On Wed, Apr 4, 2018 at 1:02 PM, Nick Kew <n...@apache.org> wrote:
> On Wed, 4 Apr 2018 10:46:31 -0400
> Eric Covener <cove...@gmail.com> wrote:
>
>
>> What is the correct configuration that doesn't cause htaccess to be
>> visited? If it's trunk only, I think it should be an alternate config
>> mechanism rather than making it incompatible with any other setting in
>> htaccess.
>
> Anything equivalent to the "canonical" example in both the
> mod_status docs and the shipped httpd-info.conf.in .
>
> Note that the latter also implies it can be restricted to
> an access list, which is misleading if any "Require" can
> be bypassed through .htaccess.
>
> # Allow server status reports generated by mod_status,
> # with the URL of http://servername/server-status
> # Change the ".example.com" to match your domain to enable.
>
> <Location /server-status>
>     SetHandler server-status
>     Require host .example.com
>     Require ip 127
> </Location>
>

That configuration has no bearing on whether htaccess files are visited for a request to /server-status. That's why the taint check is too aggressive in this case.