httpd-dev mailing list archives

From "Plüm, Rüdiger, VF-Group" <ruediger.pl...@vodafone.com>
Subject RE: server-status and privacy
Date Thu, 24 Jun 2010 10:58:47 GMT
> -----Original Message-----
> From: Jeff Trawick 
> Sent: Wednesday, 23 June 2010 18:43
> To: dev@httpd.apache.org
> Subject: Re: server-status and privacy
> 
> On Wed, Jun 23, 2010 at 12:09 PM, William A. Rowe Jr.
> <wrowe@rowe-clan.net> wrote:
> > On 6/23/2010 10:49 AM, Jim Jagielski wrote:
> >>
> >> On Jun 21, 2010, at 1:07 PM, Jeff Trawick wrote:
> >>
> >>> On Mon, Jun 21, 2010 at 8:40 AM, Jim Jagielski <jim@jagunet.com> wrote:
> >>>> There have been a few reports regarding how server-status "leaks"
> >>>> info, mostly about our (the ASF's) open use of server-status and
> >>>> how IP addresses are exposed.
> >>>>
> >>>> I'm thinking about a patch that adjusts server-status/mod_status
> >>>> to have a "public vs. private" setting... Public would be to
> >>>> have IP addresses exposed as public info; private would be to
> >>>> not expose 'em (keep 'em private).
> >>>
> >>> use mod_sed or similar on apache.org to change the client IP address
> >>> field to "?"
> >>
> >> True... so I'm guessing this means that the patch would
> >> be unacceptable?
> >
> > If it's an obfuscation (truncated hash of IP?) that lets the admin/users
> > see that one individual has tying up 10 connections, I don't think it's
> > a bad idea to patch (mod_sed isn't going to do that effectively).  +/-0
> > on patching to disable the field entirely.
> >
> 
> admins can set up unobfuscated /server-status-foo with auth required;
> if they care about a single client IP tying up n connections, they
> want to see IP address too
> 
> nearly zero sites want a public server-status page with
> obfuscated/omitted client IP address; why write new code to handle
> that?
> 

+1 on that. I see no need for a patch here. The situation on the apache.org
site is IMHO unique and should be fixed with mod_sed / mod_substitute.

Regards

Rüdiger
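The two-page setup Jeff and Rüdiger describe (a public status page with client addresses masked by mod_substitute, next to an authenticated one that shows them), written out as an Apache configuration. This is an added example, not a config from the thread or from the httpd project; it assumes mod_status, mod_substitute, mod_filter and mod_authn_file are loaded, and the htpasswd path and the masking pattern are illustrative.

```apache
# Added example, not from the thread. Assumes mod_status, mod_substitute,
# mod_filter and mod_authn_file are loaded; the htpasswd path and the mask
# pattern are illustrative placeholders.

ExtendedStatus On

# Public view: anyone may read it, but client addresses are masked.
<Location "/server-status">
    SetHandler server-status
    Require all granted

    # mod_status emits text/html; run the SUBSTITUTE output filter on it.
    SetOutputFilter SUBSTITUTE

    # Keep the first three octets so "one client is holding n slots" is still
    # visible to the casual reader, and blank the last octet. The pattern
    # rewrites every dotted quad on the page, including the server's own
    # address in the header; IPv6 addresses are not covered by this regex.
    Substitute "s/\b(\d{1,3}\.\d{1,3}\.\d{1,3})\.\d{1,3}\b/$1.x/"
</Location>

# Private view: same data, nothing masked, credentials required.
<Location "/server-status-private">
    SetHandler server-status
    AuthType Basic
    AuthName "Server status (unmasked)"
    AuthUserFile "/etc/httpd/status.htpasswd"
    Require valid-user
</Location>
```

To check the masking, fetch /server-status with ExtendedStatus on while a request is in flight and confirm the Client column shows only masked addresses, then fetch /server-status-private with credentials and confirm the full address is present there.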
