Guide to configure SSL in XAMPP for Windows

SSLXampp.md

How to test 'https' in XAMPP for localhost ? I will guide you

Menu

• Create certificate
• Config Apache to access https instead of http
• Config mod rewrite to generate SSL url
• Config Virtual host to test site

Step 1 : Create certificate

• Go to your XAMPP installation directory (in my case it’s E:\xampp), figure out apache folder. In this, find & run batch file named makecert.bat

  

• A CMD window will appear like that, this is where you setup your certificate to verify your website. All you need is only typing all information that ‘s very easy, except one information “Common Name”, at this you must be typed exactly your URL website. For example in localhost, I will use a Virtual host URL (I will configure it later)

  

Step 2 : Config Apache to access https instead of http

• Now this is time for you to config Apache to access folders with “https” instead of “http”. First, we will force ssl when access folders by add this directive “SSLRequireSSL” in this config file (e:\xampp\apache\conf\extra\httpd-xampp.conf)

  

• Open this and add line that I talked above in all list folders below :

  • e:\xampp\phpmyadmin
  • e:\xampp\htdocs\xampp
  • e:\xampp\webalizer
  • e:\xampp\security\htdocs

• Another config file that also need directive SSLRequireSSL located in e:\xampp\webdav.

Step 3: Config mod_rewrite to generate SSL url

• This next optional step is to redirect “http” requests to “https” requests for the pages we want to secure. This is more user friendly and allows you to still use http when you type in the address (and automatically switch to https:// and encryption). If you don’t do this, and you used SSLRequireSSL, you will only be able to access these pages by typing https://. This is fine and probably a little bit more secure, but is not so user friendly. To accomplish the redirection, we will use mod_rewrite so that we don’t have to use the server name in this part of the config file. This helps keep small the number of places in the config files where the server name is written (making your config files more maintainable).

• First, we need to make sure that mod_rewrite is enabled. To do this, edit E:\xampp\apache\conf\httpd.conf and get rid of the comment (# character) in this line : #LoadModule rewrite_module modules/mod_rewrite.so Make it look like this : LoadModule rewrite_module modules/mod_rewrite.so

  

• Now paste all this text to the config file at address E:\xampp\apache\conf\extra\httpd-xampp.conf(That is rewrite URL, if not, you can't access your site via SSL):

  <IfModule mod_rewrite.c>
      RewriteEngine On
  
      # Redirect /xampp folder to https
      RewriteCond %{HTTPS} !=on
      RewriteCond %{REQUEST_URI} xampp
      RewriteRule ^(.*) https://%{SERVER_NAME}$1 [R,L]
  
      # Redirect /phpMyAdmin folder to https
      RewriteCond %{HTTPS} !=on
      RewriteCond %{REQUEST_URI} phpmyadmin
      RewriteRule ^(.*) https://%{SERVER_NAME}$1 [R,L]
  
      # Redirect /security folder to https
      RewriteCond %{HTTPS} !=on
      RewriteCond %{REQUEST_URI} security
      RewriteRule ^(.*) https://%{SERVER_NAME}$1 [R,L]
  
      # Redirect /webalizer folder to https
      RewriteCond %{HTTPS} !=on
      RewriteCond %{REQUEST_URI} webalizer
      RewriteRule ^(.*) https://%{SERVER_NAME}$1 [R,L]
  
      # Redirect /folder_name folder to https
      RewriteCond %{HTTPS} !=on
      RewriteCond %{REQUEST_URI} folder_name
      RewriteRule ^(.*) https://%{SERVER_NAME}$1 [R,L]
  
  </IfModule>
  

Step 4 : Config Virtual host to test site

It’s time to config a virtual host to make a better URL to access our project. So, let’s go to file at address : E\xampp\apache\conf\extra\httpd-vhosts.conf Create new virtual config as following sample :

• VirtualHost *:443 : This is port to run SSL

• DocumentRoot : Point to your project folder

• SSLEngine on : Turn on SSL

• SSLCertificateFile : Just copy, don’t modified it because in step create certificate, XAMPP will auto put your certificate in appropriate folder.

• SSLCertificateKeyFile : Same as SSLCertificateFile.

  After all, if you configure everything correctly, it will show you result like this :

  

This actually worked for me. Just putting down notes below that might help:

Step 1: FYI - The generated .crt & .key will be stored in C:\xampp\apache\conf\ssl.crt and C:\xampp\apache\conf\ssl.key folders respectively. No need to move them, but you will need to tell your httpd-vhosts.conf file where they are (Step 4).

Step 2: My httpd-xampp.conf results:

<Directory "C:/xampp/htdocs/xampp">
    <IfModule php7_module>
    	<Files "status.php">
    		php_admin_flag safe_mode off
    	</Files>
    </IfModule>
    AllowOverride AuthConfig
    SSLRequireSSL
</Directory>

Alias /phpmyadmin "C:/xampp/phpMyAdmin/"
<Directory "C:/xampp/phpMyAdmin">
        AllowOverride AuthConfig
        Require local
        ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
        SSLRequireSSL
</Directory>

Alias /webalizer "C:/xampp/webalizer/"
<Directory "C:/xampp/webalizer">
    <IfModule php7_module>
        <Files "webalizer.php">
            php_admin_flag safe_mode off
        </Files>
    </IfModule>
    AllowOverride AuthConfig
    Require local
    ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
    SSLRequireSSL
</Directory>

Step 3: I didn't do as I didn't need/want the force redirects.

Step 4: My httpd-vhosts.conf results:

<virtualhost *:443>
    ServerAdmin [email protected]
    DocumentRoot "C:/xampp/htdocs/awesomesite/" 
    ServerName awesomesite.localhost.com
    ServerAlias www.awesomesite.localhost.com 
    ErrorLog "logs/awesomesite.localhost.com-error.log" 
    CustomLog "logs/awesomesite.localhost.com-access.log" common

    SSLEngine on
    SSLCertificateFile "conf/ssl.crt/server.crt"
    SSLCertificateKeyFile "conf/ssl.key/server.key"
</virtualhost>

Note that chrome will indicate that the URL is Note Secure. This is normal for a non-verified cert.

@ayandyan Thank you kindly. This configuration works great! :D

Your instructions were clear and concise. Thanks a lot, your comment has saved me a lot of time.

Great work, but it's poorly explained..!

This site worked for me, nothing else, maybe I am dumb, but this site is very simple

https://ssl.indexnl.com/

@ayandyan - How about writing another tutorial on this subject? You seem to have done half of the work already and yours is the simplest explanation by far. Giving examples - what a breakthrough :-) Many thanks.

@DavidWalley Here is the original document the thread starter copied: http://robsnotebook.com/xampp-ssl-encrypt-passwords

This posters command of English is clearly not the best. You can tell because alot is left open to interpretation. I don't understand why they went about butching the original documentation for brevity as this creates issues for anyone trying to follow it to the letter.

Can we vote to delete this so called "Guide to HTTPS" .
You are guiding us in air. youre flying.

Great article! I'm searching the internet just to find an article that would be very helpful and interesting. This article helps me a lot for my lesson and discussion and I recommend it to the students of the Top universities in the Philippines.

@ayandyan Thank you. Your simple explanation works fine.

I have some problem with this tutorial :

1. myVirtualHost is unknowed.
   -> edit "hosts" file in "C:\Windows\System32\drivers\etc"
   -> add this line : "127.0.0.1 myVirtualHost" and save
   -> no need to restart anything just refresh the page in browser
   -> Why isn't it described in tutorial ?

2. The https://myVirtualHost doesn't work properly. Apache show me the "C:/xampp/htdocs/index.php" at place of my "C:/xampp/htdocs/myApplication/public"
   Here my VirtualHost declaration :
   <VirtualHost *:433>
ServerName myVirtualHost
DocumentRoot "C:/xampp/htdocs/myApplication/public"
ErrorLog "logs/myApplication-error.log"
CustomLog "logs/myApplication-access.log" common
SSLEngine on
SSLCertificateFile "C:/xampp/apache/conf/ssl.crt/server.crt"
SSLCertificateKeyFile "C:/xampp/apache/conf/ssl.key/server.key"
</VirtualHost>

I have find an awfull fix :
-> open file "C:/xampp/apache/conf/extra/httpd-ssl.conf"
->edit line 124 (before : DocumentRoot "C:/xampp/htdocs") (after : DocumentRoot "C:/xampp/htdocs/myApplication/public")

But i'm interesting if someone can explain why apache ignore my virtualhost declaration ;)

Without going deep I can note that your secure port is wrong <VirtualHost *:433>, it should be <VirtualHost *:443>, but I'm sure you already not this.
Hope it helps @bArraxas
By the way i couldn't make it through this tutorial neither.

after followed this tutorial and tried a ton of things, i found another tutorial to work better (especially with certificate issues), i also had to add my website folder which is outside of xampp folder, so i had to add more things..
for more details click here

Hi, I managed to follow the instructions until Step 4, this was unclear to me how to write the code so the comments above (bArraxas and others!) helped. But now I get "Warning: mysqli_real_connect(): (HY000/2002): php_network_getaddresses: getaddrinfo failed: No such host is known. in C:\xampp\htdocs\whweb\wp-includes\wp-db.php on line 1626" which I don't understand:

wp-db.php shows:

so I continued to the articles linked by ligantx and Darkonnen. Great investigation!

More direct tutorial below, still looking for an even better one!
https://gist.github.com/adnan360/ad2b1cfc44114ac6f91fbb668c76798d

worst tutorial ever

worst tutorial ever

I'll tell you a secret.. make a better one :)

I don't know what it is, but definitely not a tutorial. A piece of fiction, gently speaking.

If you can't make a tutorial that can be understood clearly you should not bother with it!

@ayandyan I followed the httpd-xampp.conf file, but an error occurred in the apache xampp, the error was blocked port

maybe there is another solution ... ???

totally wasted my time following this "tutorial". Please delete this and learn to write correctly next time.

How would i do this if i already own a cert?

My provider gave me 3 files + a key

mydomain.cer
Sectigo_RSA_Domain_Validation_Secure_Server_CA.crt
USERTrust_RSA_Certification_Authority.crt

I have no idea where to put which files, and in which config files. tried several tutorials, can't get it working

Do no use this tutorial.

Fake tutorial

He created this note for himself and I can understand why people don't understand. Please be kind.

This actually worked for me.
same here! Thx

Its not really that hard, sorry if you were having some trouble, instead of paying for a cert what you need is to create one at Lets Encrypt, this application was made for this purpose, the best thing about it is that you can generate your cert free, but it expires after 3 months, all one needs to do is write a small cron job in python or whatever you prefer, that auto renews the cert and viola! free cert for life :)
i have attached a screen shot here to show you all the relevant stuff you need to know in one image, think cheat sheet hehehe, if you have any questions dont hesitate to get in touch, all the best guys. (ps it should not take you more than 15 minutes to set a new SSL secured domain up, you will notice i only use free stuff, but thats very good, better than most commercial stuff you find out there, and with those few remarks here you go ...)

(create crs file, get it verified by a CA like lets encrypt or comodo) on the left, create your folders, insert the appropriate files and then upload to your server then create your virtual host code and append it, easy, restart apache. and we are good.

my https:// is now active. it took me the time before the first post and this one to propagate 5 minutes or so, all the best :)