After enabling the Apache HTTPD server status report generated by mod_status by adding the following block to the Apache HTTPD configuration file (httpd.conf or apache2.conf), a 403 Forbidden error message is shown.

Directive in httpd.conf or apache2.conf to Enable Server Status

<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from techjourney.net
</Location>

Here ‘techjourney.net’ could be yourdomain.com, localhost, 127.0.0.1 or others.

Error Message

The following error message is shown when attempting to access the Apache HTTPD server status page, e.g. https://techjourney.net/server-status/:

403 Forbidden

Forbidden

You don’t have permission to access /server-status/ on this server.

The following entry is also logged in Apache error log:

[error] [client 192.168.1.1] client denied by server configuration: /server-status

Cause

The error occurs because permission to access /server-status has not been properly granted.

Solution

Modify httpd.conf or apache2.conf to include the host name or IP address of the computer that should be allowed to access /server-status.

Note
Some Apache configurations use the Include directive to add configuration files stored in sub-directories such as conf/extra/ and conf.d/. Make sure the server-status configuration is also correctly modified in any included configuration file, if one exists.

For example, to allow localhost to access /server-status with IPv6 support, modify the directive to the following:

<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 ::1
</Location>

To allow only your own computer, with a fixed IP address, to access /server-status, modify the directive to the following, where 177.177.177.177 should be replaced with the public IP address of your computer:

<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 177.177.177.177
</Location>

To give everyone access, modify the directive to the following:

<Location /server-status>
    SetHandler server-status
    Order allow,deny
    Allow from all
</Location>

Note
An unprotected, universally accessible Apache server status page is a potential security vulnerability. If your Internet connection has a dynamic IP address, which makes IP-based access restriction unfeasible, you can secure /server-status with password authentication.
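
The password protection mentioned in the note above could look like the following on Apache 2.4, where the Require directive replaces Order/Deny/Allow (the 2.2-style blocks above only work on 2.4 through mod_access_compat). This is an added example, not part of the original article; the realm name, the password file path /etc/apache2/.htpasswd-status and the user name statusadmin are assumptions.

```apache
# Added example, Apache 2.4 syntax.
# Assumes mod_status, mod_auth_basic, mod_authn_file, mod_authz_host,
# mod_authz_user and mod_ssl are loaded.
#
# Create the password file first (path and user name are assumptions):
#   htpasswd -c /etc/apache2/.htpasswd-status statusadmin
# Keep the file outside the document root and readable only by the
# account Apache runs as.
<Location /server-status>
    SetHandler server-status

    AuthType Basic
    AuthName "Server Status"
    AuthUserFile /etc/apache2/.htpasswd-status

    <RequireAny>
        # Requests from the server itself (127.0.0.0/8, ::1) need no password.
        Require local

        # Everyone else must authenticate, and only over HTTPS, because
        # Basic authentication sends the password base64-encoded, not encrypted.
        <RequireAll>
            Require ssl
            Require valid-user
        </RequireAll>
    </RequireAny>
</Location>
```

Check the syntax with apachectl configtest before reloading Apache.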