authorDan Fandrich <danf@mageia.org>2025-12-26 19:28:40 -0800
committerDan Fandrich <danf@mageia.org>2025-12-26 19:29:29 -0800
commit65d58678eb8fffe7983cb626573b20072cef5edc (patch)
treeb61a503045054a4c6b6b2a5c4191debcdcb020f1 /modules/apache/templates
parent6c3c152aa0656700ed4354aaed05d20acc886624 (diff)
Protect the /server-status and /server-info endpoints
These provide potentially sensitive information, so allow access only from localhost. Reported-by: bas
Diffstat (limited to 'modules/apache/templates')
-rw-r--r--modules/apache/templates/info.conf38
1 files changed, 38 insertions, 0 deletions
diff --git a/modules/apache/templates/info.conf b/modules/apache/templates/info.conf
new file mode 100644
index 00000000..1ca918ea
--- /dev/null
+++ b/modules/apache/templates/info.conf
@@ -0,0 +1,38 @@
+#
+# Get information about the requests being processed by the server
+# and the configuration of the server.
+#
+# Required modules: mod_authz_core, mod_authz_host,
+# mod_info (for the server-info handler),
+# mod_status (for the server-status handler)
+
+#
+# Allow server status reports generated by mod_status,
+# with the URL of http://servername/server-status
+# Allow access only from localhost
+
+<Location /server-status>
+ SetHandler server-status
+ Order deny,allow
+ Deny from all
+ Allow from 127
+</Location>
+
+#
+# ExtendedStatus controls whether Apache will generate "full" status
+# information (ExtendedStatus On) or just basic information (ExtendedStatus
+# Off) when the "server-status" handler is called. The default is Off.
+#
+#ExtendedStatus On
+
+#
+# Allow remote server configuration reports, with the URL of
+# http://servername/server-info (requires that mod_info.c be loaded).
+# Allow access only from localhost
+#
+<Location /server-info>
+ SetHandler server-info
+ Order deny,allow
+ Deny from all
+ Allow from 127
+</Location>
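Review bot: The access rules in both `<Location>` blocks use the 2.2-style `Order deny,allow` / `Deny from all` / `Allow from 127`, which on Apache 2.4 are provided by mod_access_compat, not by the mod_authz_core and mod_authz_host modules the header comment lists as required. If the server runs 2.4 (the listed modules suggest so), the three lines in each block should become `Require local`, which also covers the IPv6 loopback `::1` that `Allow from 127` does not match. Both forms key on the connecting peer address, so if a reverse proxy on the same host fronts this server, proxied requests would presumably arrive from loopback and still reach both handlers; it is worth confirming these paths are not proxied. The ExtendedStatus comment's "The default is Off" should also be checked against the deployed version, since 2.4 changes the default to On when mod_status is loaded, which exposes per-request client addresses and URLs on /server-status.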