Bill Stoddard wrote:

> Playing devil's advocate :-)  mod_status and mod_info should NOT be loaded by
> default.

True.

But even if they aren't, adding them in active <IfModule> sections in 
the default config is too dangerous in my opinion.  Those are 
security-sensitive modules, and there is absolutely no way to know that 
the security policy that we have in the default config is anywhere near 
what is needed by any particular site.  I might be willing to bend a 
little if it was changed to "Allow from 127.0.0.1", but even then, I 
don't think it is a good idea.

Two general points:

- I don't believe that it is a good practice to have the configuration 
of the server changed by simply adding a module.  It should require an 
active change to httpd.conf to change the configuration.  (We violate 
this policy already in some cases; for example, mod_unique_id does its 
work regardless of the config file.)

- <IfModule> sections need to be used very carefully in the default 
config.  They seem to be misunderstood by users.  For example, I see 
many people adding things like
<IfModule mod_rewrite.c>
RewriteEngine On
...
</IfModule>
Sometimes these people don't have mod_rewrite compiled into the server, 
and then instead of getting a useful error message about the directive 
not being understood, the server silently ignores them.

In other words, we are setting a bad example by liberally using 
<IfModule> and we are confusing users.

Joshua
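
An added example, not part of the original message: a small config check that lists directives sitting inside an <IfModule> section whose test is false, which is the case where the server gives no error. The function name, the sample config, and the rule that mod_foo.so corresponds to mod_foo.c are assumptions made for illustration; compiled_in is meant to hold the names printed by `httpd -l`.

```python
import re

# Constructed sample config for illustration (not from the original message).
SAMPLE_CONF = """\
LoadModule status_module modules/mod_status.so
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^/old$ /new [R]
</IfModule>
<IfModule mod_status.c>
SetHandler server-status
</IfModule>
<IfModule !mod_ssl.c>
Listen 80
</IfModule>
"""

OPEN = re.compile(r"<IfModule\s+(!?)([^>\s]+)\s*>", re.I)
CLOSE = re.compile(r"</IfModule\s*>", re.I)
LOAD = re.compile(r"LoadModule\s+(\S+)\s+(\S+)", re.I)

def skipped_directives(conf, compiled_in=()):
    """List (line_no, failed_test, directive) for lines httpd would silently skip."""
    lines = [l.strip() for l in conf.splitlines()]
    present = set(compiled_in)  # e.g. names printed by `httpd -l`
    # Assumption: every LoadModule applies, and mod_foo.so was built from mod_foo.c.
    for line in lines:
        m = LOAD.match(line)
        if m:
            stem = m.group(2).rsplit("/", 1)[-1].rsplit(".", 1)[0]
            present.update({m.group(1), stem + ".c"})
    stack, skipped = [], []
    for no, line in enumerate(lines, 1):
        m = OPEN.match(line)
        if m:
            negated, name = bool(m.group(1)), m.group(2)
            stack.append((m.group(1) + name, (name in present) != negated))
        elif CLOSE.match(line):
            if stack:
                stack.pop()
        elif line and not line.startswith("#"):
            failed = [test for test, active in stack if not active]
            if failed:
                skipped.append((no, failed[0], line))
    return skipped

if __name__ == "__main__":
    for no, test, directive in skipped_directives(SAMPLE_CONF):
        print(f"line {no}: ignored because <IfModule {test}> is false: {directive}")
```
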
