Posted to cvs@httpd.apache.org by pq...@apache.org on 2004/09/04 03:38:24 UTC

cvs commit: httpd-2.0/docs/manual/mod mod_info.xml mod_info.html.en

pquerna     2004/09/03 18:38:24

  Modified:    docs/manual/mod mod_info.xml mod_info.html.en
  Log:
  updated mod_info to include docs on the different arguments it can take.
  Submitted By: Rici Lake
  
  Revision  Changes    Path
  1.17      +87 -36    httpd-2.0/docs/manual/mod/mod_info.xml
  
  Index: mod_info.xml
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/docs/manual/mod/mod_info.xml,v
  retrieving revision 1.16
  retrieving revision 1.17
  diff -u -r1.16 -r1.17
  --- mod_info.xml	17 Apr 2004 10:49:22 -0000	1.16
  +++ mod_info.xml	4 Sep 2004 01:38:24 -0000	1.17
  @@ -40,42 +40,94 @@
         </Location>
       </example>
   
  -    <p>You may wish to add a 
  -    <directive type="section" module="core">Limit</directive> 
  -    clause inside the 
  -    <directive type="section" module="core">Location</directive>
  -    directive to limit access to your server configuration 
  -    information.</p>
  -
       <p>Once configured, the server information is obtained by
       accessing <code>http://your.host.dom/server-info</code></p>
  -
  -    <note>
  -      Note that the configuration files are read by the
  -      module at run-time, and therefore the display may
  -      <em>not</em> reflect the running server's active
  -      configuration if the files have been changed since the server
  -      was last reloaded. Also, the configuration files must be
  -      readable by the user as which the server is running (see the
  -      <directive module="mpm_common">User</directive> directive), or
  -      else the directive settings will not be listed.
  -
  -      <p>It should also be noted that if
  -      <module>mod_info</module> is compiled into the server, its
  -      handler capability is available in <em>all</em> configuration
  -      files, including per-directory files (<em>e.g.</em>,
  -      <code>.htaccess</code>). This may have security-related
  -      ramifications for your site.</p>
  -
  -      <p>In particular, this module can leak sensitive information
  -      from the configuration directives of other Apache modules such as
  -      system paths, usernames/passwords, database names, etc.  Due to
  -      the way this module works there is no way to block information
  -      from it.  Therefore, this module should <strong>only</strong> be
  -      used in a controlled environment and always with caution.</p>
  -    </note>
   </summary>
   
  +<section id="security"><title>Security Issues</title>
  +    <p>Once <module>mod_info</module> is loaded into the server, its
  +    handler capability is available in <em>all</em> configuration
  +    files, including per-directory files (<em>e.g.</em>,
  +    <code>.htaccess</code>). This may have security-related
  +    ramifications for your site.</p>
  +
  +    <p>In particular, this module can leak sensitive information
  +    from the configuration directives of other Apache modules such as
  +    system paths, usernames/passwords, database names, etc. Therefore,
  +    this module should <strong>only</strong> be
  +    used in a controlled environment and always with caution.</p>
  +
  +    <p>You will probably want to use <module>mod_access</module> 
  +    to limit access to your server configuration information.</p>
  +      
  +    <example><title>Access control</title>
  +      &lt;Location /server-info&gt;<br />
  +      <indent>
  +        SetHandler server-info<br />
  +        Order allow,deny
  +        # Allow access from server itself
  +        Allow from 127.0.0.1
  +        # Additionally, allow access from local workstation
  +        Allow from 192.168.1.17
  +      </indent>
  +      &lt;/Location&gt;
  +    </example>
  +</section>
  +
  +<section id="queries"><title>Selecting the information shown</title>
  +    <p>By default, the server information includes a list of
  +    all enabled modules, and for each module, a description of
  +    the directives understood by that module, the hooks implemented
  +    by that module, and the relevant directives from the current
  +    configuration.</p>
  +    
  +    <p>Other views of the configuration information are available by
  +    appending a query to the <code>server-info</code> request. For
  +    example, <code>http://your.host.dom/server-info?config</code>
  +    will show all configuration directives.</p>
  +    
  +    <dl>
  +        <dt><code>?&lt;module-name&gt;</code></dt>
  +            <dd>Only information relevant to the named module</dd>
  +        <dt><code>?config</code></dt>
  +            <dd>Just the configuration directives, not sorted by module</dd>
  +        <dt><code>?list</code></dt>
  +            <dd>Only a simple list of enabled modules</dd>
  +        <dt><code>?server</code></dt>
  +            <dd>Only the basic server information</dd>
  +    </dl>
  +</section>
  +
  +<section id="limitations"><title>Known Limitations</title>
  +    <p><module>mod_info</module> provides its information by reading the
  +    parsed configuration, rather than reading the original configuration
  +    file. There are a few limitations as a result of the way the parsed
  +    configuration tree is created:</p>
  +    <ul>
  +      <li>Directives which are executed immediately rather than being
  +          stored in the parsed configuration are not listed. These include
  +          <directive module="core">ServerRoot</directive>,
  +          <directive module="mod_so">LoadModule</directive>, and
  +          <directive module="mod_so">LoadFile</directive>.</li>
  +      <li>Directives which control the configuration file itself, such as
  +          <directive module="core">Include</directive>,
  +          <directive module="core">&lt;IfModule&gt;</directive> and
  +          <directive module="core">&lt;IfDefine&gt;</directive> are not
  +          listed, but the included configuration directives are.</li>
  +      <li>Comments are not listed. (This may be considered a feature.)</li>
  +      <li>Configuration directives from <code>.htaccess</code> files are
  +          not listed (since they do not form part of the permanent server
  +          configuration).</li>
  +      <li>Container directives such as
  +          <directive module="core">&lt;Directory&gt;</directive>
  +          are listed normally, but <module>mod_info</module> cannot figure
  +          out the line number for the closing
  +          <directive module="core">&lt;/Directory&gt;</directive>.</li>
  +      <li>Directives generated by third party modules such as <module>mod_perl</module>
  +          might not be listed.</li>
  +    </ul>
  +</section>
  +
   <directivesynopsis>
   <name>AddModuleInfo</name>
   <description>Adds additional information to the module
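Review bot: In the new "Access control" example, the lines from "Order allow,deny" through "Allow from 192.168.1.17" carry no <br />, unlike "&lt;Location /server-info&gt;<br />" and "SetHandler server-info<br />" just above them. The rendered example will therefore run the Order directive, both comments and both Allow lines together on a single line. This is the snippet readers will copy to restrict /server-info, so each of those five lines should end with <br /> so that the directives and comments render one per line.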
  @@ -93,12 +145,11 @@
       <example>
         AddModuleInfo mod_deflate.c 'See &lt;a \<br />
         <indent>
  -      href="http://www.apache.org/docs-2.1/mod/mod_deflate.html"&gt;\<br />
  -      http://www.apache.org/docs-2.1/mod/mod_deflate.html&lt;/a&gt;'
  +        href="http://www.apache.org/docs-2.1/mod/mod_deflate.html"&gt;\<br />
  +        http://www.apache.org/docs-2.1/mod/mod_deflate.html&lt;/a&gt;'
         </indent>
       </example>
   </usage>
   
   </directivesynopsis>
   </modulesynopsis>
  -
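Review bot: The two changed lines in the AddModuleInfo example differ only in leading whitespace, and the final removed line is a trailing blank line; neither relates to the log message about documenting the arguments mod_info can take. Consider committing whitespace cleanup separately, or mentioning it in the log, so the documentation change stays easy to review.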
  
  
  
  1.28      +92 -35    httpd-2.0/docs/manual/mod/mod_info.html.en
  
  Index: mod_info.html.en
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/docs/manual/mod/mod_info.html.en,v
  retrieving revision 1.27
  retrieving revision 1.28
  diff -u -r1.27 -r1.28
  --- mod_info.html.en	21 Feb 2004 00:31:36 -0000	1.27
  +++ mod_info.html.en	4 Sep 2004 01:38:24 -0000	1.28
  @@ -42,47 +42,104 @@
         &lt;/Location&gt;
       </code></p></div>
   
  -    <p>You may wish to add a 
  -    <code class="directive"><a href="../mod/core.html#limit">&lt;Limit&gt;</a></code> 
  -    clause inside the 
  -    <code class="directive"><a href="../mod/core.html#location">&lt;Location&gt;</a></code>
  -    directive to limit access to your server configuration 
  -    information.</p>
  -
       <p>Once configured, the server information is obtained by
       accessing <code>http://your.host.dom/server-info</code></p>
  -
  -    <div class="note">
  -      Note that the configuration files are read by the
  -      module at run-time, and therefore the display may
  -      <em>not</em> reflect the running server's active
  -      configuration if the files have been changed since the server
  -      was last reloaded. Also, the configuration files must be
  -      readable by the user as which the server is running (see the
  -      <code class="directive"><a href="../mod/mpm_common.html#user">User</a></code> directive), or
  -      else the directive settings will not be listed.
  -
  -      <p>It should also be noted that if
  -      <code class="module"><a href="../mod/mod_info.html">mod_info</a></code> is compiled into the server, its
  -      handler capability is available in <em>all</em> configuration
  -      files, including per-directory files (<em>e.g.</em>,
  -      <code>.htaccess</code>). This may have security-related
  -      ramifications for your site.</p>
  -
  -      <p>In particular, this module can leak sensitive information
  -      from the configuration directives of other Apache modules such as
  -      system paths, usernames/passwords, database names, etc.  Due to
  -      the way this module works there is no way to block information
  -      from it.  Therefore, this module should <strong>only</strong> be
  -      used in a controlled environment and always with caution.</p>
  -    </div>
   </div>
   <div id="quickview"><h3 class="directives">Directives</h3>
   <ul id="toc">
   <li><img alt="" src="../images/down.gif" /> <a href="#addmoduleinfo">AddModuleInfo</a></li>
   </ul>
  +<h3>Topics</h3>
  +<ul id="topics">
  +<li><img alt="" src="../images/down.gif" /> <a href="#security">Security Issues</a></li>
  +<li><img alt="" src="../images/down.gif" /> <a href="#queries">Selecting the information shown</a></li>
  +<li><img alt="" src="../images/down.gif" /> <a href="#limitations">Known Limitations</a></li>
  +</ul></div>
  +<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
  +<div class="section">
  +<h2><a name="security" id="security">Security Issues</a></h2>
  +    <p>Once <code class="module"><a href="../mod/mod_info.html">mod_info</a></code> is loaded into the server, its
  +    handler capability is available in <em>all</em> configuration
  +    files, including per-directory files (<em>e.g.</em>,
  +    <code>.htaccess</code>). This may have security-related
  +    ramifications for your site.</p>
  +
  +    <p>In particular, this module can leak sensitive information
  +    from the configuration directives of other Apache modules such as
  +    system paths, usernames/passwords, database names, etc. Therefore,
  +    this module should <strong>only</strong> be
  +    used in a controlled environment and always with caution.</p>
  +
  +    <p>You will probably want to use <code class="module"><a href="../mod/mod_access.html">mod_access</a></code> 
  +    to limit access to your server configuration information.</p>
  +      
  +    <div class="example"><h3>Access control</h3><p><code>
  +      &lt;Location /server-info&gt;<br />
  +      <span class="indent">
  +        SetHandler server-info<br />
  +        Order allow,deny
  +        # Allow access from server itself
  +        Allow from 127.0.0.1
  +        # Additionally, allow access from local workstation
  +        Allow from 192.168.1.17
  +      </span>
  +      &lt;/Location&gt;
  +    </code></p></div>
  +</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
  +<div class="section">
  +<h2><a name="queries" id="queries">Selecting the information shown</a></h2>
  +    <p>By default, the server information includes a list of
  +    all enabled modules, and for each module, a description of
  +    the directives understood by that module, the hooks implemented
  +    by that module, and the relevant directives from the current
  +    configuration.</p>
  +    
  +    <p>Other views of the configuration information are available by
  +    appending a query to the <code>server-info</code> request. For
  +    example, <code>http://your.host.dom/server-info?config</code>
  +    will show all configuration directives.</p>
  +    
  +    <dl>
  +        <dt><code>?&lt;module-name&gt;</code></dt>
  +            <dd>Only information relevant to the named module</dd>
  +        <dt><code>?config</code></dt>
  +            <dd>Just the configuration directives, not sorted by module</dd>
  +        <dt><code>?list</code></dt>
  +            <dd>Only a simple list of enabled modules</dd>
  +        <dt><code>?server</code></dt>
  +            <dd>Only the basic server information</dd>
  +    </dl>
  +</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
  +<div class="section">
  +<h2><a name="limitations" id="limitations">Known Limitations</a></h2>
  +    <p><code class="module"><a href="../mod/mod_info.html">mod_info</a></code> provides its information by reading the
  +    parsed configuration, rather than reading the original configuration
  +    file. There are a few limitations as a result of the way the parsed
  +    configuration tree is created:</p>
  +    <ul>
  +      <li>Directives which are executed immediately rather than being
  +          stored in the parsed configuration are not listed. These include
  +          <code class="directive"><a href="../mod/core.html#serverroot">ServerRoot</a></code>,
  +          <code class="directive"><a href="../mod/mod_so.html#loadmodule">LoadModule</a></code>, and
  +          <code class="directive"><a href="../mod/mod_so.html#loadfile">LoadFile</a></code>.</li>
  +      <li>Directives which control the configuration file itself, such as
  +          <code class="directive"><a href="../mod/core.html#include">Include</a></code>,
  +          <code class="directive"><a href="../mod/core.html#&lt;ifmodule&gt;">&lt;IfModule&gt;</a></code> and
  +          <code class="directive"><a href="../mod/core.html#&lt;ifdefine&gt;">&lt;IfDefine&gt;</a></code> are not
  +          listed, but the included configuration directives are.</li>
  +      <li>Comments are not listed. (This may be considered a feature.)</li>
  +      <li>Configuration directives from <code>.htaccess</code> files are
  +          not listed (since they do not form part of the permanent server
  +          configuration).</li>
  +      <li>Container directives such as
  +          <code class="directive"><a href="../mod/core.html#&lt;directory&gt;">&lt;Directory&gt;</a></code>
  +          are listed normally, but <code class="module"><a href="../mod/mod_info.html">mod_info</a></code> cannot figure
  +          out the line number for the closing
  +          <code class="directive"><a href="../mod/core.html#&lt;/directory&gt;">&lt;/Directory&gt;</a></code>.</li>
  +      <li>Directives generated by third party modules such as <code class="module"><a href="../mod/mod_perl.html">mod_perl</a></code>
  +          might not be listed.</li>
  +    </ul>
   </div>
  -
   <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
   <div class="directive-section"><h2><a name="AddModuleInfo" id="AddModuleInfo">AddModuleInfo</a> <a name="addmoduleinfo" id="addmoduleinfo">Directive</a></h2>
   <table class="directive">
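Review bot: In the Known Limitations list, the links for <IfModule>, <IfDefine>, <Directory> and </Directory> are generated with fragments such as "../mod/core.html#&lt;ifmodule&gt;" and "../mod/core.html#&lt;/directory&gt;", whereas the removed <Limit> and <Location> links pointed at "../mod/core.html#limit" and "../mod/core.html#location". The difference comes from mod_info.xml, where the new entries put the angle brackets inside <directive module="core"> instead of using the form the removed lines used, <directive type="section" module="core">Limit</directive>. Switching the new entries to that form and regenerating should give working anchors; the closing </Directory> reference is probably better as plain <code> text than as a directive link.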
  @@ -101,8 +158,8 @@
       <div class="example"><p><code>
         AddModuleInfo mod_deflate.c 'See &lt;a \<br />
         <span class="indent">
  -      href="http://www.apache.org/docs-2.1/mod/mod_deflate.html"&gt;\<br />
  -      http://www.apache.org/docs-2.1/mod/mod_deflate.html&lt;/a&gt;'
  +        href="http://www.apache.org/docs-2.1/mod/mod_deflate.html"&gt;\<br />
  +        http://www.apache.org/docs-2.1/mod/mod_deflate.html&lt;/a&gt;'
         </span>
       </code></p></div>