That vulnerability has likely been widely published, so all a hacker needs to do is find Apache version x to execute the exploit. If you tell the world what you're running, you make it easier for them to exploit you. There is something to be said for security in anonymity.

XAMPP does not provide a script to make this change in Apache's httpd.conf, so you'll have to edit the file yourself. The change is made in the ServerTokens directive of httpd.conf. XAMPP by default has it set to "Full", which sends all the version information about Apache and the various compiled modules. Change the entry to "Prod", which offers the least level of detail and will only reveal that Apache (not the version) is running.

So instead of having your server report "Apache/2.0.53 (Unix) mod_ssl/2.0.53 OpenSSL/0.9.7d PHP/5.0.4 DAV/2 mod_perl/1.999.21 Perl/v5.8.6 Server at hostname/ Port ", which is a veritable buffet for a hacker, you simply get "Apache Server at hostname/ Port", which makes target enumeration significantly more difficult.
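One way to verify the ServerTokens change, as an added example that is not part of the original review or of XAMPP itself. The function names and the sample config files are constructed for illustration; on a real install you would point the check at your own httpd.conf.

```shell
#!/bin/sh
# Added example: audit an httpd.conf for the ServerTokens setting.
# Function names and sample files are hypothetical, built for this example.

# Print the effective ServerTokens value of a config file. Directive names
# are case-insensitive, comment lines are skipped, the last occurrence wins,
# and Apache falls back to "Full" when the directive is absent.
effective_server_tokens() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "servertokens" && NF >= 2 { value = $2 }
        END { print (value == "" ? "Full" : value) }
    ' "$1"
}

# Return 0 when the banner is reduced to the product name only, 1 otherwise.
server_tokens_hardened() {
    case "$(effective_server_tokens "$1" | tr 'A-Z' 'a-z')" in
        prod|productonly) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when a banner string still carries version numbers ("/" + digit).
banner_leaks_versions() {
    printf '%s\n' "$1" | grep -Eq '/[0-9]'
}

# Constructed sample configs: a commented-out fix, a real fix, and no directive.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '# ServerTokens Prod' 'ServerTokens Full' > "$tmp/default.conf"
printf '%s\n' 'ServerTokens Full' '  servertokens Prod' > "$tmp/hardened.conf"
: > "$tmp/empty.conf"

for f in default hardened empty; do
    if server_tokens_hardened "$tmp/$f.conf"; then s=OK; else s=WEAK; fi
    echo "$f.conf: ServerTokens=$(effective_server_tokens "$tmp/$f.conf") [$s]"
done
```

The commented-out "Prod" line and the missing directive both report WEAK, which are the two ways this edit most often fails to take effect.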

Running XAMPP - Features

Beyond the fact that XAMPP bundles all the key elements of an AMPP stack and makes them work together it also includes a bunch of additional elements that expand the functionality and manageability of the stack.

MySQL without a GUI admin interface is a difficult beast to tame, and that's why XAMPP has included phpMyAdmin in the offering. It's actually built right into the main XAMPP dashboard as a tab, so it's easily accessible as well. In some cases MySQL is overkill for basic database needs. XAMPP covers that need with the inclusion of SQLite and its GUI admin, phpSQLiteAdmin. The included Webalizer Apache log file analyzer is basic, but it sure does beat trying to manually make sense of a log file.

PHP functionality has also been enhanced with the Freetype and Ming extensions, which provide additional dynamic graphics capabilities to PHP. Both extensions also have demos included on the main XAMPP dashboard. Under the Instant Art tab is an Example for PHP+GD+FreeType, and under the Flash Art tab is an Example for PHP+MING.

Though PHP 5 was introduced in July of 2004 and offers the promise of backward compatibility with PHP 4 there are still a fair number of applications that just don't seem to work on PHP 5. XAMPP helps to alleviate the issue somewhat by including both PHP 4 and 5 as well as providing a simple command to switch between the two.

Type

php5        Activate PHP5
php4        Activate PHP4
phpstatus   Which version of PHP is active?

This version of XAMPP includes:

Apache 2.0.53
MySQL 4.1.11
PHP 4.3.11
PHP 5.0.4
Perl 5.8.6
ProFTPD 1.2.10
phpMyAdmin 2.6.1-pl3
OpenSSL 0.9.7d
GD 2.0.1
Freetype 2.1.7
libjpeg 6b
libpng 1.2.7
gdbm 1.8.0
zlib 1.1.4
expat 1.2
Sablotron 1.0
libxml 2.6.11
libxslt 1.1.8
Ming 0.2a
Webalizer 2.01
pdf class 009e
ncurses 5.8
mod_perl 2.0.0-RC4
FreeTDS 0.62.4
gettext 0.11.5
IMAP C-Client 2002b
OpenLDAP (client) 2.2.13
mhash library 0.8.18
mcrypt library 2.5.7
cURL 7.13.1
SQLite 2.8.9 (in case of PHP5: 2.8.14)
phpSQLiteAdmin 0.2
eAccelerator 0.9.2a

Conclusion

Though the ApacheFriends people don't recommend XAMPP for production environments, I've run the latest XAMPP version in a production environment for the last six weeks without issue. Certainly it's not a be all and end all solution for a web serving stack though. XAMPP is missing some kind of easy to use Apache server configuration tool that would help to set up virtual servers. As well, on its own it's not really a completely secure solution as it does not include any sort of IDS (like SNORT for example) which is really an imperative in today's insecure internet.

XAMPP is however one of the easiest Apache stack configurations that I've ever come across or deployed. It provides the core of what you need with a few goodies tossed in for good measure. Being a purist myself, I still derive a great deal of satisfaction and professional pride in compiling AMPP stack components and options on the command line, though I suspect that people like me are now becoming the minority.

For those who are having difficulty getting all the components of their AMPP stack working, XAMPP may well be a more than adequate solution.

Copyright Jupitermedia Corp. All Rights Reserved.