Mar
15
2014

A Web Server for WordPress Development

An article by Vince

Comments Off

The first requirement I mentioned in the intro seems obvious enough. I need “a web server that can run PHP and WordPress and has the ability to serve multiple sites so that I can work on multiple projects.” Fortunately, this easy enough to do on Windows 2008 Server by downloading an Apache web server distribution called XAMPP. In the past I’ve had nothing but trouble getting any Apache stack running on my Windows 7 laptop but getting XAMPP installed on the server was a breeze. I just downloaded the distribution for windows and ran the install. I didn’t install Tomcat, which is for Java Server Pages and middleware objects, the FTP server, or the mail server.

Change Settings

One setting that might need changed is the port Apache will listen on. If IIS or some other server is already listening on port 80 then Apache can’t listen there. This is configured in the httpd.conf file found in the apache/config directory under the XAMPP installation directory. The lines you’ll want to look for are the one that says Listen and the one that says ServerName. Personally I left Apache on port 80 and changed the port IIS listens on. I develop with Dot Net also so I want IIS running but I’d rather have Apache be the main point of contact and act as a proxy server to connect to IIS.

Enable Reverse Proxy

In httpd.conf there are a a number of lines that start with LoadModule. These lines enable various features of Apache. As I mentioned, I wanted to enable the reverse proxy capabilities. This allows Apache to forward some request to another web server and just act as a middle man. The modules that I needed to uncomment were: mod_proxy, mod_proxy_html, mod_proxy_http, mod_headers (so that it can rewrite request headers), and mod_xml2enc.

Harden XAMPP

Since the XAMPP distribution is geared toward developers it ships with lots of things enabled. This is fine as long as your server is only accessible on your local network. If you want to make it accessible to the internet however you’ll probably want to harden your installation (i.e. make it more secure). Below are some references for doing so.

Check Your Firewall Settings

You can double check that the windows firewall is set the way you want for Apache. Open your Control Panel and go to System and Security >> Windows Firewall, and then click Advanced Settings. Select Inbound Rules in the list on the left. You should see two rules for Apache HTTP Server, one for TCP and the other for UDP. If you right click, select Properties and then go to the Advanced tab, you’ll see which profiles the rule is activated for. These are allow rules so if you turn them off for a profile the traffic won’t be able to get through the firewall to your machine. If you only want local network traffic make sure only Private is selected (and possibly Domain if you are on a Windows network). If you want traffic from the internet as well then make sure Public is checked.

A XAMPP Security Guide

There is a wonderful XAMPP security guide available at the Rob’s Notebook site. The guide will help you password protect the database and the administration pages, and get rid of stuff you aren’t using to reduce the number of places an attacker could focus.

Be aware that access control directives have changed between Apache 2.2 and 2.4. Review the upgrade guide from Apache if you have any trouble with Allow from or Deny from directives. I had trouble when trying to allow connections only from localhost. I had to use the new ‘Require local’ directive.

Next we’ll look at configuring virtual hosts and after that I’ll tell you about a couple other server applications you might find useful.