6

I am using Apache 2.4.18 on Ubuntu.

I want to allow reading server status only from localhost.

In /etc/apache2/mods-enabled/status.conf I have:

<Location /server-status>
          SetHandler server-status
          Require ip 127.0.0.1
</Location>

I have read https://httpd.apache.org/docs/2.4/howto/access.html and from it I believe the above configuration should be working. I have restarted Apache to ensure that the new configuration is active. However, the status page is still open for reading from anywhere.

In /etc/apache2/sites-enabled/mysite.conf I have:

 DocumentRoot /var/www
 <Location />
        Require all granted
 </Location>

What is wrong with my configuration?

Madoc Comadrin

2 Answers

3

From what I can see, the virtual host config file seems to take precedence over the mod_status config file.

Actually, you grant all to / within mysite.conf:

<Location />
        Require all granted
</Location>

As a result, everyone can access /server-status.

You would have to manage permissions to /server-status in the virtual host config file itself, /etc/apache2/sites-enabled/status.conf:

DocumentRoot /var/www
 <Location />
        Require all granted
 </Location>
 <Location /server-status>
        Require local
 </Location>

From there, whatever permissions you set in /etc/apache2/mods-enabled/status.conf will be ignored, as /etc/apache2/sites-enabled/status.conf takes precedence.

krisFR
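
A small model of the merge order behind the answer above, as an added example that is not part of the original posts. It assumes the question's `<Location />` sits inside a `<VirtualHost>`, Apache's default `AuthMerging Off`, and treats `Require local` as loopback-only; the function names and the client address 203.0.113.7 are made up for illustration.

```python
import ipaddress

# Constructed model of the two files in the question: (scope, Location, Require).
QUESTION = [
    ("server", "/server-status", "ip 127.0.0.1"),  # mods-enabled/status.conf
    ("vhost", "/", "all granted"),                 # sites-enabled/mysite.conf
]
# The fix from the answer: a second section inside the virtual host, after "/".
FIXED = QUESTION + [("vhost", "/server-status", "local")]


def location_matches(location, path):
    """Segment-wise prefix match, as <Location> does for plain (non-regex) paths."""
    if location.endswith("/"):
        return path.startswith(location)
    return path == location or path.startswith(location + "/")


def effective_require(sections, path):
    """Return the Require that wins for path, or None if no section matches."""
    # Server-level sections merge first, virtual-host sections after them;
    # sorted() is stable, so file order is kept within each scope.
    ordered = sorted(sections, key=lambda s: s[0] != "server")
    winner = None
    for _scope, location, require in ordered:
        if location_matches(location, path):
            winner = require  # AuthMerging Off: later section replaces earlier
    return winner


def allowed(sections, path, client_ip):
    """Evaluate the winning Require for one client address (simplified)."""
    require = effective_require(sections, path)
    addr = ipaddress.ip_address(client_ip)
    if require == "all granted":
        return True
    if require == "local":
        return addr.is_loopback  # assumption: ignores the client==server case
    if require and require.startswith("ip "):
        return addr in ipaddress.ip_network(require[3:])
    return False  # no matching section or unsupported provider in this model


if __name__ == "__main__":
    for name, cfg in (("question", QUESTION), ("fixed", FIXED)):
        for ip in ("127.0.0.1", "203.0.113.7"):  # constructed client addresses
            print(name, ip, effective_require(cfg, "/server-status"),
                  allowed(cfg, "/server-status", ip))
```

With the question's files, `all granted` wins for both addresses; once the `/server-status` section is inside the virtual host and placed after `<Location />`, `local` wins and the remote address is refused.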
1

Use the location directive below in status.conf:

<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from localhost
</Location>

After this, install lynx on your machine from the CLI. Lynx is a fully featured World Wide Web (WWW) client that can be used from Linux terminals.

For Ubuntu, install lynx using:

 apt-get install lynx

Run the command below to check the Apache server status:

 lynx http://localhost/server-status

imvikasmunjal
    The docs for 2.4 say: `The Allow, Deny, and Order directives, provided by mod_access_compat, are deprecated and will go away in a future version. You should avoid using them, and avoid outdated tutorials recommending their use.` I would prefer to use another solution, if there is one. – Madoc Comadrin Sep 29 '17 at 10:53