Apache HTTPD web server has a useful handler server-status enabled by mod_status which provides server current status reports. While Apache has several modules and directives that manage access control, but only access control based on host is implemented by default in <Location> directive that defines the server-status handler.

The limitation of host-based access control means that it’s not suitable for people on dynamic IP address who wants to view the Apache current status remotely, as constantly changed IP address may accidentally block the access. A more foolproof method is by using password authentication when accessing /server-status from remote host.

Enable User ID and Password Authentication for /server-status Location

Add the following Apache HTTPD server authorization snippet to the Location /server-status directive to quickly add basic and simple user name and password authentication before one is allowed to check the server status.

<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Satisfy any

    Allow from localhost ip6-localhost

    AuthType basic
    AuthName "Apache Server Status"
    AuthBasicProvider file
    AuthUserFile /etc/httpd/passwords
    Require valid-user
</Location>

Some explanation about the code above:

AuthType enables the HTTP Basic Authentication to restrict access by looking up users in the given providers.

AuthName sets the name of the authorization realm for a directory so that the user knows which username and password to send. You can modify the name according to your preference.

AuthBasicProvider is optional as file is the default provider. It sets which provider is used to authenticate the users for this location.

AuthUserFile directive sets the name of a textual file containing the list of users and passwords for user authentication. The path and name of the file must be identical to the file generated by htpasswd utility, which will be shown below.

Require valid-user specifies that all valid users can access the /server-status location. Alternatively, you can set which specific users that can access by changing it to: Require user userid, where ‘userid’ to be replaced with actual user name. More users can be specified by separating with space.

Satisfy any is required if you want to allow either authenticated users or allowed host (as specified in ‘Allow from’ directive) to access the URL. In this case, computer which is allowed via host address will be able to access the server status without logging in. If you want to tighten the security by required the host to match both the host address and user credentials, you can change it to Satisfy All.

Creating Username and Password File for HTTPD Basic Authentication

Creates a new file and stores a record in it for user ‘username’ with the htpasswd through the following command. You will be prompted to enter the password. Replace ‘username’ with the actual user name of your choice.

htpasswd -c /etc/httpd/passwords username

If you have previously created a file through htpasswd, use the following command to add or modify the password:

htpasswd /etc/httpd/passwords username