Shane Rainville
I.T. professional with over a decade of experience, ranging from application development to system & infrastructure administration. He's worked with small startups to large corporate companies, using unique and creative solutions to solve problems.

Overview

Operations teams and system administrators always love having the ability to check the status of their servers. Apache allows us to easily peek under the covers by way of a virtual directory called, as you may have guessed, /server-status.

If you are running a WordPress site, or any other site that uses so-called permalinks by way of htaccess rules, you will discover that the server-status page is inaccessible to you. Instead, you’ll likely receive a 404 error presented by your application.

Example of the Apache Server Status page

 

Analyzing Your HTACCESS Rules

If you look at your HTACCESS rules for handling permalinks, whether in an .htaccess file or within your Apache configuration, you will notice two things. First, the rule is ignored if an existing file matches the request. Second, the rule is ignored if an existing directory matches the request. All other requests will funnel through the index.php file.

# WordPress Permalink rewrites
 RewriteBase /
 RewriteRule ^index\.php$ - [L]
 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteCond %{REQUEST_FILENAME} !-d
 RewriteRule ^(.*)$ /index.php/$1 [L]

 
Now, this becomes a huge problem when attempting to access the Apache virtual directory. Since the directory doesn’t actually exist on your server, your HTACCESS rules will rewrite the request to the index.php file, forever locking you out of the server-status page. That is, unless you instruct your rewrite rules to ignore server-status page requests.


Allowing Access to Server-Status

To prevent htaccess from blocking access to your server-status page, we’ll need to add a new Rewrite Condition.

RewriteCond %{REQUEST_URI} !=/server-status

We would include the condition in our HTACCESS file next to the other two Rewrite Conditions, as seen in the example below.

# WordPress Permalink rewrites
 RewriteBase /
 RewriteRule ^index\.php$ - [L]
 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteCond %{REQUEST_FILENAME} !-d
 RewriteCond %{REQUEST_URI} !=/server-status
 RewriteRule ^(.*)$ /index.php/$1 [L]

 

To apply the changes, restart the Apache service. If you are using .htaccess files, the changes apply automatically.

Enable and Secure the Server Status Page

Now, the server status page presents both a security risk and a privacy issue. If access is granted to everyone, hackers and those with curious minds are able to identify sensitive information about your server. They are also able to monitor who is accessing your server and the requests they’ve sent.

To prevent unauthorized access to the status page, we’ll need to modify the Location block for it in our Apache configuration file. In the example below, we are only permitting individuals coming from IP address 10.200.0.24. A subnet or domain name may also be defined, depending on your needs.

<Location /server-status>
  SetHandler server-status
  Order deny,allow
  Deny from all
  Allow from 10.200.0.24
</Location>

 
Restart the Apache service to apply your changes.
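
To double-check a Location block like the one above before you restart Apache, here is a small Python sketch, added as an example and not part of the original article. It only reads the <Location> blocks in the text it is given and ignores inherited rules, <RequireAll>-style containers and mixed 2.2/2.4 directives; the function names, the /status-open path and the sample text are constructed for illustration.

```python
import re

LOCATION_RE = re.compile(r'<Location\s+"?([^">\s]+)"?\s*>(.*?)</Location>', re.S | re.I)

def classify(lines):  # returns 'open', 'restricted' or 'denied'
    requires = [ln.split()[1:] for ln in lines if ln.startswith("require ")]
    if requires:  # Apache 2.4: bare Require lines are OR-ed together
        if ["all", "granted"] in requires:
            return "open"
        return "denied" if all(r == ["all", "denied"] for r in requires) else "restricted"
    order, allow, deny = "deny,allow", [], []  # 2.2 syntax; deny,allow is the default Order
    for words in (ln.split() for ln in lines):
        if words[0] == "order" and len(words) > 1:
            order = words[1]
        elif words[:2] == ["allow", "from"]:
            allow += words[2:]
        elif words[:2] == ["deny", "from"]:
            deny += words[2:]
    if order == "allow,deny":  # Deny overrides Allow; unmatched clients are denied
        if "all" in deny or not allow:
            return "denied"
        return "open" if "all" in allow else "restricted"
    if "all" in allow or "all" not in deny:  # deny,allow: Allow overrides Deny
        return "open"
    return "restricted" if allow else "denied"

def audit_server_status(conf_text):
    """Return [(path, verdict)] for each <Location> that enables server-status."""
    findings = []
    for path, body in LOCATION_RE.findall(conf_text):
        lines = [ln.strip().lower() for ln in body.splitlines()]
        lines = [ln for ln in lines if ln and not ln.startswith("#")]
        if any(re.match(r"sethandler\s+server-status\b", ln) for ln in lines):
            findings.append((path, classify(lines)))
    return findings

# Constructed sample: the block from this article plus an unrestricted one.
SAMPLE = """
<Location /server-status>
  SetHandler server-status
  Order deny,allow
  Deny from all
  Allow from 10.200.0.24
</Location>
<Location /status-open>
  SetHandler server-status
</Location>
"""
print(audit_server_status(SAMPLE))
```

A verdict of "denied" is worth a second look too: with Order allow,deny, a Deny from all overrides the Allow line and locks out the address you meant to permit.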


© 2014 Shane Rainville