  • #1935
Closed
Open
Issue created Aug 22, 2020 by James Valleroy (@jvalleroy, Owner)

apache: /server-status page publicly visible through Tor or Pagekite

The /server-status page is only meant to be viewable from localhost. But since Tor onion service and Pagekite connections are treated as local, the page is publicly visible through those. (I only tested Tor, but I assume Pagekite will do the same.)

The issue was reported on IRC, so it is somewhat public knowledge already.

  • Disable mod_status, or require authorization for /server-status location.
  • Make an announcement on the forum, mailing list, and social media with instructions so users running Pagekite or Tor Onion Service can quickly disable mod_status with sudo a2dismod status && sudo systemctl restart apache2.
Edited Aug 26, 2020 by James Valleroy
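
An audit sketch for the misconfiguration described in this issue, added here as an example (it is not FreedomBox's code or its actual fix): it scans Apache configuration text for server-status handlers whose access rule is satisfied by a loopback client, which is what a Tor onion service or Pagekite connection is treated as. The sample stanzas, the function name `audit_status_handlers` and the `/path/to/htpasswd` placeholder are constructed for illustration, and only flat `Require` lines are handled, not `RequireAll`/`RequireNone` containers.

```python
import re

# Constructed sample: a mod_status stanza that trusts any loopback client.
WEAK = """
<Location /server-status>
    SetHandler server-status
    Require local
    #Require ip 192.0.2.0/24
</Location>
"""

# Constructed sample: same handler, but access needs an authenticated user.
HARDENED = """
<Location /server-status>
    SetHandler server-status
    AuthType Basic
    AuthName "status"
    AuthUserFile /path/to/htpasswd
    Require valid-user
</Location>
"""

BLOCK = re.compile(r"<Location\s+(\S+?)>(.*?)</Location>", re.S | re.I)
# Rules that a client connecting from 127.0.0.1 or ::1 satisfies.
LOOPBACK = re.compile(
    r"^(local\b|all\s+granted\b|ip\s+(.*\s)?(127\.|::1)|host\s+(.*\s)?localhost\b)",
    re.I)


def audit_status_handlers(conf_text):
    """Return [(location, rule)] for server-status handlers a loopback client can read."""
    findings = []
    for path, body in BLOCK.findall(conf_text):
        # Skip comment lines so a commented-out directive is not counted.
        lines = [l.strip() for l in body.splitlines()]
        lines = [l for l in lines if l and not l.startswith("#")]
        if not any(re.match(r"SetHandler\s+server-status\b", l, re.I) for l in lines):
            continue
        rules = [l.split(None, 1)[1] for l in lines if re.match(r"Require\s+\S", l, re.I)]
        # Sibling Require lines are OR-ed, so one loopback rule is enough to expose the page.
        findings += [(path, "Require " + r) for r in rules if LOOPBACK.match(r)]
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_status_handlers(conf) or "ok")
```
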