Home / server / Questions / 802893
Accepted
BeetleJuice
Asked: 2016-09-14 18:48:22 +0800 CST

How to secure Apache mod_info but keep remote access

  • 772

I use Apache's mod_info to display detailed information about my server setup.

httpd-vhosts.conf

# Set path below to be handled by mod_info. It will show server info. 
# For this to work, this module must be loaded (uncommented in httpd.conf)
<Location /special/path>
   SetHandler server-info
   Order allow,deny
   Allow from 127.0.0.1
</Location>

Allow from is set to the local machine because this is on my dev machine.

This module allows me to see a tremendous amount of information by navigating to /special/path. I'd like to use it on my public server but need to secure it somehow so others cannot load that path.

The docs discuss whitelisting by IP address but I have an organizational IP, shared by many.

What's the most practical way to protect this path? Apache 2.4.16

security apache-2.4

2 Answers

  1. Best Answer

    You're not limited to setting IP access controls, you can also use any other access control that is allowed in a <Location> scope, or combination thereof. So use the RequireAll directive to require both a specific IP-address and set up authentication and require a specific login. 

    <Location /special/path>
  SetHandler server-info
  AuthType Basic
  AuthName "Restricted Access To Special Location"
  AuthBasicProvider file
  AuthUserFile "/usr/local/apache/passwd/passwords"
  <RequireAll>
    Require ip 10.252.46.165
    Require user BeetleJuice   
  </RequireAll>
</Location>
    • 4

  2. Set it to only be available on 127.0.0.1, and then access it via an ssh tunnel.

    • 2