Mailing List Archive

mod_status over SSL?
Hi,

I have an apache-2.4.48 server on fedora34 and would like to enable
mod_status to be able to obtain server status information. However, the
docs appear to say the only way to access it is over port 80, not SSL.
Is that correct?

Chrome is also expecting the site to be over SSL, of course.

https://httpd.apache.org/docs/2.4/mod/mod_status.html

Here is my virtual host entry on port 80:

<VirtualHost 209.216.111.156:80>
  ServerName darwin-perf.example.com
  ServerAdmin admin@example.com

  ErrorLog /var/www/otherdomains-443/logs/error_log
  CustomLog /var/www/otherdomains-443/logs/access_log timing
  LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %T/%D %I/%O/%B H:%H U:%U dp80 s:%s V:%V v:%v" timing

    <Location /server-status>
        SetHandler server-status
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1 localhost 192.168.1.0/24
    </Location>

    <Location /server-info>
        SetHandler server-info
        Order Deny,Allow
        Allow from ip 127.0.0.1 localhost 192.168.1.0/24
    </Location>

    <Location /perl-status>
      SetHandler perl-script
      PerlResponseHandler Apache2::Status
      Order deny,allow
      Deny from all
      Allow from ip 127.0.0.1 localhost 192.168.1.0/24
    </Location>

    <FilesMatch "^ping|status-fpm$">
      RewriteEngine Off
      SetHandler "proxy:unix:/run/php-fpm/linuxsecurity.sock|fcgi://localhost"
    </FilesMatch>

</VirtualHost>
Re: mod_status over SSL?
Hi,

TLS should work.

What you need is a TLS/SSL config; see the example below.

Include what you need in the VirtualHost *:443.
Of course, you need a private key, a TLS (SSL) certificate and a chain. If possible,
I can recommend letsencrypt. Simply configure TLS, and update with your
settings after this works correctly.

# generated 2021-09-07, Mozilla Guideline v5.6, Apache 2.4.48, OpenSSL 1.1.1d, intermediate configuration
# https://ssl-config.mozilla.org/#server=apache&version=2.4.48&config=intermediate&openssl=1.1.1d&guideline=5.6

# this configuration requires mod_ssl, mod_socache_shmcb, mod_rewrite, and mod_headers
<VirtualHost *:80>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    SSLEngine on

    # curl https://ssl-config.mozilla.org/ffdhe2048.txt >> /path/to/signed_cert_and_intermediate_certs_and_dhparams
    SSLCertificateFile      /path/to/signed_cert_and_intermediate_certs_and_dhparams
    SSLCertificateKeyFile   /path/to/private_key

    # enable HTTP/2, if available
    Protocols h2 http/1.1

    # HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
    Header always set Strict-Transport-Security "max-age=63072000"
</VirtualHost>

# intermediate configuration
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder     off
SSLSessionTickets       off

SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"


Regards,
Harrie

On Tue, 7 Sep 2021, 23:18 Dave Wreski, <dwreski@guardiandigital.com.invalid>
wrote:

> Hi,
>
> I have an apache-2.4.48 server on fedora34 and would like to enable
> mod_status to be able to obtain server status information. However, the
> docs appear to say the only way to access it is over port 80, not SSL. Is
> that correct?
>
> Chrome is also expecting the site to be over SSL, of course.
>
> https://httpd.apache.org/docs/2.4/mod/mod_status.html
>
> Here is my virtual host entry on port 80:
>
> <VirtualHost 209.216.111.156:80>
> ServerName darwin-perf.example.com
> ServerAdmin admin@example.com
>
> ErrorLog /var/www/otherdomains-443/logs/error_log
> CustomLog /var/www/otherdomains-443/logs/access_log timing
> LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %T/%D %I/%O/%B H:%H U:%U dp80 s:%s V:%V v:%v" timing
>
> <Location /server-status>
> SetHandler server-status
> Order deny,allow
> Deny from all
> Allow from 127.0.0.1 localhost 192.168.1.0/24
> </Location>
>
> <Location /server-info>
> SetHandler server-info
> Order Deny,Allow
> Allow from ip 127.0.0.1 localhost 192.168.1.0/24
> </Location>
>
> <Location /perl-status>
> SetHandler perl-script
> PerlResponseHandler Apache2::Status
> Order deny,allow
> Deny from all
> Allow from ip 127.0.0.1 localhost 192.168.1.0/24
> </Location>
>
> <FilesMatch "^ping|status-fpm$">
> RewriteEngine Off
> SetHandler "proxy:unix:/run/php-fpm/linuxsecurity.sock|fcgi://localhost"
> </FilesMatch>
>
> </VirtualHost>
Re: mod_status over SSL?
On 9/7/2021 5:18 PM, Dave Wreski wrote:
>
> Hi,
>
> I have an apache-2.4.48 server on fedora34 and would like to enable
> mod_status to be able to obtain server status information. However,
> the docs appear to say the only way to access it is over port 80, not
> SSL. Is that correct?
>
> Chrome is also expecting the site to be over SSL, of course.
>
> https://httpd.apache.org/docs/2.4/mod/mod_status.html
>
> Here is my virtual host entry on port 80:
>
> <VirtualHost 209.216.111.156:80>
>   ServerName darwin-perf.example.com
>   ServerAdmin admin@example.com
>
>   ErrorLog /var/www/otherdomains-443/logs/error_log
>   CustomLog /var/www/otherdomains-443/logs/access_log timing
>   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %T/%D %I/%O/%B H:%H U:%U dp80 s:%s V:%V v:%v" timing
>
>     <Location /server-status>
>         SetHandler server-status
>         Order deny,allow
>         Deny from all
>         Allow from 127.0.0.1 localhost 192.168.1.0/24
>     </Location>
>
>     <Location /server-info>
>         SetHandler server-info
>         Order Deny,Allow
>         Allow from ip 127.0.0.1 localhost 192.168.1.0/24
>     </Location>
>
>     <Location /perl-status>
>       SetHandler perl-script
>       PerlResponseHandler Apache2::Status
>       Order deny,allow
>       Deny from all
>       Allow from ip 127.0.0.1 localhost 192.168.1.0/24
>     </Location>
>
>     <FilesMatch "^ping|status-fpm$">
>       RewriteEngine Off
>       SetHandler "proxy:unix:/run/php-fpm/linuxsecurity.sock|fcgi://localhost"
>     </FilesMatch>
>
> </VirtualHost>

You have server-status defined within an 80/http virtual host and as
such I expect it will only be available via port 80/http.
You can define server-status more globally or within an https
configuration depending on what you want to support.
However, bottom line is server-status and server-info can be configured
for https/443.

As an aside, you do want to be careful in your configuration about the
availability of server-status and server-info; it is likely not something
you want to provide public access to. I do see you are controlling access.
However... Order, Deny, Allow are deprecated in Apache 2.4 and you
might want to consider reading:
https://httpd.apache.org/docs/2.4/howto/access.html

Jim



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
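Jim's point about Order/Deny/Allow is worth checking mechanically, because the mod_access_compat rules in the original post do not all behave the same way: /server-status denies everything first and then allows the admin ranges, but /server-info has Order Deny,Allow with no Deny line, which under those semantics permits any request that matches neither list, and its "Allow from ip ..." treats "ip" as a hostname rather than as the Require keyword. The script below is an added example, not code from this thread or from httpd itself: it parses the <Location> blocks out of a constructed copy of the posted config (moved into a *:443 vhost, with an added /metrics block written in 2.4 style), reports those three conditions, and prints the Require ip / Require host lines that carry the same host list over to the 2.4 authorization model. All function names are this example's own, and the parser only understands the flat directive layout shown here.

```python
"""Lint the <Location> blocks of an Apache 2.4 config for access control that
is deprecated (mod_access_compat) or fails open.

Added example, not code from the thread or from httpd. SAMPLE_CONFIG is a
constructed, cut-down copy of the status handlers in the original post.
"""
import re
from dataclasses import dataclass, field

SAMPLE_CONFIG = """\
<VirtualHost *:443>
    # as posted: Deny from all, then Allow the admin networks
    <Location /server-status>
        SetHandler server-status
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1 localhost 192.168.1.0/24
    </Location>

    # as posted: no Deny line, and "ip" is Require syntax, not an Allow host
    <Location /server-info>
        SetHandler server-info
        Order Deny,Allow
        Allow from ip 127.0.0.1 localhost 192.168.1.0/24
    </Location>

    # 2.4 style, as the thread converges on (constructed block)
    <Location /metrics>
        SetHandler server-status
        Require ip 127.0.0.1 192.168.1.0/24
    </Location>
</VirtualHost>
"""

# Directives of mod_access_compat, kept in 2.4 only for backward compatibility.
DEPRECATED = {"order", "allow", "deny", "satisfy"}
_OPEN = re.compile(r"^<Location\s+(\S+)\s*>$", re.I)
_CLOSE = re.compile(r"^</Location>$", re.I)
_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){0,3}(?:/\d{1,2})?$")  # IPv4, partial or CIDR


@dataclass
class Location:
    path: str
    directives: list = field(default_factory=list)  # (lower-cased name, argument string)


def parse_locations(text):
    """Collect every <Location> block and its directives; other lines are ignored."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = _OPEN.match(line)
        if opened:
            current = Location(opened.group(1))
        elif _CLOSE.match(line):
            if current is not None:
                blocks.append(current)
            current = None
        elif current is not None:
            name, _, args = line.partition(" ")
            current.directives.append((name.lower(), args.strip()))
    return blocks


def _allow_hosts(args):
    """Host list of an 'Allow from ...' argument string."""
    words = args.split()
    return words[1:] if words and words[0].lower() == "from" else words


def lint(block):
    """Return the findings for one <Location> block (empty list: nothing to report)."""
    findings = []
    if any(name in DEPRECATED for name, _ in block.directives):
        findings.append("uses Order/Allow/Deny (mod_access_compat), deprecated in 2.4")
    order = next((a.lower().replace(" ", "") for n, a in block.directives if n == "order"), None)
    deny_all = any(n == "deny" and a.lower() == "from all" for n, a in block.directives)
    # With Order Deny,Allow, a request matching neither list is permitted.
    if order == "deny,allow" and not deny_all:
        findings.append("Order Deny,Allow without 'Deny from all' fails open: every client is allowed")
    for n, a in block.directives:
        if n == "allow" and any(h.lower() == "ip" for h in _allow_hosts(a)):
            findings.append("'Allow from ip ...' treats 'ip' as a hostname; 'ip' is Require syntax")
    return findings


def require_equivalent(block):
    """Translate the block's Allow hosts into 2.4 'Require ip' / 'Require host' lines."""
    ips, hosts = [], []
    for n, a in block.directives:
        if n != "allow":
            continue
        for h in _allow_hosts(a):
            if h.lower() in ("ip", "all"):
                continue  # 'all' would become 'Require all granted', never wanted for status pages
            (ips if _IPV4.match(h) else hosts).append(h)
    lines = []
    if ips:
        lines.append("Require ip " + " ".join(ips))
    if hosts:
        lines.append("Require host " + " ".join(hosts))
    return lines


if __name__ == "__main__":
    for block in parse_locations(SAMPLE_CONFIG):
        print(block.path)
        for finding in lint(block):
            print("  !", finding)
        for line in require_equivalent(block):
            print("  ->", line)
```

Run against the sample, /server-status gets only the deprecation finding, /server-info gets all three, and /metrics gets none; the suggested replacement for both compat blocks is "Require ip 127.0.0.1 192.168.1.0/24" plus "Require host localhost" (Require host needs hostname lookups, so dropping localhost in favour of 127.0.0.1 is the usual choice). Point it at a real vhost file with `parse_locations(open(path).read())` to lint the blocks the thread is about before moving them into the 443 host.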
Re: mod_status over SSL?
Hi,

> You have server-status defined within an 80/http virtual host and as
> such I expect it will only be available via port 80/http.
> You can define server-status more globally or within an https
> configuration depending on what you want to support.
> However, bottom line is server-status and server-info can be
> configured for https/443.

Got it working, thanks. I was thrown off by the comment in the docs and
a poor memory when I initially set this up quite some time ago. I've now
got a letsencrypt cert for it and it is operating over SSL.

> As an aside, you do want to be careful on your configuration for
> availability of server-status and server-info and likely not something
> you want to provide public access. I do see you are controlling access.
> However...  Order, Deny, Allow are deprecated in Apache 2.4 and you
> might want to consider reading:
> https://httpd.apache.org/docs/2.4/howto/access.html

Yes, thanks for this as well. I've converted them all to "Require ip"
and removed the old stuff.

Thanks,
Dave

