HTTPS with virtual hosts on XAMPP

Until now, I never used HTTPS for local development domains. Now I had to use it for a project, and here is how to get it working on XAMPP with virtual hosts.

Update from May 31, 2018: Before the update, I described the creation of an SSL certificate as the first necessary step before setting up the virtual host. But your browser will display a warning regardless if there is a self-created cert or not, so I removed this part. You need to add your local site as an exception to not get the warning every time.

Update from June 1, 2018: Seems that you need the cert file, otherwise apache will not start, so I added this part back to the post.

Two steps are necessary for the solution:

  1. Creating an SSL certificate.
  2. Set up the virtual host.

The requirement is (of course) XAMPP.

Creating an SSL certificate

A good tutorial about creating a cert is on robsnotebook.com. It is from 2007, but works. To create a certificate, you can follow these steps on the command line:

  1. Go to the Apache directory C:\xampp\apache.
  2. Run makecert.
  3. Enter a PEM passphrase and the other information you are asked for. For Common Name, you should enter the domain you want to use for the virtual host, so the certificate is signed for that domain.
  4. After processing all steps, you maybe want to import the cert into your browser (it lives under C:/xampp/apache/conf/ssl.crt/server.crt). Nevertheless, you will get a warning about insecure self-signed certificate after loading your website – you need to add it as an exception.

Set up virtual host with HTTPS

Entry in the Windows hosts file

To let Windows know, for example, that the domain florianbrinkmann.dev should point to the IP address 127.0.0.1 (localhost), we have to insert an entry in the Windows hosts file. The file can be found in C:\Windows\System32\drivers\etc. To edit it, you need admin privileges (search for the editor in Windows, right-click on it and choose Run as administrator).

At the end of the hosts file, add an entry with the following pattern:

127.0.0.1 florianbrinkmann.dev

You have to replace the domain with your own development domain. Afterwards, you can save and close the file.

Creating the Virtual Host in Apache

The virtual hosts in Apache can be found in the C:\xampp\apache\conf\extra\httpd-vhosts.conf file. Open the file and insert an entry according to the following pattern (an answer from stackoverflow.com was very helpful – the related question also, it brought me to the article on SSL certificate setup):

<VirtualHost florianbrinkmann.dev:80>
	DocumentRoot "C:\xampp\htdocs\florianbrinkmann.dev"
	ServerName florianbrinkmann.dev
	<Directory "C:\xampp\htdocs\florianbrinkmann.dev">
	Order allow,deny
	Allow from all
	</Directory>
</VirtualHost>

<VirtualHost florianbrinkmann.dev:443>
	DocumentRoot "C:\xampp\htdocs\florianbrinkmann.dev"
	ServerName florianbrinkmann.dev
	SSLEngine On
	SSLCertificateFile "C:/xampp/apache/conf/ssl.crt/server.crt"
	SSLCertificateKeyFile "C:/xampp/apache/conf/ssl.key/server.key"
	<Directory "C:\xampp\htdocs\florianbrinkmann.dev">
	Order allow,deny
	Allow from all
	</Directory>
</VirtualHost>

Here you have to adjust the settings for DocumentRoot, ServerName, Directory, and the domain in the VirtualHost element. The first VirtualHost is for HTTP connections, the second for HTTPS connections.

Maybe you have to uncomment the following line in the C:\xampp\apache\conf\httpd.conf:

LoadModule ssl_module modules/mod_ssl.so

Now you can restart Apache and open your site with HTTPS (including browser warning…).

Related posts

6 comments on »HTTPS with virtual hosts on XAMPP«

    1. Florian Brinkmann

      Hi Azamat,

      you can add your site as an exception, so that the browser does not check if the cert is from a trusted authority (how to do that exactly depends on the browser. In Firefox and Chrome, there is a button at the bottom of the warning, where you can add the site as an exception).

      Best,
      Florian

      Reply
    1. Florian Brinkmann

      Hi Mike,

      sorry for the late reply, your comment was marked as spam…
      No, you do not need to create a cert per host. In the meantime I think you do not need to create a cert at all. Even if there is no cert, you can set an exception for the browser warning and use the local site via https.

      Best,
      Florian

      Reply

Leave a Comment

Your email address will not be published. Required fields are marked *