Why is the server-status page of Apache not available from localhost by default?

[Snel]

As far as I know the default Apache 2 configuration allows connections from localhost to /server-status.

DirectAdmin2 default configuration contains:

<Location /server-status>
    SetHandler server-status
    AuthType basic
    AuthName "Apache status"
    AuthUserFile /var/www/passwd-server-status
    Require valid-user
</Location>

I would love to see the following default configuration:

<Location /server-status>
    <IfModule mod_rewrite.c>
        RewriteEngine off
    </IfModule>
    SetHandler server-status
    AuthType basic
    AuthName "Apache status"
    AuthUserFile /var/www/passwd-server-status
    <RequireAny>
        Require local
        Require valid-user
    </RequireAny>
</Location>

This would do 2 things:
1. Disable the RewriteEngine on /server-status, this would make sure any other redirection (for example http to https) will not be processed.
2. Make /server-status available without authentication for localhost

Default behaviour will not change and as far as I can see this won't break current functionality and existing setups.

Is there any particular reason why connections from localhost are not allowed by default?

 

[smtalk]

Is there any particular reason why connections from localhost are not allowed by default?

Everyone on the server could check it then, do not you think this is a sensitive information to grant access for all of your customers?

 

[Richard G]

Exactly. I like it how it is for security reasons.

For those who want to use it, it's easy to put an allow line in the httpd-info.conf file and put that in the custom directory so it won't be overwritten.

 

[Snel]

Everyone on the server could check it then, do not you think this is a sensitive information to grant access for all of your customers?

This is actually a very good reason. I'm unsure why I didn't think about this one.

Thank you.