httpd-dev mailing list archives

From "William A. Rowe Jr." <>
Subject Re: server-status and privacy
Date Wed, 23 Jun 2010 16:09:51 GMT
On 6/23/2010 10:49 AM, Jim Jagielski wrote:
> On Jun 21, 2010, at 1:07 PM, Jeff Trawick wrote:
>> On Mon, Jun 21, 2010 at 8:40 AM, Jim Jagielski <> wrote:
>>> There have been a few reports regarding how server-status "leaks"
>>> info, mostly about our (the ASF's) open use of server-status and
>>> how IP addresses are exposed.
>>> I'm thinking about a patch that adjusts server-status/mod_status
>>> to have a "public vs. private" setting... Public would be to
>>> have IP addresses exposed as public info; private would be to
>>> not expose 'em (keep 'em private).
>> use mod_sed or similar on to change the client IP address
>> field to "?"
> True... so I'm guessing this means that the patch would
> be unacceptable?

If it's an obfuscation (truncated hash of IP?) that lets the admin/users
see that one individual is tying up 10 connections, I don't think it's
a bad idea to patch (mod_sed isn't going to do that effectively).  +/-0
on patching to disable the field entirely.
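
The obfuscation suggested in this message, sketched as an added example; it is not part of the original thread and is not mod_status code. It substitutes a keyed hash (HMAC-SHA256 with a per-server secret) for a plain truncated hash, because an unkeyed hash of an IPv4 address can be reversed by enumerating the address space. The names `client_token`, `busy_clients` and `SECRET`, and the sample rows, are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
from collections import Counter

# Assumption: a per-server secret generated at startup (e.g. os.urandom(32)).
# Fixed here only so the example is reproducible.
SECRET = b"constructed-demo-key-not-for-production"


def client_token(ip, key=SECRET, hex_chars=8):
    """Return a truncated keyed hash that stands in for a client address."""
    # Normalise first so equivalent spellings of one address share a token.
    canonical = ipaddress.ip_address(ip.strip()).compressed.encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()[:hex_chars]


def busy_clients(rows, threshold, key=SECRET):
    """Count connections per token; return tokens at or above threshold."""
    counts = Counter(client_token(ip, key) for ip, _request in rows)
    return {tok: n for tok, n in counts.items() if n >= threshold}


# Constructed sample: (client, request) pairs as a status page might list them.
# Addresses come from the documentation ranges (RFC 5737 / RFC 3849).
ROWS = [("192.0.2.10", "GET /download/big.iso")] * 10 + [
    ("198.51.100.7", "GET /index.html"),
    ("2001:db8::1", "GET /"),
    ("2001:0db8:0000:0000:0000:0000:0000:0001", "GET /favicon.ico"),
]

if __name__ == "__main__":
    # The reader sees opaque tokens, yet one client holding 10 slots stands out.
    for tok, n in busy_clients(ROWS, threshold=2).items():
        print(f"client {tok}: {n} connections")
```

Rotating the secret (for example at each restart) breaks linkability of tokens across periods, while the per-client connection count within a period stays visible.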
