httpd-dev mailing list archives

From Jeff Trawick <traw...@gmail.com>
Subject Re: server-status and privacy
Date Wed, 23 Jun 2010 16:42:45 GMT
On Wed, Jun 23, 2010 at 12:09 PM, William A. Rowe Jr.
<wrowe@rowe-clan.net> wrote:
> On 6/23/2010 10:49 AM, Jim Jagielski wrote:
>>
>> On Jun 21, 2010, at 1:07 PM, Jeff Trawick wrote:
>>
>>> On Mon, Jun 21, 2010 at 8:40 AM, Jim Jagielski <jim@jagunet.com> wrote:
>>>> There have been a few reports regarding how server-status "leaks"
>>>> info, mostly about our (the ASF's) open use of server-status and
>>>> how IP addresses are exposed.
>>>>
>>>> I'm thinking about a patch that adjusts server-status/mod_status
>>>> to have a "public vs. private" setting... Public would be to
>>>> have IP addresses exposed as public info; private would be to
>>>> not expose 'em (keep 'em private).
>>>
>>> use mod_sed or similar on apache.org to change the client IP address
>>> field to "?"
>>
>> True... so I'm guessing this means that the patch would
>> be unacceptable?
>
> If it's an obfuscation (truncated hash of IP?) that lets the admin/users
> see that one individual is tying up 10 connections, I don't think it's
> a bad idea to patch (mod_sed isn't going to do that effectively).  +/-0
> on patching to disable the field entirely.
>

admins can set up unobfuscated /server-status-foo with auth required;
if they care about a single client IP tying up n connections, they
want to see IP address too

nearly zero sites want a public server-status page with
obfuscated/omitted client IP address; why write new code to handle
that?
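The two approaches raised in this thread, the mod_sed filter on a public status page (Jeff's suggestion) and a separate unobfuscated page behind authentication (the message above), put together as an added configuration example; this is not config from the thread or from the httpd project. It assumes mod_status, mod_sed, mod_auth_basic and mod_authn_file are loaded, the htpasswd path is hypothetical, and the regex matches the client-address cell as mod_status renders it in your version, which should be checked against real output before relying on it.

```apache
# Added example, not from the thread. Two status endpoints:
#  - /server-status-private: full mod_status output (real client IPs, so
#    an admin can see one client tying up many connections), auth required.
#  - /server-status: public view; a mod_sed output filter replaces the
#    client-address cell with "?" so visitor IPs are not exposed.
# Assumptions: modules above are loaded; /etc/httpd/status.htpasswd is a
# hypothetical path; the sed pattern targets an HTML <td> holding a dotted
# IPv4 address and must be verified against this server's actual output
# (IPv6 clients would need a second pattern).

ExtendedStatus On

<Location "/server-status-private">
    SetHandler server-status
    AuthType Basic
    AuthName "Server status (admins only)"
    AuthUserFile "/etc/httpd/status.htpasswd"
    Require valid-user
</Location>

<Location "/server-status">
    SetHandler server-status
    Require all granted
    # Run the handler output through mod_sed and blank any table cell that
    # consists solely of a dotted-quad address. '|' is used as the sed
    # delimiter so the HTML closing tags need no escaping.
    SetOutputFilter Sed
    OutputSed "s|<td>[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*</td>|<td>?</td>|g"
</Location>
```

The private page still carries the raw addresses, so it should sit behind TLS as well as authentication; the public page leaks nothing more than the ?auto summary already does, apart from request lines and vhost names, which may also deserve filtering.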
