October 11, 2015
Last updated: March 12, 2016
Apache HTTP Server: Disable server-status at Onion Services
If the Apache HTTP Server hosts a website behind a Tor Onion Service and the Tor process runs on the same machine, the requests for the web server arrive via the loopback network interface. That is a problem, because by default Apache allows access to the page /server-status from loopback addresses: the status module (mod_status) ships with a "Require local" rule, which matches 127.0.0.0/8 and ::1, i.e. exactly the source address of every request relayed by Tor. This page shows statistics about the web server, and in the worst case it can leak your real IP address, for example through the server's configured hostname or listening address. It also lists the URLs that are currently being accessed, including ones that might be hidden behind some form of authentication.
I’ve seen forum threads where people were having fun listing Onion Services which allow access to server-status. Some of these sites are actually leaking their real IP addresses.
In Debian, you can disable this "feature" by executing
a2dismod status and
service apache2 restart. Afterwards, a request for http://127.0.0.1/server-status from the machine itself (for example with curl) must no longer return a 200 status page. Since the configuration files for the Apache HTTP Server vary greatly among the distros, I can't provide a guide for every distro out there. Just disable the status module and restart the server.
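The following shell script is an added example, not part of the original post. It audits a Debian-style Apache configuration tree (mods-available/ and mods-enabled/ under a directory that is assumed to be /etc/apache2 on a real host) for exactly the exposure described above: mod_status enabled and its status.conf granting access from loopback. The fixture it builds is constructed here to mirror the Debian default, so the audit can be run offline; fixture_disable_status only imitates what a2dismod status does to the symlinks and is not a replacement for running a2dismod on a real server.

```shell
#!/bin/sh
# Added example (not from the original post): offline audit for an exposed
# /server-status page in a Debian-style Apache config tree.
# CONFDIR is assumed to be /etc/apache2 on a real host.

# Is mod_status loaded? On Debian, a2enmod creates mods-enabled/status.load.
status_module_enabled() {
    confdir="$1"
    [ -e "$confdir/mods-enabled/status.load" ]
}

# Does the enabled status.conf grant access from loopback addresses?
# Debian's default is "Require local", which matches 127.0.0.0/8 and ::1,
# i.e. exactly where Tor delivers onion-service requests from.
# Only status.conf is inspected; overrides elsewhere are not followed.
status_allows_loopback() {
    confdir="$1"
    conf="$confdir/mods-enabled/status.conf"
    [ -e "$conf" ] || return 1
    grep -Eiq '^[[:space:]]*Require[[:space:]]+(local|ip[[:space:]]+(127\.|::1))' "$conf"
}

# Prints EXPOSED when /server-status would answer requests relayed by Tor,
# OK otherwise. The return status mirrors the verdict (0 = OK, 1 = EXPOSED).
audit_server_status() {
    confdir="${1:-/etc/apache2}"
    if status_module_enabled "$confdir" && status_allows_loopback "$confdir"; then
        echo "EXPOSED: mod_status enabled and $confdir/mods-enabled/status.conf allows loopback"
        return 1
    fi
    echo "OK: /server-status is not reachable from loopback"
    return 0
}

# Constructed fixture mimicking the Debian default layout, for offline runs.
make_fixture() {
    dir="$1"
    mkdir -p "$dir/mods-available" "$dir/mods-enabled"
    printf 'LoadModule status_module /usr/lib/apache2/modules/mod_status.so\n' \
        > "$dir/mods-available/status.load"
    cat > "$dir/mods-available/status.conf" <<'EOF'
<IfModule mod_status.c>
    <Location /server-status>
        SetHandler server-status
        Require local
    </Location>
    ExtendedStatus On
</IfModule>
EOF
    ln -sf ../mods-available/status.load "$dir/mods-enabled/status.load"
    ln -sf ../mods-available/status.conf "$dir/mods-enabled/status.conf"
}

# Imitates the effect of "a2dismod status" on the fixture (removes the two
# symlinks). On a real host run: a2dismod status && service apache2 restart
fixture_disable_status() {
    rm -f "$1/mods-enabled/status.load" "$1/mods-enabled/status.conf"
}

# Usage: sh audit.sh --demo   (audits a fixture before and after disabling)
#        sh audit.sh          (defines the functions only; source it to audit
#                              /etc/apache2 with: audit_server_status)
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_fixture "$tmp"
    audit_server_status "$tmp" || true   # EXPOSED: ...
    fixture_disable_status "$tmp"
    audit_server_status "$tmp"           # OK: ...
    rm -rf "$tmp"
fi
```

On a live server, run audit_server_status without arguments (defaults to /etc/apache2) and, after disabling the module and restarting Apache, confirm with curl that http://127.0.0.1/server-status no longer returns 200.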