Recommend disabling mod_status for anyone running Nextcloud on Apache


Just saw that when mod_status is enabled on Apache going to shows a great deal of information including currently open URL’s (try on your own instance). Would recommend that anyone running Nextcloud on Apache turn off mod_status (a2dismod status).

Maybe this could be added in the server hardening guide here: Hardening and Security Guidance — Nextcloud 12 Server Administration Manual 12 documentation

It’s more like a general advice when running a public web server and most distributions already have it disabled or only allow access from localhost. We could give an even more general advice to disable everything you don’t really need :smiley:

Or you could just place .htaccess there, so you still can access it from your local network or your management machine

Debian does not. Most things one does not need does not show all GET requests. But whatever. Thread closed.

on nc and all my other vhosts i get a 403 on this request - i run mod_status for munin on debian stretch.
i’m not 100% certain this was the default ( i usually double-check), status.conf contains this:
<Location /server-status>
SetHandler server-status
Require local
#Require ip
which makes it inaccessible form "the outside."