httpd-dev mailing list archives

From Rainer Jung <rainer.j...@kippdata.de>
Subject Re: server-status and privacy
Date Mon, 21 Jun 2010 13:21:28 GMT
On 21.06.2010 14:40, Jim Jagielski wrote:
> There have been a few reports regarding how server-status "leaks"
> info, mostly about our (the ASF's) open use of server-status and
> how IP addresses are exposed.
>
> I'm thinking about a patch that adjusts server-status/mod_status
> to have a "public vs. private" setting... Public would be to
> have IP addresses exposed as public info; private would be to
> not expose 'em (keep 'em private).
>
> Comments?

Seems necessary according to privacy laws in various countries.

What about the request URL and the VHost name? Neither is necessarily 
publicly known information, i.e. you could "leak" which URLs and 
VHosts exist. More of a security than a privacy issue, though.

Finally, an attacker can derive the MPM sizing and check the 
effectiveness of DoS attacks from the server status, but I guess admins 
afraid of that will never (publicly) enable the server status.

So IMHO: w.r.t. privacy, removing the client IP is good and might even 
be necessary for admins who only want to provide the server status to a 
restricted group of users.

Optionally removing VHost and URL might allow more admins to make the 
server status available to an even bigger group of people, but if there 
are only two choices, full data and restricted data, I would prefer them 
to be still shown even in the restricted mode.

Regards,

Rainer
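As an added illustration of the two configurations the thread contrasts (this is not code from the thread or from the httpd project), the fragments below show a "public" server-status that exposes per-request details next to a "private" one that withholds them and is reachable only from an admin network. They use the httpd 2.4 authorization syntax (Require); in the 2.2 era of this discussion the same restriction was written with Order/Allow/Deny. The 192.0.2.0/24 range is a placeholder assumption for the admins' network; pick one of the two variants, since ExtendedStatus is server-wide and the later Location block would override the earlier one.

```apache
# Added example, not part of the original thread. Assumes httpd 2.4
# authorization syntax; 192.0.2.0/24 is a placeholder admin network.

# Variant 1: the "public" setup. Anyone can read /server-status, and with
# ExtendedStatus On every worker row lists client IP, VHost and request URL.
ExtendedStatus On
<Location "/server-status">
    SetHandler server-status
    Require all granted
</Location>

# Variant 2: the "private" setup. ExtendedStatus Off drops the per-worker
# table (and with it the Client, VHost and Request columns); the IP
# restriction keeps the remaining scoreboard, which still reveals MPM
# sizing and load, away from the public.
ExtendedStatus Off
<Location "/server-status">
    SetHandler server-status
    Require ip 192.0.2.0/24
</Location>
```

ExtendedStatus Off alone is not a privacy fix for a public page: the scoreboard key and worker states remain visible, which is exactly the sizing and DoS-effect information the message above mentions, so the access restriction is the part that actually limits the audience. The same applies to the machine-readable ?auto view, which the Location block covers as well.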
