Ubuntu – Unable to limit Apache server-status page to localhost

apache-2.4Apache2Ubuntu

I am using Apache 2.4.18 on Ubuntu.

I want to allow reading server status only from localhost.

In /etc/apache2/mods-enabled/status.conf I have:

<Location /server-status>
          SetHandler server-status
          Require ip 127.0.0.1
</Location>

I have read https://httpd.apache.org/docs/2.4/howto/access.html and and from I belive the above configuration should be working. I have restarted Apache to ensure that new configuration is active. However the status page is still open for reading from anywhere.

In /etc/apache2/sites-enabled/mysite.conf I have:

 DocumentRoot /var/www
 <Location />
        Require all granted
 </Location>

What is wrong with my configuration?

Best Answer

From what i can see, the virtual host config file seems to take precedence over the mod_status config file.

Actually you grant all to / within mysite.conf :

<Location />
        Require all granted
</Location>

This results in that everyone can access /server-status.

You would have to manage permissions to /server-status in the virtual host config file itself /etc/apache2/sites-enabled/status.conf :

DocumentRoot /var/www
 <Location />
        Require all granted
 </Location>
 <Location /server-status>
        Require local
 </Location>

From there, whatever permissions you set in /etc/apache2/mods-enabled/status.conf they will be ignored as /etc/apache2/sites-enabled/status.conf takes precedence.

Related Solutions

Ubuntu – How To Tune Apache on Ubuntu 14.04 Server

Recognize that Ubuntu 14.04 uses Apache 2 with PHP running through an mpm_prefork module, of which an editable file is in /etc/apache2/mods-enabled/mpm_prefork.conf. Also, recognize that starting in Apache 2.4, MaxClients is now renamed as MaxRequestWorkers, and so any documentation regarding MaxClients needs to be switched to MaxRequestWorkers.
Stop the Apache web service with the following command, temporarily:

    sudo service apache2 stop

Wait 5 seconds and then run the following command to find out how much virtual memory you have on the server that is free:

    sudo free -ht

Read the Mem: line and look at the free column. Consider this as the amount of RAM that you can dedicate to Apache, although I usually like to deduct 2GB on a beefier server (as in > 4GB), or 1GB on a lighter server. So, if the free column said I had 13GB free, I would recommend giving Apache 11GB. That's a baseline. If we encounter any database issue in the logs occasionally (as in like 3 times in the logs over a 3 day period) that it needs more memory, then we might consider that we only had 10GB to play with instead of 11GB (in this case). If we encounter in the Apache logs that the server needs more MaxRequestWorkers, then that's a separate issue I'll address below.

Start the Apache web server.

    sudo service apache2 start

Open like 10 browser tabs, connect to some of your longer or slower-loading pages from your website, and refresh like 3-4 times on each tab.
After doing that, rapidly now run the following command:

    sudo ps -ylC apache2 | awk '{x += $8;y += 1} END {print "Apache Memory Usage (MB): "x/1024; print "Average Process Size (MB): "x/((y-1)*1024)}'

Run it like 5 times rapidly.

Look at the Average Process Size value and average that value out among the 5 times you ran that.

Now do the following math, and be sure to convert GB to MB as necessary so that all the numbers are in MB values. So, either multiply times 1024 or divide by 1024, depending on which way you need to go.

MaxRequestWorkers = Baseline Free (with buffer space) / Avg Process Size

For example, I had a 14GB server, but when Apache was stopped the server showed it used 1GB RAM in idle. I then provide another 1GB in some extra buffer space for the OS in case it needs it. That means I would have a Baseline Free of 12GB. Now I must convert it from GB to MB, and so I multiply 12 x 1024 and get 12288. The 12288 MB is my Baseline Free value. In my case I saw that the Average Process Size was 21MB. So, I take 12288 / 21 and I get approximately 585. Now, it's common that sysops round down this value, and so I got 580.

Edit the file /etc/apache2/mods-enabled/mpm_prefork.conf and consider setting it to the following defaults, replacing XXX with your MaxRequestWorkers calculation:

`<IfModule mpm_prefork_module>`
  StartServers                    2
  MinSpareServers                 2
  MaxSpareServers                 5
  MaxRequestWorkers               XXX
  ServerLimit                     XXX
  MaxConnectionsPerChild          0
</IfModule>

Note that you may not see the ServerLimit parameter there. Add it. This parameter defaults to 256 if not present, but needs to be the same value as MaxRequestWorkers or you'll get an error.

Another critical factor in your Apache configuration is the /etc/apache2/apache2.conf file with the Timeout variable and is measured in seconds. This is how long you can send or receive from the server before it times out. You have to also keep in mind a file upload or file download, such as if you have a website where people can upload or download CSV or other large files, for instance. And you need to keep in mind a busy database server and where you might need to provide some time before pages timeout. The smaller you make that Timeout variable, the more available the web server is to receive new connections. Note, however, that setting this value too low may cause havoc with PHP session variables, although not with browser session-based cookies. So, for instance, a value of 300 (5 minutes) might be good for a web server that relies on PHP session variables for web app workflow instead of browser session cookies. A value of 45 might be good for a web server that serves up nothing more than static advertising landing pages, but would be terrible for a server that needs to use PHP session variables a great deal. So, edit the Timeout parameter in this file to the amount you need. This may take some testing with all your web pages to see if the value is too low. It's probably a good idea, however, to not set it higher than 300 unless you're seeing problems in large file uploads or large file downloads.
Now restart your Apache web service. If you did something wrong, Apache will likely tell you about it the moment you start it again, and you can rectify it.

    sudo service apache2 restart

Now repeat the 10 tab browser trick that you did previously, and see if you encounter Apache configuration errors in the Apache web server error log:

    sudo tail -f /var/log/apache2/error.log

...press CTRL+C to get out of that, should you want.

Look for a complaint about needing MaxRequestWorkers (and recently since you restarted the web server). If you see that even with an optimal MaxRequestWorkers setting, then you're likely needing more firepower for your websites or web applications. Consider these options:

Using a CDN for large file downloads, images, and scripts.
Using a caching service like CloudFlare or others.
Redoing your website or web application strategy to use multiple web servers acting as one "web app" behind a load balancer.
Adding more RAM to the server, and thus doing this calculation all over again.

Now that the Apache server is tuned, it's sort of baseline tuned. You'll need to check on it over the course of 2-3 weeks and look for MaxRequestWorker issues in the Apache error logs. From that, you can make a decision on optimization (see step 10). You can also install Munin with apt on Ubuntu and look at the Apache performance over time and plot an idea of growth before you decide you need to do anything about the amount of traffic the web server is handling.

Debian/Apache – Set up a git server + gitweb without virtualhost

After installing gitweb via apt-get, you should run the following:

# a2enmod cgi
# service restart apache2

Then enter http://your-hostname/gitweb

Best Answer

Related Solutions

Ubuntu – How To Tune Apache on Ubuntu 14.04 Server

Debian/Apache – Set up a git server + gitweb without virtualhost

Related Topic