> -----Original Message-----
> From: Jeff Trawick
> Sent: Wednesday, 23 June 2010 18:43
> To: dev@httpd.apache.org
> Subject: Re: server-status and privacy
>
> On Wed, Jun 23, 2010 at 12:09 PM, William A. Rowe Jr. <wr...@rowe-clan.net> wrote:
> > On 6/23/2010 10:49 AM, Jim Jagielski wrote:
> >>
> >> On Jun 21, 2010, at 1:07 PM, Jeff Trawick wrote:
> >>
> >>> On Mon, Jun 21, 2010 at 8:40 AM, Jim Jagielski <j...@jagunet.com> wrote:
> >>>> There have been a few reports regarding how server-status "leaks"
> >>>> info, mostly about our (the ASF's) open use of server-status and
> >>>> how IP addresses are exposed.
> >>>>
> >>>> I'm thinking about a patch that adjusts server-status/mod_status
> >>>> to have a "public vs. private" setting... Public would be to
> >>>> have IP addresses exposed as public info; private would be to
> >>>> not expose 'em (keep 'em private).
> >>>
> >>> use mod_sed or similar on apache.org to change the client IP address
> >>> field to "?"
> >>
> >> True... so I'm guessing this means that the patch would
> >> be unacceptable?
> >
> > If it's an obfuscation (truncated hash of IP?) that lets the admin/users
> > see that one individual is tying up 10 connections, I don't think it's
> > a bad idea to patch (mod_sed isn't going to do that effectively). +/-0
> > on patching to disable the field entirely.
> >
>
> admins can set up unobfuscated /server-status-foo with auth required;
> if they care about a single client IP tying up n connections, they
> want to see IP address too
>
> nearly zero sites want a public server-status page with
> obfuscated/omitted client IP address; why write new code to handle
> that?
>
+1 on that. I see no need for a patch here. The situation on the apache.org site is IMHO unique and should be fixed with mod_sed / mod_substitute.

Regards

Rüdiger
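The two configurations the thread settles on, written out as an added example (this is not configuration from the thread or from the httpd project): a public /server-status whose Client column is masked by mod_substitute, next to an unmasked copy of the same handler behind authentication. It assumes httpd 2.4 access-control syntax (`Require ...`; on 2.2 the equivalent is Order/Allow/Deny), that mod_status, mod_substitute, mod_auth_basic, mod_authn_file, mod_authz_core, mod_authz_host and mod_authz_user are loaded, and that the path /server-status-admin, the htpasswd file location and the 10.0.0.0/8 admin network are illustrative choices.

```apache
# Added example; not part of the thread or of httpd's own configuration.
# Assumes httpd 2.4 "Require" syntax and the modules named in the lead-in.
# /server-status-admin, the htpasswd path and 10.0.0.0/8 are assumptions.

# The per-connection table (the one that carries the Client column)
# is only rendered with ExtendedStatus On.
ExtendedStatus On

# Public page: anyone may read it, but client addresses are masked.
<Location "/server-status">
    SetHandler server-status
    Require all granted

    # Run the HTML through mod_substitute and replace anything that
    # looks like a dotted-quad IPv4 address with "?". This is the
    # mod_sed / mod_substitute approach proposed in the thread: it hides
    # the address but also loses the "one client holds N slots" signal.
    # mod_substitute replaces every match by default; its only flags
    # are i, n, f and q, so no "g" is needed (or accepted).
    SetOutputFilter SUBSTITUTE
    Substitute "s/[0-9]{1,3}(\.[0-9]{1,3}){3}/?/"
</Location>

# Private page: same handler, no masking, reachable only by an
# authenticated user coming from the admin network (both must hold).
<Location "/server-status-admin">
    SetHandler server-status
    AuthType Basic
    AuthName "server-status"
    AuthUserFile "/etc/httpd/status.htpasswd"
    <RequireAll>
        Require ip 10.0.0.0/8
        Require valid-user
    </RequireAll>
</Location>
```

Two caveats a practitioner should check before relying on the masked page. The pattern only matches IPv4 dotted quads, so IPv6 clients are not masked, and if HostnameLookups is on the column can carry a resolved hostname rather than an address, which the pattern would also leave untouched. It is deliberately broad in the other direction: any dotted quad anywhere in the page, including one embedded in a request URI in the Request column, is replaced too, which is the conservative failure mode for a public page.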