Security – Can’t get rid of Apache server-status

apache-2.2fedoraSecurity

I am trying to deactivate the /server-status from an Apache2 running on a Fedora server.

I tried to comment the lines in /etc/httpd/conf/httpd.conf and I also tried to make it work only for my IP address, like that:

<Location /server-status>
   SetHandler server-status
   Order deny,allow
   Deny from all
   Allow from 192.168.100.138
   #Allow from 194.106.52.52
   #Allow from localhost
</Location>

There is also a Tomcat behind the Apache, and I found that configuration on it, played with that also but got no luck…

/etc/httpd/vhosts.d/enabled/mysite.conf

#JkUnMount /server-status tomcat6

<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    #Allow from localhost
</Location>

I tried to comment and uncomment the JkUnMount line and also the whole location block code.

What am I doing wrong?
Is there any other configuration file that I didn't notice?

Best Answer

1. Find all matches of /server-status in web server Apache log files using command:

% find /etc/httpd -type f -iname '*.conf' |xargs grep -n "/server-status"

2. Comment all matched blocks using # 3. Check web server Apache config:

% /sbin/service httpd configtest

3. Restart web server Apache using command:

% /sbin/service httpd graceful

Related Solutions

Apache 403 Error – Resolving server-status 403 on Non-Standard Port

this worked for me, when using varnish on port 80, serving apache from port 8000 with an additional apache Listen on port 8001 defined in

/etc/apache2/mods-enabled/status.conf

<IfModule mod_status.c>
#
# Allow server status reports generated by mod_status,
# with the URL of http://servername/server-status
# Uncomment and change the ".example.com" to allow
# access from other hosts.
#

Listen 8001
ExtendedStatus On
<VirtualHost *:8001>
    <Location /server-status>
        SetHandler server-status
        Order deny,allow
        Deny from all
        Allow from localhost ip6-localhost 
    #    Allow from .example.com
    </Location>
</VirtualHost>
</IfModule>

you can test it with lynx

lynx -dump http://127.0.0.1:8001/server-status

the lynx output should look like something like this: ~

                       Apache Server Status for 127.0.0.1

   Server Version: Apache/2.2.14 (Ubuntu) mod_ssl/2.2.14 OpenSSL/0.9.8k
   Server Built: Nov 3 2011 03:29:23
     __________________________________________________________________

   Current Time: Saturday, 03-Dec-2011 12:36:05 CET
   Restart Time: Friday, 02-Dec-2011 00:59:04 CET
   Parent Server Generation: 22
   Server uptime: 1 day 11 hours 37 minutes
   Total accesses: 44550 - Total Traffic: 368.1 MB
   CPU Usage: u27.53 s3.48 cu0 cs0 - .0242% CPU load
   .347 requests/sec - 3010 B/second - 8.5 kB/request
   2 requests currently being processed, 4 idle workers

W___._W.........................................................

--cut--

Default /server-status location not inheriting in Apache

You need to add an exclusion for proxy — your ProxyPass and ProxyPassMatch directives should look like:

ProxyPassMatch ^/(mytomcatappA|mytomcatappB)/(.*) balancer://tomcatCluster/$1/$2
ProxyPass /server-status !
ProxyPass / http://qa-web1/

! in place of the target URL means “exclude the specified path from proxying”. Directives should be ordered with the most specific URL first, because the first matching directive is used.

And putting ProxyPass and ProxyPassMatch inside <Proxy> and <ProxyMatch> containers is not documented — not sure whether it should really work correctly; just place them inside <VirtualHost>.

Best Answer

Related Solutions

Apache 403 Error – Resolving server-status 403 on Non-Standard Port

Default /server-status location not inheriting in Apache

Related Topic