You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Scott Brynen <sc...@brynen.com> on 2002/07/11 02:53:19 UTC
server-status, access commands and Named Virtual Hosts
Has anyone else out there noticed that if you add the server-status
handler, *AND* you're using named virtual hosts, the access commands aren't
processed and everyone on the net can access your /server-status ?
example from my httpd.conf
<Location /server-status>
SetHandler server-status
order deny,allow
Deny from all
Allow from 192.168.0
Allow from 24.65.162.171
</Location>
Yet my /server-status is available to everyone on the net!
---
* Put your spare computer time to good use.. Help Dogbert crack RC5-64
* http://www.brynen.com/rc5.html
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
RE: server-status, access commands and Named Virtual Hosts
Posted by Scott Brynen <sc...@brynen.com>.
Ryan;
There are no errors in the log (other than the fact that I called a file by
the wrong name that you tried to access ;-)
can you recreate the problem on your own machine (we tried two [different]
Redhat machines, and both had the same problem).
1) /server-status directive on system with ip address restrictions, but no
Named Virtual Host -- WORKS (it is restricted)
2) server-status directive on system with ip address restrictions, and
NamedVirtualHost -- EVERYONE CAN GET AT /server-status
Scott
At 10:59 PM 7/10/02, you wrote:
>Nevermind, I found your site, and I can access your server-status page.
>How many times have you specified the server-status location in your
>config file? Are there any errors in the error log?
>
>Ryan
>
>----------------------------------------------
>Ryan Bloom rbb@covalent.net
>645 Howard St. rbb@apache.org
>San Francisco, CA
>
> > -----Original Message-----
> > From: Ryan Bloom [mailto:rbb@covalent.net]
> > Sent: Wednesday, July 10, 2002 10:55 PM
> > To: users@httpd.apache.org
> > Subject: RE: server-status, access commands and Named Virtual Hosts
> >
> > You filed this as a bug earlier today, but your proof was invalid.
>What
> > is your hostname so that I can check if I can get access to your
> > server-status page?
> >
> > Ryan
> >
> > ----------------------------------------------
> > Ryan Bloom rbb@covalent.net
> > 645 Howard St. rbb@apache.org
> > San Francisco, CA
> >
> > > -----Original Message-----
> > > From: Scott Brynen [mailto:scott@brynen.com]
> > > Sent: Wednesday, July 10, 2002 5:53 PM
> > > To: users@httpd.apache.org
> > > Subject: server-status, access commands and Named Virtual Hosts
> > >
> > > Has anyone else out there noticed that if you add the server-status
> > > handler, *AND* you're using named virtual hosts, the access commands
> > > aren't
> > > processed and everyone on the net can access your /server-status ?
> > >
> > > example from my httpd.conf
> > >
> > > <Location /server-status>
> > > SetHandler server-status
> > > order deny,allow
> > > Deny from all
> > > Allow from 192.168.0
> > > Allow from 24.65.162.171
> > > </Location>
> > >
> > > Yet my /server-status is available to everyone on the net!
> > >
> > >
> > >
> > >
> > > ---
> > > * Put your spare computer time to good use.. Help Dogbert crack
> > RC5-64
> > > * http://www.brynen.com/rc5.html
> > >
> > >
> > >
> > >
>---------------------------------------------------------------------
> > > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > > For additional commands, e-mail: users-help@httpd.apache.org
> >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > For additional commands, e-mail: users-help@httpd.apache.org
>
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>For additional commands, e-mail: users-help@httpd.apache.org
---
* Put your spare computer time to good use.. Help Dogbert crack RC5-64
* http://www.brynen.com/rc5.html
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
RE: server-status, access commands and Named Virtual Hosts
Posted by Ryan Bloom <rb...@covalent.net>.
Nevermind, I found your site, and I can access your server-status page.
How many times have you specified the server-status location in your
config file? Are there any errors in the error log?
Ryan
----------------------------------------------
Ryan Bloom rbb@covalent.net
645 Howard St. rbb@apache.org
San Francisco, CA
> -----Original Message-----
> From: Ryan Bloom [mailto:rbb@covalent.net]
> Sent: Wednesday, July 10, 2002 10:55 PM
> To: users@httpd.apache.org
> Subject: RE: server-status, access commands and Named Virtual Hosts
>
> You filed this as a bug earlier today, but your proof was invalid.
What
> is your hostname so that I can check if I can get access to your
> server-status page?
>
> Ryan
>
> ----------------------------------------------
> Ryan Bloom rbb@covalent.net
> 645 Howard St. rbb@apache.org
> San Francisco, CA
>
> > -----Original Message-----
> > From: Scott Brynen [mailto:scott@brynen.com]
> > Sent: Wednesday, July 10, 2002 5:53 PM
> > To: users@httpd.apache.org
> > Subject: server-status, access commands and Named Virtual Hosts
> >
> > Has anyone else out there noticed that if you add the server-status
> > handler, *AND* you're using named virtual hosts, the access commands
> > aren't
> > processed and everyone on the net can access your /server-status ?
> >
> > example from my httpd.conf
> >
> > <Location /server-status>
> > SetHandler server-status
> > order deny,allow
> > Deny from all
> > Allow from 192.168.0
> > Allow from 24.65.162.171
> > </Location>
> >
> > Yet my /server-status is available to everyone on the net!
> >
> >
> >
> >
> > ---
> > * Put your spare computer time to good use.. Help Dogbert crack
> RC5-64
> > * http://www.brynen.com/rc5.html
> >
> >
> >
> >
---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > For additional commands, e-mail: users-help@httpd.apache.org
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
RE: server-status, access commands and Named Virtual Hosts
Posted by Ryan Bloom <rb...@covalent.net>.
You filed this as a bug earlier today, but your proof was invalid. What
is your hostname so that I can check if I can get access to your
server-status page?
Ryan
----------------------------------------------
Ryan Bloom rbb@covalent.net
645 Howard St. rbb@apache.org
San Francisco, CA
> -----Original Message-----
> From: Scott Brynen [mailto:scott@brynen.com]
> Sent: Wednesday, July 10, 2002 5:53 PM
> To: users@httpd.apache.org
> Subject: server-status, access commands and Named Virtual Hosts
>
> Has anyone else out there noticed that if you add the server-status
> handler, *AND* you're using named virtual hosts, the access commands
> aren't
> processed and everyone on the net can access your /server-status ?
>
> example from my httpd.conf
>
> <Location /server-status>
> SetHandler server-status
> order deny,allow
> Deny from all
> Allow from 192.168.0
> Allow from 24.65.162.171
> </Location>
>
> Yet my /server-status is available to everyone on the net!
>
>
>
>
> ---
> * Put your spare computer time to good use.. Help Dogbert crack
RC5-64
> * http://www.brynen.com/rc5.html
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org