Bug#777546: Please don't grant localhost unconditional access to mod_status

To: Jean-Michel Nirgal Vourgère <jmv_deb@nirgal.com>
Cc: 777546@bugs.debian.org
Subject: Bug#777546: Please don't grant localhost unconditional access to mod_status
From: Stefan Fritsch <sf@sfritsch.de>
Date: Tue, 17 Feb 2015 23:56:15 +0100
Message-id: <[🔎] 203461630.Tn4VqosAo7@k>
Reply-to: Stefan Fritsch <sf@sfritsch.de>, 777546@bugs.debian.org
In-reply-to: <[🔎] 54D8E17A.5040105@nirgal.com>
References: <[🔎] 54D8E17A.5040105@nirgal.com>

On Monday 09 February 2015 16:34:02, Jean-Michel Nirgal Vourgère 
wrote:
> What is your opinion on that problem?

That's a valid feature request. But for after jessie.

> Do you see a more generic way to restrict tor incoming connections
> so that it doesn't match "require local" filter?

I don't have the perfect idea right now.

One could configure an additional localhost address like 127.0.0.2, 
make the tor hidden service forward to that ip, and change mod_status' 
config to explicitly require 127.0.0.1. But one still needs to change 
the config because "require local" matches 127.0.0.0/8.

Reply to:

References:
- Bug#777546: Please don't grant localhost unconditional access to mod_status
  - From: Jean-Michel Nirgal Vourgère <jmv_deb@nirgal.com>

Prev by Date: Bug#777717: apache2-mpm-prefork: "Permission denied" on unexistent .htaccess
Next by Date: missing-build-dependency-for-dh-addon apache2 => dh-apache2 instead of apache2-dev
Previous by thread: Bug#777546: Please don't grant localhost unconditional access to mod_status
Next by thread: Bug#773815: Acknowledgement (ssl-cert in wheezy should default to SHA-2-based certs)
Index(es):
- Date
- Thread