You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Hajo Locke <ha...@gmx.de> on 2012/03/05 14:32:44 UTC
[users@httpd] mod_status, disable server-status for users
Hello List,
ist there any possibility to hide server-status page provided by mod-status
for my users?
every user with .htaccess is able to use sethandler and able to view
complete status.
how to disable this?
Thanks,
Hajo
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] mod_status, disable server-status for users
Posted by Hajo Locke <ha...@gmx.de>.
hello,
> I'm afraid the only way to disable this is to disable mod_status.
> I don't know of any other way and I that's why I don't use mod_status.
which module you are using? i cant renounce to view a statuspage of my
server.
Thanks,
Hans
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] mod_status, disable server-status for users
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 05.03.12 14:32, Hajo Locke wrote:
>ist there any possibility to hide server-status page provided by
>mod-status for my users?
>every user with .htaccess is able to use sethandler and able to view
>complete status.
I'm afraid the only way to disable this is to disable mod_status.
I don't know of any other way and I that's why I don't use mod_status.
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux is like a teepee: no Windows, no Gates and an apache inside...
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] mod_status, disable server-status for users
Posted by Mark Montague <ma...@catseye.org>.
On March 5, 2012 8:32 , "Hajo Locke" <ha...@gmx.de> wrote:
> ist there any possibility to hide server-status page provided by
> mod-status for my users?
> every user with .htaccess is able to use sethandler and able to view
> complete status.
> how to disable this?
Disable mod_status, or turn off .htaccess files, or disable the
"FileInfo" override ("Options -FileInfo"), or don't give any access to
the filesystem to anyone who you don't trust with the power to use
.htaccess files.
The documentation warns about this problem:
https://httpd.apache.org/docs/2.2/mod/mod_status.html says,
> *It should be noted that if |mod_status
> <https://httpd.apache.org/docs/2.4/mod/mod_status.html>| is loaded
> into the server, its handler capability is available in /all/
> configuration files, including /per/-directory files (/e.g./,
> |.htaccess|). This may have security-related ramifications for your site.*
--
Mark Montague
mark@catseye.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org