Protect or disable Apache server-status
# Best: if nothing scrapes it, remove the module entirelysudo a2dismod statusIf something does scrape it, restrict it rather than leaving it open:
<Location /server-status> SetHandler server-status Require local Require ip 10.0.1.5</Location>ExtendedStatus OffWhy it matters
Section titled “Why it matters”/server-status is not a health check. It is a live operational dashboard, and it
publishes:
- Every request currently being served — the full URL, including query strings and anything else in the path.
- Client IP addresses for those requests.
- Every vhost the server hosts, which enumerates your internal hostnames.
- Uptime, worker state, request rates, and the server version.
With ExtendedStatus On — which mod_status enables by default in some
packagings — you get the full request line for every worker. That means session
tokens, password reset links, API keys and anything else people put in query
strings appear on the page, live, to whoever loads it.
Scanners look for this path continuously and it is trivially findable. It is one of the most reliably productive URLs on the internet for reconnaissance.
Require local is narrower than it sounds
Section titled “Require local is narrower than it sounds”The default Debian status.conf uses:
<Location /server-status> SetHandler server-status Require local</Location>Require local allows 127.0.0.1, ::1, and the server’s own IP addresses. That
is usually fine — but note two things:
Behind a reverse proxy or load balancer, every request appears to come from the
proxy. If the proxy is on the same host, or if mod_remoteip is not configured,
Require local may match traffic that originated anywhere. A proxied
/server-status request can pass a Require local check that was never meant to
allow it.
Require local is not Require ip 127.0.0.1. If you want strictly loopback,
say so.
The safest position is that the module isn’t loaded. The second safest is an
explicit IP allow-list plus ExtendedStatus Off.
mod_info is worse
Section titled “mod_info is worse”While you’re here:
sudo a2dismod infomod_info serves /server-info, which is your entire parsed configuration —
every module, every directive, every vhost, every path. There is no production
scenario where that should be reachable. It is less common than mod_status and
strictly more damaging.
Related
Section titled “Related”- Disable unused modules — the broader audit.
- Disable information disclosure — listings and version banners.