
Apache fullstatus with mod_status

Installation

Mod_status is a standard Apache module configured by default. It requires either elinks or links, but as elinks is more lightweight, and our requires elinks, we’ll install that.

  • On AlmaLinux 8.x, you need to enable the PowerTools repo (set enabled=1 in /etc/yum.repos.d/almalinux-powertools.repo).
  • On Rocky Linux 8.x, you need to enable the PowerTools repo (set enabled=1 in /etc/yum.repos.d/Rocky-PowerTools.repo).
  • On RedHat 8.x, you need to enable the CodeReady repo.

yum install elinks

Usage

View the status report or the extended fullstatus report with one of these commands.

apachectl status
apachectl fullstatus

Configuration
CentOS/RHEL – Apache 2.2

To enable mod_status in Apache 2.0 / 2.2, edit the httpd.conf configuration file. You should find these lines in there already, but commented out. Also, I always update the Allow list and add RewriteEngine Off.

# /etc/httpd/conf/httpd.conf
LoadModule status_module modules/mod_status.so
ExtendedStatus On
<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
Allow from 127.0.0.1 localhost
RewriteEngine Off
</Location>

# Always run a configtest before restarting Apache.
httpd -t
service httpd reload

CentOS/RHEL – Apache 2.4

To enable mod_status in Apache 2.4, you need to create a new configuration file. Note that “ExtendedStatus” is on by default in Apache 2.4.
# /etc/httpd/conf.modules.d/00-base.conf
# (This line should be present; make sure it is uncommented)
LoadModule status_module modules/mod_status.so

# /etc/httpd/conf.modules.d/00-status.conf
# (You will need to create this file)
<Location /server-status>
SetHandler server-status
Require local
RewriteEngine Off
</Location>

# Always run a configtest before restarting Apache.
httpd -t
service httpd reload

Debian/Ubuntu – Apache 2.4

The Apache status report is enabled by default in supported versions of Ubuntu and Debian. You just need to install links so that the OS has a binary it can point the /usr/bin/www-browser symlink at:

# apache2ctl fullstatus
/usr/sbin/apachectl: 113: /usr/sbin/apachectl: www-browser: not found
‘www-browser -dump http://localhost:80/server-status’ failed.
Maybe you need to install a package providing www-browser or you
need to adjust the APACHE_LYNX variable in /etc/apache2/envvars

# apt install links

# ls -lh /usr/bin/www-browser
lrwxrwxrwx 1 root root 29 Dec 19 17:33 /usr/bin/www-browser -> /etc/alternatives/www-browser

Apache behind a reverse proxy

Special care needs to be taken when Apache is running behind a local reverse proxy, otherwise the status page will also be accessible externally. This is because, from Apache's perspective, the connections are coming from localhost.

  • When using the configurations below, always test them to confirm that the status page is not displayed externally.

The following will block requests when the X-Forwarded-For header is set in Apache 2.2.
<Location /server-status>
SetHandler server-status
SetEnvIf X-Forwarded-For ".+" DenyAccess
Order allow,deny
Allow from 127.0.0.1 localhost
Deny from env=DenyAccess
RewriteEngine Off
</Location>

In Apache 2.4 it can be done in a similar way.

<Location /server-status>
SetHandler server-status
SetEnvIf X-Forwarded-For ".+" DenyAccess
<RequireAll>
Require local
Require not env DenyAccess
</RequireAll>
RewriteEngine Off
</Location>

A more elegant way of fixing this in Apache 2.4 is using the remoteip module to replace the Client IP with the one in the X-Forwarded-For header.

Note: this will be applied globally, so be careful as it may break other ACLs
# /etc/httpd/conf.modules.d/00-base.conf
# (This line should be present; make sure it is uncommented)
LoadModule remoteip_module modules/mod_remoteip.so

# /etc/httpd/conf.modules.d/00-remoteip.conf
# (You will need to create this file)
<IfModule mod_remoteip.c>
RemoteIPInternalProxy 127.0.0.1
RemoteIPHeader X-Forwarded-For
</IfModule>
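
One way to run the test recommended above, as an added example that is not part of the original page: the script requests the status page over loopback twice, once plainly and once carrying an X-Forwarded-For header as the proxy would send it, and reports whether the proxied request is refused. The backend URL, the optional public URL and the 203.0.113.10 client address are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example (not from the original page): check that /server-status is
# served to local requests but refused to requests that arrived via the proxy.
# Assumptions: the backend URL you pass in, and 203.0.113.10 as a constructed
# documentation-range client address standing in for an external visitor.

CURL=${CURL:-curl}

# http_code URL [curl args...]: print only the HTTP status code (000 = no answer)
http_code() {
    hc_url=$1; shift
    $CURL -s -k -o /dev/null -m 5 -w '%{http_code}' "$@" "$hc_url" || true
}

# check_status_acl BACKEND_URL [PUBLIC_URL]
# Returns 0 = restricted, 1 = exposed, 2 = status page not working locally.
check_status_acl() {
    direct=$(http_code "$1")
    # Same path the proxy uses: a loopback connection carrying X-Forwarded-For.
    proxied=$(http_code "$1" -H 'X-Forwarded-For: 203.0.113.10')
    echo "direct local request:        $direct"
    echo "loopback + X-Forwarded-For:  $proxied"
    if [ "$direct" != 200 ]; then
        echo "UNKNOWN: status page is not answering locally, fix that first"
        return 2
    fi
    if [ "$proxied" = 200 ]; then
        echo "EXPOSED: proxied requests are treated as local"
        return 1
    fi
    if [ -n "${2:-}" ]; then
        public=$(http_code "$2")
        echo "public URL via the proxy:    $public"
        if [ "$public" = 200 ]; then
            echo "EXPOSED: status page is served on the public URL"
            return 1
        fi
    fi
    echo "OK: status page is limited to direct local requests"
    return 0
}

# Run only when a URL is given, e.g.:
#   sh check_status_acl.sh http://localhost:8080/server-status https://example.com/server-status
if [ "$#" -gt 0 ]; then
    check_status_acl "$@"
fi
```

A 200 on the second probe means the ACL still sees proxied traffic as local. Confirm the final result from a host outside the network as well.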

Troubleshooting

Apache may be running on an alternate port or IP. First determine where it is running and verify server-status works with curl. Here are some examples to try.

curl -i http://localhost/server-status
curl -i http://localhost:8080/server-status
curl -ik https://localhost/server-status
curl -ik https://172.16.24.50:4433/server-status
curl -i http://192.168.100.25:7080/server-status
curl -i http://localhost:7080/server-status # Plesk with Nginx proxy enabled
curl -i http://localhost/whm-server-status # cPanel

Errors with curl.

  • 401 Unauthorized: There may be an htpasswd restriction, and this may be a showstopper. You can consider creating a virtualhost on a different port just for server-status.
  • 403 Forbidden: You might need to adjust the Allow statement in the httpd.conf file. Try adding the eth0 IP, like 192.168.100.205.
  • 404 Not Found: mod_status is probably not enabled, or you are being redirected by the application. Check the Apache error logs to see where the request is going.

Once you identify the curl statement that works, add it to the /etc/sysconfig/httpd file (including the http:// or https:// protocol). This part does not require an Apache reload.

# /etc/sysconfig/httpd
STATUSURL=http://localhost:8080/server-status

There are no special considerations for Plesk servers.

In EL8, the apachectl bash script (located in /sbin/apachectl or /usr/sbin/apachectl) no longer sources /etc/sysconfig/httpd; someone felt this was a security risk. The following code has been removed from apachectl:

# Source /etc/sysconfig/httpd for $HTTPD setting, etc.
if [ -r /etc/sysconfig/httpd ]; then
. /etc/sysconfig/httpd
fi

I know of no elegant workaround short of just changing this statement in the apachectl script:

STATUSURL="http://localhost:80/server-status"

If you do edit the script, your changes may get overwritten by an update to the httpd package. It also might trigger an alarm if the customer has file integrity monitoring in place.

TIP: If Apache is on an alternate port (for example, if nginx is on port 80), then the developer may want to browse to the Apache port to troubleshoot their site code with Apache directly (bypassing nginx). Simply direct them to browse to their site, but add the port designation, like http://example.com:8080. Remember to open this port on the firewall or in iptables if needed.
