Revert disable apache2 mod_status instead hardening status.conf.

ScIT-Raphael · ScIT-Raphael · commit 6ebb9e4796ed · 2020-05-21T21:22:20.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,9 +8,8 @@ All notable changes to this project will be documented in this file.
 - Added the ability to set the php cli version per user (using alias).
 - Added support for resolving ip addresses based on geoip database for Awstats
 
-
 ### Bugfixes
-- Disable Apache2 Server Status Module by default.
+- Do not allow to show apache2 server-status page from public.
 - Do not allow to change the password of a non-hestia user. Thanks to Alexandre Zanni!
 - Use sury repository for Apache2 packages.
 - Check whether Nginx, Apache2 and MariaDB are selected for installation prior to adding third party repositories.
diff --git a/install/hst-install-debian.sh b/install/hst-install-debian.sh
@@ -1188,7 +1188,6 @@ if [ "$apache" = 'yes' ]; then
     a2enmod suexec > /dev/null 2>&1
     a2enmod ssl > /dev/null 2>&1
     a2enmod actions > /dev/null 2>&1
-    a2dismod status > /dev/null 2>&1
     if [ "$release" -eq 10 ]; then
         a2enmod mpm_itk > /dev/null 2>&1
     else
@@ -1206,6 +1205,9 @@ if [ "$apache" = 'yes' ]; then
     chmod 640 /var/log/apache2/access.log /var/log/apache2/error.log
     chmod 751 /var/log/apache2/domains
 
+    # Prevent remote access to server-status page
+    sed -i '/Allow from all/d' /etc/apache2/mods-enabled/status.conf
+
     update-rc.d apache2 defaults > /dev/null 2>&1
     systemctl start apache2 >> $LOG
     check_result $? "apache2 start failed"
diff --git a/install/hst-install-ubuntu.sh b/install/hst-install-ubuntu.sh
@@ -1165,7 +1165,6 @@ if [ "$apache" = 'yes' ]; then
     a2enmod ssl > /dev/null 2>&1
     a2enmod actions > /dev/null 2>&1
     a2enmod ruid2 > /dev/null 2>&1
-    a2dismod status > /dev/null 2>&1
     mkdir -p /etc/apache2/conf.d
     mkdir -p /etc/apache2/conf.d/domains
     echo "# Powered by hestia" > /etc/apache2/sites-available/default
@@ -1178,15 +1177,12 @@ if [ "$apache" = 'yes' ]; then
     chmod 640 /var/log/apache2/access.log /var/log/apache2/error.log
     chmod 751 /var/log/apache2/domains
 
-    if [ "$release" != '20.04' ]; then
-        update-rc.d apache2 defaults > /dev/null 2>&1
-        systemctl start apache2 >> $LOG
-        check_result $? "apache2 start failed"
-    fi
-else
-    update-rc.d apache2 disable > /dev/null 2>&1
-    systemctl stop apache2 > /dev/null 2>&1
-fi
+    # Prevent remote access to server-status page
+    sed -i '/Allow from all/d' /etc/apache2/mods-enabled/status.conf
+
+    update-rc.d apache2 defaults > /dev/null 2>&1
+    systemctl start apache2 >> $LOG
+    check_result $? "apache2 start failed"
 
 
 #----------------------------------------------------------#
diff --git a/install/upgrade/versions/latest.sh b/install/upgrade/versions/latest.sh
@@ -7,8 +7,8 @@
 #######################################################################################
 
 if [ -e "/etc/apache2/mods-enabled/status.conf" ]; then
-    echo "(*) Disable Apache2 Server Status Module..."
-    a2dismod status > /dev/null 2>&1
+    echo "(*) Hardening Apache2 Server Status Module..."
+    sed -i '/Allow from all/d' /etc/apache2/mods-enabled/status.conf
 fi
 
 # Add sury apache2 repository
