Setup ‘https’ in XAMPP for localhost

Steps involved:

1. Create certificate
2. Config Apache to access https instead of http
3. Config mod rewrite to generate SSL url
4. Config Virtual host to test site

Step 1 : Create certificate

• Go to your XAMPP installation directory (in my case it’s E:\xampp), figure out apache folder. In this, find & run batch file named makecert.bat

• A CMD window will appear like that, this is where you setup your certificate to verify your website. All you need is only typing all information that ‘s very easy, except one information “Common Name”, at this you must be typed exactly your URL website. For example in localhost, I will use a Virtual host URL (I will configure it later)

FYI — The generated .crt & .key will be stored in C:\xampp\apache\conf\ssl.crt and C:\xampp\apache\conf\ssl.key folders respectively. No need to move them, but you will need to tell your httpd-vhosts.conf file where they are (Step 4).

Step 2: My httpd-xampp.conf results:

<Directory "C:/xampp/htdocs/xampp">
    <IfModule php7_module>
    	<Files "status.php">
    		php_admin_flag safe_mode off
    	</Files>
    </IfModule>
    AllowOverride AuthConfig
    SSLRequireSSL
</Directory>
Alias /phpmyadmin "C:/xampp/phpMyAdmin/"
<Directory "C:/xampp/phpMyAdmin">
        AllowOverride AuthConfig
        Require local
        ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
        SSLRequireSSL
</Directory>
Alias /webalizer "C:/xampp/webalizer/"
<Directory "C:/xampp/webalizer">
    <IfModule php7_module>
        <Files "webalizer.php">
            php_admin_flag safe_mode off
        </Files>
    </IfModule>
    AllowOverride AuthConfig
    Require local
    ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
    SSLRequireSSL
</Directory>

Step 3: Config mod_rewrite to generate SSL url

I didn’t do as I didn’t need/want the force redirects. However below is the process.

• This next optional step is to redirect “http” requests to “https” requests for the pages we want to secure. This is more user friendly and allows you to still use http when you type in the address (and automatically switch to https:// and encryption). If you don’t do this, and you used SSLRequireSSL, you will only be able to access these pages by typing https://. This is fine and probably a little bit more secure, but is not so user friendly. To accomplish the redirection, we will use mod_rewrite so that we don’t have to use the server name in this part of the config file. This helps keep small the number of places in the config files where the server name is written (making your config files more maintainable).
• First, we need to make sure that mod_rewrite is enabled. To do this, edit E:\xampp\apache\conf\httpd.conf and get rid of the comment (# character) in this line : #LoadModule rewrite_module modules/mod_rewrite.so Make it look like this :LoadModule rewrite_module modules/mod_rewrite.so

• Now paste all this text to the config file at address E:\xampp\apache\conf\extra\httpd-xampp.conf(That is rewrite URL, if not, you can't access your site via SSL):

<IfModule mod_rewrite.c>
    RewriteEngine On

    # Redirect /xampp folder to https
    RewriteCond %{HTTPS} !=on
    RewriteCond %{REQUEST_URI} xampp
    RewriteRule ^(.*) https://%{SERVER_NAME}$1 [R,L]

    # Redirect /phpMyAdmin folder to https
    RewriteCond %{HTTPS} !=on
    RewriteCond %{REQUEST_URI} phpmyadmin
    RewriteRule ^(.*) https://%{SERVER_NAME}$1 [R,L]

    # Redirect /security folder to https
    RewriteCond %{HTTPS} !=on
    RewriteCond %{REQUEST_URI} security
    RewriteRule ^(.*) https://%{SERVER_NAME}$1 [R,L]

    # Redirect /webalizer folder to https
    RewriteCond %{HTTPS} !=on
    RewriteCond %{REQUEST_URI} webalizer
    RewriteRule ^(.*) https://%{SERVER_NAME}$1 [R,L]

    # Redirect /folder_name folder to https
    RewriteCond %{HTTPS} !=on
    RewriteCond %{REQUEST_URI} folder_name
    RewriteRule ^(.*) https://%{SERVER_NAME}$1 [R,L]

</IfModule>

Step 4: My httpd-vhosts.conf results:

<virtualhost *:443>
    ServerAdmin webmaster@awesomesite.localhost.com
    DocumentRoot "C:/xampp/htdocs/awesomesite/" 
    ServerName awesomesite.localhost.com
    ServerAlias www.awesomesite.localhost.com 
    ErrorLog "logs/awesomesite.localhost.com-error.log" 
    CustomLog "logs/awesomesite.localhost.com-access.log" common
    SSLEngine on
    SSLCertificateFile "conf/ssl.crt/server.crt"
    SSLCertificateKeyFile "conf/ssl.key/server.key"
</virtualhost>

Note that chrome will indicate that the URL is Note Secure. This is normal for a non-verified cert. No worries, you are good to go now.