Overview
Operations teams and system administrators always love having the ability to check the status of their servers. Apache allows us to easily peek under the covers by way of a virtual directory called, as you may have guessed, /server-status.
If you are running a WordPress site, or any other site that uses so-called permalinks by way of htaccess rules, you will discover that the server-status page will be inaccessible to you. Instead, you’ll likely receive a 404 error presented by your application.
Analyzing Your HTACCESS Rules
Viewing your HTACCESS rules for handling permalinks, whether in an .htaccess file or within your Apache configuration, you will notice two things. First, the rule is ignored if an existing file matches the request. Second, the rule is ignored if an existing directory matches the request. All other requests will funnel through the index.php file.
    # WordPress Permalink rewrites
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(.*)$ /index.php/$1 [L]
Now, this becomes a huge problem when attempting to access an Apache virtual directory. Since the directory doesn’t actually exist on your server, your HTACCESS rules will rewrite the request to the index.php file, forever locking you out of the server-status page. That is, unless you instruct your rewrite rules to ignore server-status page requests.
Allowing Access to Server-Status
To prevent htaccess from blocking access to your server-status page, we’ll need to add a new Rewrite Condition.
    RewriteCond %{REQUEST_URI} !=/server-status
We would include the condition in our HTACCESS file next to the other two Rewrite Conditions, as seen in the example below.
    # WordPress Permalink rewrites
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    # Skip the rewrite when the request is exactly /server-status
    RewriteCond %{REQUEST_URI} !=/server-status
    RewriteRule ^(.*)$ /index.php/$1 [L]
To apply the changes, restart the Apache service. If you are using .htaccess files, the changes apply automatically.
Enable and Secure the Server Status Page
Now, the server status page presents both a security risk as well as a privacy issue. By granting access to everyone, hackers and those with curious minds are able to identify sensitive information about your server. They are also able to monitor who is accessing your server and any requests they’ve sent.
To prevent unauthorized access to the status page, we’ll need to modify the Location block for it in our Apache configuration file. In the example below, we are only permitting individuals coming from IP address 10.200.0.24. A subnet or domain name may also be defined, depending on your needs.
    <Location /server-status>
        SetHandler server-status
        Order deny,allow
        Deny from all
        Allow from 10.200.0.24
    </Location>
Restart the Apache service to apply your changes.
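To confirm that the status handler really is locked down, the following is an added example (not part of the original article) that scans Apache configuration text for Location blocks enabling server-status and reports whether each one is restricted. It recognises the Order/Deny/Allow form shown above as well as the Apache 2.4 `Require ip` form. The function name and the `/status-24` and `/status-open` paths are hypothetical, and the check assumes a single configuration text: it does not follow Include files, `<RequireAll>`/`<RequireAny>` containers, or access rules inherited from outside the block.

```python
import re

# Constructed sample configuration (not from the original page).
SAMPLE = """
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 10.200.0.24
</Location>
<Location /status-24>
    SetHandler server-status
    Require ip 10.200.0.24
</Location>
<Location /status-open>
    SetHandler server-status   # no access control at all
</Location>
"""

LOCATION_RE = re.compile(r'<Location\s+"?([^\s">]+)"?\s*>(.*?)</Location>', re.I | re.S)

def audit_server_status(conf_text):
    """Return [(path, verdict, sources)] for each <Location> enabling server-status.
    Conservative: a block without a recognised restriction is reported as "open"."""
    findings = []
    for path, body in LOCATION_RE.findall(conf_text):
        # Drop comments and blank lines, collapse whitespace, lowercase.
        lines = [" ".join(l.split("#", 1)[0].split()).lower() for l in body.splitlines()]
        lines = [l for l in lines if l]
        if "sethandler server-status" not in lines:
            continue
        # Apache 2.2 style (mod_access_compat on 2.4): Allow from <source> ...
        allow = [s for l in lines if l.startswith("allow from ") for s in l.split()[2:]]
        # Apache 2.4 style: Require ip|host <source> ..., or Require local
        require = []
        for l in lines:
            parts = l.split()
            if parts[0] == "require" and parts[1:2] in (["ip"], ["host"], ["local"]):
                require += parts[2:] or [parts[1]]
        if "require all granted" in lines or "all" in allow:
            verdict, sources = "open", ["all"]
        elif require:
            verdict, sources = "restricted", require
        elif "deny from all" in lines or "require all denied" in lines:
            verdict, sources = "restricted", allow
        else:
            verdict, sources = "open", []  # no recognised ACL in this block
        findings.append((path, verdict, sources))
    return findings
```

Calling `audit_server_status(SAMPLE)` marks the first two blocks as restricted to 10.200.0.24 and flags `/status-open` as open; any block reported as open deserves a manual look.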