1

This is on Apache/2.2.21. In httpd.conf, I had the following directive:

 <Location /server-status> SetHandler server-status Order deny,allow Deny from all Allow from xx.xx.xxx.xxx <Location>

I realized recently that my own IP address no longer matched the "Allow from", but still I was able to access server-status! In other words, it was somehow set to be completely public. (I have now disabled it.)

How is this possible? The Location directive is global and my sites are served through vhosts.

Also, what is the best way to configure server-status when I am accessing it from a dynamically-assigned IP address?

Improve this question
0

1 Answer 1

Reset to default
1

Since this is outside of the <VirtualHost> definitions, I'm going to guess that you have Allow all directives inside of the <VirtualHost> blocks.

Sections inside <VirtualHost> sections are applied after the corresponding sections outside the virtual host definition. This allows virtual hosts to override the main server configuration.

See here.

Improve this answer
1
  • 1
    Yes, thank you! There was another Location directive in the vhost and I did not realize that location "/" would trump the more specific location "/server-status". Commented Jan 20, 2012 at 17:48

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.