Setting Up mod_status on Apache

Via hacker news I found an interesting article that talked about popular sites that leave the server status page visible to everybody. If you would like to read the article, you can find it at http://blog.sucuri.net/2012/10/popular-sites-with-apache-server-status-enabled.html. This got me interested on setting up mod_status on my server. Now, I want to teach you how you can set up mod_status on your server and make sure only you can access it. The first thing you need to do is make sure mod_status is enabled. Open the terminal and type:


a2enmod status

If you need admin permissions, use sudo in front of everything else.

Once it is enabled, we need to set a handler for it. Open you apache2.conf file, or httpd.conf file depending on which you use. In my case, running ubuntu on my server, I use apache2.conf, located at /etc/apache2/apache2.conf. Since this file is most likely owned by the server, you need to use sudo:


sudo vim /etc/apache2/apache2.conf

Now you need to add this to that file:


<Location /server-status>
SetHandler server-status

Order Deny,Allow
Deny from all
Allow from .example.com
</Location>

What this is doing is setting a Location handler for the /server-status path. The handler is the server-status module. Then we proceed to deny access to it for all, and allow access only from example.com and any subdomine of it. You will need to change that part to allow access only for the desired domains. In my case, I access my server from the internal network, so I allowed access only from the ip of the machine that I use to access the server.

Let me explain a bit more that part. I have a server running, which can be accessed via its url. However, in my hosts file I’ve set up a rule to point the server’s url to the server’s internal ip. This is important because then my computer accesses the server from its internal ip, which is 192.168.0.10. The server’s internal ip is 192.168.0.14. Now, what I need to do is allow access to the /server-status page only to connections coming from 192.168.0.10, which is my computer’s ip. So the part I added to the apache2.conf file looks like this:


<Location /server-status>
SetHandler server-status

Order Deny,Allow
Deny from all
Allow from 192.168.0.10
</Location>

Now I can access the /server-status information only from my computer. Not even the server itself has access to it.

You can change the Location part to something else like Location /status or Location /pirates, and then you would access the server info via that path, but I found that doing that allows the server to access the information via /server-status even if we specify access only for connections coming from a different ip than the server’s. My suggestion would be to leave the Location part as is.

To learn more about the mod_status module, check out the apache docs page: http://httpd.apache.org/docs/2.2/mod/mod_status.html