403 Forbidden Error When Enabling /server-status in Apache HTTPD Server
When enabling the Apache HTTPD server status reports generated by mod_status by adding the following block to the Apache HTTPD configuration file, namely httpd.conf or apache2.conf, the 403 Forbidden error message is shown.
Directive in httpd.conf or apache2.conf to Enable Server Status
<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
Allow from techjourney.net
</Location>
Where the ‘techjourney.net’ could be yourdomain.com, localhost, 127.0.0.1 or others.
Error Message
The following error message is shown when attempting to access the Apache HTTPD server status page, e.g. https://techjourney.net/server-status/:
403 Forbidden
Forbidden
You don’t have permission to access /server-status/ on this server.
The following entry is also logged in Apache error log:
[error] [client 192.168.1.1] client denied by server configuration: /server-status
Cause
The error happened due to acpermission to access /server-status is not properly granted.
Solution
Modify the httpd.conf or apache2.conf to include the host name or IP address of the computer which the access to /server-status is to be allowed.
Note
Some Apache configuration may make use of include directive to add configuration files saved in sub-directories such as conf/extra/ and conf.d/. Hence make sure that the server-status config is also properly modified in included config file if exist.
For example, to allow localhost to access /server-status with IPv6 support, modify the directive to the following:
<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
Allow from 127.0.0.1 ::1
</Location>
To allow your own computer with a fixed IP address only to access /server-status, modify the directive to the following, where 177.177.177.177 should be replaced with the public IP address of your computer:
<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
Allow from 177.177.177.177
</Location>
To give everyone’s access, modify the directive to the following:
<Location /server-status>
SetHandler server-status
Order allow,deny
Allow from all
</Location>
Note
Unprotected and universally accessible Apache server status reports page is a potential security vulnerability. If your Internet connection has dynamic IP address which makes access restriction based on IP address unfeasible, it’s possible to secure /server-status with password authentication.
LK is a technology writer for Tech Journey with background of system and network administrator. He has be documenting his experiences in digital and technology world for over 15 years.Connect with LK through Tech Journey on Facebook, Twitter or Google+.
