httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From pque...@apache.org
Subject cvs commit: httpd-2.0/docs/manual/mod mod_info.xml mod_info.html.en
Date Sat, 04 Sep 2004 01:38:24 GMT
pquerna     2004/09/03 18:38:24

  Modified:    docs/manual/mod mod_info.xml mod_info.html.en
  Log:
  updated mod_info to include docs on the different arguments it can take.
  Submitted By: Rici Lake
  
  Revision  Changes    Path
  1.17      +87 -36    httpd-2.0/docs/manual/mod/mod_info.xml
  
  Index: mod_info.xml
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/docs/manual/mod/mod_info.xml,v
  retrieving revision 1.16
  retrieving revision 1.17
  diff -u -r1.16 -r1.17
  --- mod_info.xml	17 Apr 2004 10:49:22 -0000	1.16
  +++ mod_info.xml	4 Sep 2004 01:38:24 -0000	1.17
  @@ -40,42 +40,94 @@
         </Location>
       </example>
   
  -    <p>You may wish to add a 
  -    <directive type="section" module="core">Limit</directive> 
  -    clause inside the 
  -    <directive type="section" module="core">Location</directive>
  -    directive to limit access to your server configuration 
  -    information.</p>
  -
       <p>Once configured, the server information is obtained by
       accessing <code>http://your.host.dom/server-info</code></p>
  -
  -    <note>
  -      Note that the configuration files are read by the
  -      module at run-time, and therefore the display may
  -      <em>not</em> reflect the running server's active
  -      configuration if the files have been changed since the server
  -      was last reloaded. Also, the configuration files must be
  -      readable by the user as which the server is running (see the
  -      <directive module="mpm_common">User</directive> directive), or
  -      else the directive settings will not be listed.
  -
  -      <p>It should also be noted that if
  -      <module>mod_info</module> is compiled into the server, its
  -      handler capability is available in <em>all</em> configuration
  -      files, including per-directory files (<em>e.g.</em>,
  -      <code>.htaccess</code>). This may have security-related
  -      ramifications for your site.</p>
  -
  -      <p>In particular, this module can leak sensitive information
  -      from the configuration directives of other Apache modules such as
  -      system paths, usernames/passwords, database names, etc.  Due to
  -      the way this module works there is no way to block information
  -      from it.  Therefore, this module should <strong>only</strong> be
  -      used in a controlled environment and always with caution.</p>
  -    </note>
   </summary>
   
  +<section id="security"><title>Security Issues</title>
  +    <p>Once <module>mod_info</module> is loaded into the server, its
  +    handler capability is available in <em>all</em> configuration
  +    files, including per-directory files (<em>e.g.</em>,
  +    <code>.htaccess</code>). This may have security-related
  +    ramifications for your site.</p>
  +
  +    <p>In particular, this module can leak sensitive information
  +    from the configuration directives of other Apache modules such as
  +    system paths, usernames/passwords, database names, etc. Therefore,
  +    this module should <strong>only</strong> be
  +    used in a controlled environment and always with caution.</p>
  +
  +    <p>You will probably want to use <module>mod_access</module> 
  +    to limit access to your server configuration information.</p>
  +      
  +    <example><title>Access control</title>
  +      &lt;Location /server-info&gt;<br />
  +      <indent>
  +        SetHandler server-info<br />
  +        Order allow,deny
  +        # Allow access from server itself
  +        Allow from 127.0.0.1
  +        # Additionally, allow access from local workstation
  +        Allow from 192.168.1.17
  +      </indent>
  +      &lt;/Location&gt;
  +    </example>
  +</section>
  +
  +<section id="queries"><title>Selecting the information shown</title>
  +    <p>By default, the server information includes a list of
  +    all enabled modules, and for each module, a description of
  +    the directives understood by that module, the hooks implemented
  +    by that module, and the relevant directives from the current
  +    configuration.</p>
  +    
  +    <p>Other views of the configuration information are available by
  +    appending a query to the <code>server-info</code> request. For
  +    example, <code>http://your.host.dom/server-info?config</code>
  +    will show all configuration directives.</p>
  +    
  +    <dl>
  +        <dt><code>?&lt;module-name&gt;</code></dt>
  +            <dd>Only information relevant to the named module</dd>
  +        <dt><code>?config</code></dt>
  +            <dd>Just the configuration directives, not sorted by module</dd>
  +        <dt><code>?list</code></dt>
  +            <dd>Only a simple list of enabled modules</dd>
  +        <dt><code>?server</code></dt>
  +            <dd>Only the basic server information</dd>
  +    </dl>
  +</section>
  +
  +<section id="limitations"><title>Known Limitations</title>
  +    <p><module>mod_info</module> provides its information by reading
the
  +    parsed configuration, rather than reading the original configuration
  +    file. There are a few limitations as a result of the way the parsed
  +    configuration tree is created:</p>
  +    <ul>
  +      <li>Directives which are executed immediately rather than being
  +          stored in the parsed configuration are not listed. These include
  +          <directive module="core">ServerRoot</directive>,
  +          <directive module="mod_so">LoadModule</directive>, and
  +          <directive module="mod_so">LoadFile</directive>.</li>
  +      <li>Directives which control the configuration file itself, such as
  +          <directive module="core">Include</directive>,
  +          <directive module="core">&lt;IfModule&gt;</directive> and
  +          <directive module="core">&lt;IfDefine&gt;</directive> are
not
  +          listed, but the included configuration directives are.</li>
  +      <li>Comments are not listed. (This may be considered a feature.)</li>
  +      <li>Configuration directives from <code>.htaccess</code> files
are
  +          not listed (since they do not form part of the permanent server
  +          configuration).</li>
  +      <li>Container directives such as
  +          <directive module="core">&lt;Directory&gt;</directive>
  +          are listed normally, but <module>mod_info</module> cannot figure
  +          out the line number for the closing
  +          <directive module="core">&lt;/Directory&gt;</directive>.</li>
  +      <li>Directives generated by third party modules such as <module>mod_perl</module>
  +          might not be listed.</li>
  +    </ul>
  +</section>
  +
   <directivesynopsis>
   <name>AddModuleInfo</name>
   <description>Adds additional information to the module
  @@ -93,12 +145,11 @@
       <example>
         AddModuleInfo mod_deflate.c 'See &lt;a \<br />
         <indent>
  -      href="http://www.apache.org/docs-2.1/mod/mod_deflate.html"&gt;\<br />
  -      http://www.apache.org/docs-2.1/mod/mod_deflate.html&lt;/a&gt;'
  +        href="http://www.apache.org/docs-2.1/mod/mod_deflate.html"&gt;\<br />
  +        http://www.apache.org/docs-2.1/mod/mod_deflate.html&lt;/a&gt;'
         </indent>
       </example>
   </usage>
   
   </directivesynopsis>
   </modulesynopsis>
  -
  
  
  
  1.28      +92 -35    httpd-2.0/docs/manual/mod/mod_info.html.en
  
  Index: mod_info.html.en
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/docs/manual/mod/mod_info.html.en,v
  retrieving revision 1.27
  retrieving revision 1.28
  diff -u -r1.27 -r1.28
  --- mod_info.html.en	21 Feb 2004 00:31:36 -0000	1.27
  +++ mod_info.html.en	4 Sep 2004 01:38:24 -0000	1.28
  @@ -42,47 +42,104 @@
         &lt;/Location&gt;
       </code></p></div>
   
  -    <p>You may wish to add a 
  -    <code class="directive"><a href="../mod/core.html#limit">&lt;Limit&gt;</a></code>

  -    clause inside the 
  -    <code class="directive"><a href="../mod/core.html#location">&lt;Location&gt;</a></code>
  -    directive to limit access to your server configuration 
  -    information.</p>
  -
       <p>Once configured, the server information is obtained by
       accessing <code>http://your.host.dom/server-info</code></p>
  -
  -    <div class="note">
  -      Note that the configuration files are read by the
  -      module at run-time, and therefore the display may
  -      <em>not</em> reflect the running server's active
  -      configuration if the files have been changed since the server
  -      was last reloaded. Also, the configuration files must be
  -      readable by the user as which the server is running (see the
  -      <code class="directive"><a href="../mod/mpm_common.html#user">User</a></code>
directive), or
  -      else the directive settings will not be listed.
  -
  -      <p>It should also be noted that if
  -      <code class="module"><a href="../mod/mod_info.html">mod_info</a></code>
is compiled into the server, its
  -      handler capability is available in <em>all</em> configuration
  -      files, including per-directory files (<em>e.g.</em>,
  -      <code>.htaccess</code>). This may have security-related
  -      ramifications for your site.</p>
  -
  -      <p>In particular, this module can leak sensitive information
  -      from the configuration directives of other Apache modules such as
  -      system paths, usernames/passwords, database names, etc.  Due to
  -      the way this module works there is no way to block information
  -      from it.  Therefore, this module should <strong>only</strong> be
  -      used in a controlled environment and always with caution.</p>
  -    </div>
   </div>
   <div id="quickview"><h3 class="directives">Directives</h3>
   <ul id="toc">
   <li><img alt="" src="../images/down.gif" /> <a href="#addmoduleinfo">AddModuleInfo</a></li>
   </ul>
  +<h3>Topics</h3>
  +<ul id="topics">
  +<li><img alt="" src="../images/down.gif" /> <a href="#security">Security
Issues</a></li>
  +<li><img alt="" src="../images/down.gif" /> <a href="#queries">Selecting
the information shown</a></li>
  +<li><img alt="" src="../images/down.gif" /> <a href="#limitations">Known
Limitations</a></li>
  +</ul></div>
  +<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif"
/></a></div>
  +<div class="section">
  +<h2><a name="security" id="security">Security Issues</a></h2>
  +    <p>Once <code class="module"><a href="../mod/mod_info.html">mod_info</a></code>
is loaded into the server, its
  +    handler capability is available in <em>all</em> configuration
  +    files, including per-directory files (<em>e.g.</em>,
  +    <code>.htaccess</code>). This may have security-related
  +    ramifications for your site.</p>
  +
  +    <p>In particular, this module can leak sensitive information
  +    from the configuration directives of other Apache modules such as
  +    system paths, usernames/passwords, database names, etc. Therefore,
  +    this module should <strong>only</strong> be
  +    used in a controlled environment and always with caution.</p>
  +
  +    <p>You will probably want to use <code class="module"><a href="../mod/mod_access.html">mod_access</a></code>

  +    to limit access to your server configuration information.</p>
  +      
  +    <div class="example"><h3>Access control</h3><p><code>
  +      &lt;Location /server-info&gt;<br />
  +      <span class="indent">
  +        SetHandler server-info<br />
  +        Order allow,deny
  +        # Allow access from server itself
  +        Allow from 127.0.0.1
  +        # Additionally, allow access from local workstation
  +        Allow from 192.168.1.17
  +      </span>
  +      &lt;/Location&gt;
  +    </code></p></div>
  +</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif"
/></a></div>
  +<div class="section">
  +<h2><a name="queries" id="queries">Selecting the information shown</a></h2>
  +    <p>By default, the server information includes a list of
  +    all enabled modules, and for each module, a description of
  +    the directives understood by that module, the hooks implemented
  +    by that module, and the relevant directives from the current
  +    configuration.</p>
  +    
  +    <p>Other views of the configuration information are available by
  +    appending a query to the <code>server-info</code> request. For
  +    example, <code>http://your.host.dom/server-info?config</code>
  +    will show all configuration directives.</p>
  +    
  +    <dl>
  +        <dt><code>?&lt;module-name&gt;</code></dt>
  +            <dd>Only information relevant to the named module</dd>
  +        <dt><code>?config</code></dt>
  +            <dd>Just the configuration directives, not sorted by module</dd>
  +        <dt><code>?list</code></dt>
  +            <dd>Only a simple list of enabled modules</dd>
  +        <dt><code>?server</code></dt>
  +            <dd>Only the basic server information</dd>
  +    </dl>
  +</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif"
/></a></div>
  +<div class="section">
  +<h2><a name="limitations" id="limitations">Known Limitations</a></h2>
  +    <p><code class="module"><a href="../mod/mod_info.html">mod_info</a></code>
provides its information by reading the
  +    parsed configuration, rather than reading the original configuration
  +    file. There are a few limitations as a result of the way the parsed
  +    configuration tree is created:</p>
  +    <ul>
  +      <li>Directives which are executed immediately rather than being
  +          stored in the parsed configuration are not listed. These include
  +          <code class="directive"><a href="../mod/core.html#serverroot">ServerRoot</a></code>,
  +          <code class="directive"><a href="../mod/mod_so.html#loadmodule">LoadModule</a></code>,
and
  +          <code class="directive"><a href="../mod/mod_so.html#loadfile">LoadFile</a></code>.</li>
  +      <li>Directives which control the configuration file itself, such as
  +          <code class="directive"><a href="../mod/core.html#include">Include</a></code>,
  +          <code class="directive"><a href="../mod/core.html#&lt;ifmodule&gt;">&lt;IfModule&gt;</a></code>
and
  +          <code class="directive"><a href="../mod/core.html#&lt;ifdefine&gt;">&lt;IfDefine&gt;</a></code>
are not
  +          listed, but the included configuration directives are.</li>
  +      <li>Comments are not listed. (This may be considered a feature.)</li>
  +      <li>Configuration directives from <code>.htaccess</code> files
are
  +          not listed (since they do not form part of the permanent server
  +          configuration).</li>
  +      <li>Container directives such as
  +          <code class="directive"><a href="../mod/core.html#&lt;directory&gt;">&lt;Directory&gt;</a></code>
  +          are listed normally, but <code class="module"><a href="../mod/mod_info.html">mod_info</a></code>
cannot figure
  +          out the line number for the closing
  +          <code class="directive"><a href="../mod/core.html#&lt;/directory&gt;">&lt;/Directory&gt;</a></code>.</li>
  +      <li>Directives generated by third party modules such as <code class="module"><a
href="../mod/mod_perl.html">mod_perl</a></code>
  +          might not be listed.</li>
  +    </ul>
   </div>
  -
   <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif"
/></a></div>
   <div class="directive-section"><h2><a name="AddModuleInfo" id="AddModuleInfo">AddModuleInfo</a>
<a name="addmoduleinfo" id="addmoduleinfo">Directive</a></h2>
   <table class="directive">
  @@ -101,8 +158,8 @@
       <div class="example"><p><code>
         AddModuleInfo mod_deflate.c 'See &lt;a \<br />
         <span class="indent">
  -      href="http://www.apache.org/docs-2.1/mod/mod_deflate.html"&gt;\<br />
  -      http://www.apache.org/docs-2.1/mod/mod_deflate.html&lt;/a&gt;'
  +        href="http://www.apache.org/docs-2.1/mod/mod_deflate.html"&gt;\<br />
  +        http://www.apache.org/docs-2.1/mod/mod_deflate.html&lt;/a&gt;'
         </span>
       </code></p></div>
   
  
  
  

Mime
View raw message