mod_status and not displaying the password in request

[Jim Jagielski <ji...@jaguNET.com>]

I'm working on a little patch that basically adds request_rec to the score-
board and enhances and speeds up things a bit.

Right now, the server status report will not display the password in
the request. I can certainly understand why. However, one big use of
the server status is to actually do some debugging and to actually
SEE what Apache is doing. To my mind, it makes "more sense" that
the status display should not edit out information... it's quite
possible that people want to see the exact request requested.

I'd really like to avoid Yet Another runtime directive that controls
this, but I think this capability should be the default. After all,
there is "lots" of sensitive data presented in the server-status
display, and no one should really be allowing the world to see what's
going on.

Comments?
-- 
===========================================================================
   Jim Jagielski   |||   jim@jaguNET.com   |||   http://www.jaguNET.com/
            "That's no ordinary rabbit... that's the most foul,
            cruel and bad-tempered rodent you ever laid eyes on"

Re: mod_status and not displaying the password in request

[Jim Jagielski <ji...@jaguNET.com>]

>
>On a similar note I changed the output of the status module for Stronghold
>so that it looked nicer by using a table with some background colours and
>font size changes.  I've attached an example of it (with lots of lines
>removed to protect privacy :)).  I don't want to start a style-war but I'd
>like to see it in the main Apache.
>

I've always like the stronghold output and would +1 those style changes :)
--
Jim Jagielski  << jim@jaguNET.com >>  |  http://www.jaguNET.com/
    j a g u N E T   A c c e s s   S e r v i c e s,   L L C
       "Ah! I see you have the machine that goes Bing!"

Re: mod_status and not displaying the password in request

[Mark J Cox <ma...@awe.com>]

> I'd really like to avoid Yet Another runtime directive that controls
> this, but I think this capability should be the default. After all,
> there is "lots" of sensitive data presented in the server-status
> display, and no one should really be allowing the world to see what's
> going on.

A long time ago I wrote an extension to mod_status so that you could
choose which columns you wanted to be displayed with a directive (in a
similar way to the custom logging directives).  I can't find it right now
but it wasn't difficult to implement and with the possibility of having
many more potential columns might be worth redoing.

On a similar note I changed the output of the status module for Stronghold
so that it looked nicer by using a table with some background colours and
font size changes.  I've attached an example of it (with lots of lines
removed to protect privacy :)).  I don't want to start a style-war but I'd
like to see it in the main Apache.

Mark

Re: mod_status and not displaying the password in request

[Rasmus Lerdorf <ra...@lerdorf.on.ca>]

> I'd really like to avoid Yet Another runtime directive that controls
> this, but I think this capability should be the default. After all,
> there is "lots" of sensitive data presented in the server-status
> display, and no one should really be allowing the world to see what's
> going on.

What other sensitive information is there?  

-Rasmus