Protect apache2 server-status handler by password
Solution 1:
To allow other hosts, you can just update the line:

    Allow from localhost ip6-localhost

to read:

    Allow from localhost ip6-localhost 1.2.3.4 1.2.3

For the authentication part, you add a block like:

    AuthType Basic
    AuthName "Restricted Files"
    # (Following line optional)
    AuthBasicProvider file
    AuthUserFile /usr/local/apache/passwd/passwords
    Require user rbowen

The passwords file needs to be created using the htpasswd utility. Have a look at this page for more details.
Solution 2:
In the <Location /server-status> stanza, include both the Allow from localhost and authentication directives. The key is to use Satisfy Any to specify that requests from localhost can bypass authentication.
Edit: Explicit example, as requested (it just combines everything that everyone has said so far):
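    <Location /server-status>
        SetHandler server-status
        # Host-based rule: deny everyone, then allow only loopback
        Order deny,allow
        Deny from all
        # Satisfy Any: pass if the host rule OR the login below succeeds
        Satisfy Any
        Allow from localhost ip6-localhost
        # Password rule for every other client
        AuthType basic
        AuthName "Apache status"
        AuthUserFile /etc/apache2/passwd-server-status
        Require valid-user
    </Location>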
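
The same policy in Apache 2.4 syntax, as an added example that is not part of either answer: Order, Allow, Deny and Satisfy are the 2.2 directives, which 2.4 only accepts through mod_access_compat. It assumes mod_authz_core, mod_authz_host, mod_authz_user, mod_auth_basic and mod_authn_file are loaded; the password file path and the 1.2.3.4 placeholder address are reused from the answers above.

```apache
# Apache 2.4 form of "localhost or password" for /server-status.
# Do not mix these with Order/Allow/Deny/Satisfy in the same <Location>.
<Location "/server-status">
    SetHandler server-status

    AuthType Basic
    AuthName "Apache status"
    AuthBasicProvider file
    # Keep this file outside the DocumentRoot and readable only by the
    # account the server runs as; create it with htpasswd.
    AuthUserFile /etc/apache2/passwd-server-status

    # <RequireAny> replaces "Satisfy Any": access is granted as soon as
    # one of the enclosed Require lines matches.
    <RequireAny>
        # Loopback clients (127.0.0.0/8, ::1, or a connection whose client
        # and server address are the same) skip the password prompt.
        Require local

        # Optional: a trusted monitoring host, as in Solution 1
        # (1.2.3.4 is the page's placeholder, not a real address).
        # Require ip 1.2.3.4

        # Every other client must present valid credentials.
        Require valid-user
    </RequireAny>
</Location>

# Caveats:
# - If a reverse proxy on the same machine forwards to this server, every
#   proxied request arrives from loopback and matches "Require local",
#   so it bypasses the password. Drop "Require local" in that layout or
#   restrict /server-status on the proxy.
# - Basic authentication sends the password base64-encoded, not encrypted.
#   Serve this location only from a TLS virtual host.
```

After reloading, a request from another host without credentials should return 401, and the same request with a user from the password file should return 200.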