Sunday, September 24, 2017

ubuntu - Unable to limit Apache server-status page to localhost




I am using Apache 2.4.18 on Ubuntu.



I want to allow reading server status only from localhost.



In /etc/apache2/mods-enabled/status.conf I have:




<Location /server-status>
    SetHandler server-status
    Require ip 127.0.0.1
</Location>




I have read https://httpd.apache.org/docs/2.4/howto/access.html and from it I believe the above configuration should be working. I have restarted Apache to ensure that the new configuration is active. However, the status page is still open for reading from anywhere.



In /etc/apache2/sites-enabled/mysite.conf I have:



DocumentRoot /var/www
<Location />
    Require all granted
</Location>




What is wrong with my configuration?


Answer



From what I can see, the virtual host config file seems to take precedence over the mod_status config file.



Actually, you grant all to / within mysite.conf:




Require all granted




As a result, everyone can access /server-status.



You would have to manage permissions to /server-status in the virtual host config file itself /etc/apache2/mods-enabled/status.conf:



DocumentRoot /var/www
<Location />
    Require all granted
</Location>
<Location /server-status>
    Require local
</Location>



From there, whatever permissions you set in /etc/apache2/mods-enabled/status.conf they will be ignored as /etc/apache2/mods-enabled/status.conf takes precedence.
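
Why the later section wins, as an added example that is not part of the original question or answer: a small Python model of how Apache 2.4 picks the authorization for a URL when several `<Location>` sections match and `AuthMerging` is at its default of `Off`. It assumes the two files are the `<Location /server-status>` and `<Location />` sections discussed above; the section list, the helper names and the client address 203.0.113.7 are constructed for illustration.

```python
import ipaddress

# Constructed model of the two files from the question, in the order Apache
# processes <Location> sections: main-server config first, then the vhost.
QUESTION = [
    ("mods-enabled/status.conf", "/server-status", ["ip 127.0.0.1"]),
    ("sites-enabled/mysite.conf", "/", ["all granted"]),
]
# The fix: the vhost gets its own, later <Location /server-status> section.
FIXED = QUESTION + [("sites-enabled/mysite.conf", "/server-status", ["local"])]


def location_matches(location, path):
    """Prefix match as done by <Location>: /a matches /a and /a/b, not /ab."""
    prefix = location.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


def winning_section(sections, path):
    """With AuthMerging Off (the default), the last matching section that has
    Require directives replaces the authorization of all earlier ones."""
    winner = None
    for source, location, requires in sections:
        if requires and location_matches(location, path):
            winner = (source, location, requires)
    return winner


def require_ok(rule, client):
    addr = ipaddress.ip_address(client)
    if rule == "all granted":
        return True
    if rule == "local":  # loopback only; "client address == server address" is omitted
        return addr.is_loopback
    if rule.startswith("ip "):
        return addr in ipaddress.ip_network(rule[3:], strict=False)
    raise ValueError(f"unsupported Require rule: {rule}")


def allowed(sections, path, client):
    section = winning_section(sections, path)
    # Assumption of this model: no matching section means the request is allowed.
    # Several Require lines in one section act as RequireAny.
    return section is None or any(require_ok(r, client) for r in section[2])


if __name__ == "__main__":
    for name, cfg in (("question", QUESTION), ("fixed", FIXED)):
        for client in ("127.0.0.1", "203.0.113.7"):
            print(name, client, allowed(cfg, "/server-status", client))
```

On a real server, confirm the result by requesting /server-status once from the host itself and once from another machine after reloading Apache.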

