On Wed, Jun 23, 2010 at 12:09 PM, William A. Rowe Jr. <[email protected]> wrote:
> On 6/23/2010 10:49 AM, Jim Jagielski wrote:
>>
>> On Jun 21, 2010, at 1:07 PM, Jeff Trawick wrote:
>>
>>> On Mon, Jun 21, 2010 at 8:40 AM, Jim Jagielski <[email protected]> wrote:
>>>> There have been a few reports regarding how server-status "leaks"
>>>> info, mostly about our (the ASF's) open use of server-status and
>>>> how IP addresses are exposed.
>>>>
>>>> I'm thinking about a patch that adjusts server-status/mod_status
>>>> to have a "public vs. private" setting... Public would be to
>>>> have IP addresses exposed as public info; private would be to
>>>> not expose 'em (keep 'em private).
>>>
>>> use mod_sed or similar on apache.org to change the client IP address
>>> field to "?"
>>
>> True... so I'm guessing this means that the patch would
>> be unacceptable?
>
> If it's an obfuscation (truncated hash of IP?) that lets the admin/users
> see that one individual is tying up 10 connections, I don't think it's
> a bad idea to patch (mod_sed isn't going to do that effectively). +/-0
> on patching to disable the field entirely.
>
admins can set up unobfuscated /server-status-foo with auth required; if they care about a single client IP tying up n connections, they want to see the IP address too

nearly zero sites want a public server-status page with obfuscated/omitted client IP address; why write new code to handle that?
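The configuration the reply above describes, written out as an added example (this is not from the thread, from apache.org's config, or from the httpd project): a public /server-status whose client addresses are masked by mod_sed, beside a /server-status-foo that shows the real addresses but requires authentication. It assumes httpd 2.4 authorization syntax and that mod_status, mod_sed, mod_auth_basic, mod_authn_file, mod_authz_user and mod_authz_core are loaded; the location names, the realm name and the htpasswd path are placeholders.

```apache
# Added example, not the project's own configuration. Paths, realm and
# location names are assumptions; mod_status, mod_sed and the basic-auth
# modules are assumed to be loaded.

# Per-connection rows (and therefore the Client column) appear only with
# ExtendedStatus on.
ExtendedStatus On

# Public view: the normal status handler, but mod_sed rewrites anything that
# looks like a dotted-quad IPv4 address to "?" before the page leaves the
# server. Plain BRE only (no \{n,m\} intervals) so it runs on any sed engine.
<Location "/server-status">
    SetHandler server-status
    SetOutputFilter Sed
    OutputSed "s/[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*/?/g"
    Require all granted
</Location>

# Private view: same handler, unfiltered, behind authentication, for the
# admin who needs to see which client is holding n connections.
<Location "/server-status-foo">
    SetHandler server-status
    AuthType Basic
    AuthName "httpd status"
    AuthUserFile "/etc/httpd/status.htpasswd"
    Require valid-user
</Location>
```

Two caveats a practitioner would check before relying on this. The pattern masks IPv4 only; an IPv6 client address would pass through unchanged, and a broad colon-hex pattern cannot be used because it would also hit the clock and timing fields on the same page, so a site with IPv6 clients needs a narrower rewrite. And, as the thread notes, a constant "?" hides who is connected but not how many rows belong to one client; that is exactly the per-client view the masked page cannot give, which is why the authenticated, unfiltered location exists alongside it.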
