How to secure Apache mod_info but keep remote access

Question

I use Apache's mod_info to display detailed information about my server setup.

httpd-vhosts.conf

# Set path below to be handled by mod_info. It will show server info. # For this to work, this module must be loaded (uncommented in httpd.conf) <Location /special/path> SetHandler server-info Order allow,deny Allow from 127.0.0.1 </Location> 

Allow from is set to the local machine because this is on my dev machine.

This module allows me to see a tremendous amount of information by navigating to /special/path. I'd like to use it on my public server but need to secure it somehow so others cannot load that path.

The docs discuss whitelisting by IP address but I have an organizational IP, shared by many.

What's the most practical way to protect this path? Apache 2.4.16

Answer 1

You're not limited to setting IP access controls, you can also use any other access control that is allowed in a <Location> scope, or combination thereof. So use the RequireAll directive to require both a specific IP-address and set up authentication and require a specific login.

<Location /special/path> SetHandler server-info AuthType Basic AuthName "Restricted Access To Special Location" AuthBasicProvider file AuthUserFile "/usr/local/apache/passwd/passwords" <RequireAll> Require ip 10.252.46.165 Require user BeetleJuice </RequireAll> </Location> 

Answer 2

Set it to only be available on 127.0.0.1, and then access it via an ssh tunnel.