Header Shadow Image


Linux: Enable extended httpd status reports in Apache through service: fullstatus

Apache HTTPD is the most popular web server to date.  It's extensible and configurable to meet various needs both small and big.  Here we'll focus on extending it's reporting functionality by enabling full status capability to see more granularity in status reports.  As you probably know, the service on Red Hat Linux systems can be controlled with the service command like this:

  • service httpd restart
  • service httpd stop
  • service httpd start
  • service httpd status (tells if the process is running and reports the PID of the process: nothing else useful is reported)

The configuration httpd parameter above actually refers to a script and can be viewed by editing the file /etc/init.d/httpd using vi, pico, nano or other CLI editors to look up other parameters httpd can be given (ie stop, start, restart, status etc as above).  One of the commands of interest is fullstatus which does not yet come configured out of the box.  Here are the steps to enable it:

  • cat /etc/httpd/conf/httpd.conf|egrep "Location.*\-status"
    # <Location /server-status>
    (Checks if fullstatus has not already been enabled.  A pound (#) before Location above indicates it is disabled)
  • service httpd fullstatus (or apachectl fullstatus )
    Forbidden

     

    You don't have permission to access /server-status on this server.
    .
    .
    (If error is thrown, as above fullstatus has not been enabled)

  • rpm -aq|grep elinks
    elinks-0.12-0.6.pre2.fc10.i386
    (Checks if elinks is installed.  Do this before installing elinks.)
  • yum install elinks
    (IF elinks is NOT installed)
  • rpm -aq|grep elinks
    elinks-0.12-0.6.pre2.fc10.i386
    (To verify installation worked)
  • vi /etc/httpd/conf/httpd.conf
    (Or use pico or nano if you are not comfortable with vi.)
  • Find and uncomment the line ExtendedStatus On (Remove # from start of line)
  • Find and uncomment the following directives.  Change configuration

    From

    #<Location /server-status>
    #   SetHandler server-status
    #    Order deny,allow
    #    Deny from all
    #    Allow from example.com
    #</Location>

    To

    <Location /server-status>
        SetHandler server-status
        Order deny,allow
        Deny from all
        Allow from localhost 127.0.0.1
    </Location>

  • Save the configuration file and exit (In vi type :wq )
  • service httpd restart
    (Restart the httpd service)
  • service httpd fullstatus (or apachectl fullstatus)

The last command should print output similar to the below:

 

                       Apache Server Status for localhost

   Server Version: Apache/2.2.10 (Unix) DAV/2 PHP/5.2.6 Apache/2.2.0 (Fedora)
   mod_perl/2.0.4 Perl/v5.10.0

   Server Built: Oct 21 2008 07:51:36

   --------------------------------------------------------------------------

   Current Time: Wednesday, 14-Jan-2009 01:15:24 EST

   Restart Time: Tuesday, 13-Jan-2009 09:57:34 EST

   Parent Server Generation: 0

   Server uptime: 15 hours 17 minutes 50 seconds

   Total accesses: 13 - Total Traffic: 14 kB

   CPU Usage: u.71 s.09 cu0 cs0 - .00145% CPU load

   .000236 requests/sec - 0 B/second - 1102 B/request

   1 requests currently being processed, 7 idle workers

 ______W_........................................................
 ................................................................
 ................................................................
 ................................................................

   Scoreboard Key:
   "_" Waiting for Connection, "S" Starting up, "R" Reading Request,
   "W" Sending Reply, "K" Keepalive (read), "D" DNS Lookup,
   "C" Closing connection, "L" Logging, "G" Gracefully finishing,
   "I" Idle cleanup of worker, "." Open slot with no current process

Srv PID   Acc  M CPU   SS   Req Conn Child Slot    Client       VHost           Request
0-0 2465 0/2/2 _ 0.43 26995 74  0.0  0.00  0.00 24.102.58.189 127.0.0.1 GET /nonexistenshit
                                                                        HTTP/1.1
1-0 2468 0/2/2 _ 0.00 26995 1   0.0  0.01  0.01 24.102.58.189 127.0.0.1 GET /mail/bin/msgimport
                                                                        HTTP/1.1
2-0 2471 0/2/2 _ 0.00 26994 1   0.0  0.00  0.00 24.102.58.189 127.0.0.1 GET /bin/msgimport
                                                                        HTTP/1.1
3-0 2474 0/2/2 _ 0.37 26994 1   0.0  0.00  0.00 24.102.58.189 127.0.0.1 GET /rc/bin/msgimport
                                                                        HTTP/1.1
                                                                        GET
4-0 2476 0/2/2 _ 0.00 26994 1   0.0  0.00  0.00 24.102.58.189 127.0.0.1 /roundcube/bin/msgimport
                                                                        HTTP/1.1
                                                                        GET
5-0 2478 0/2/2 _ 0.00 26993 1   0.0  0.00  0.00 24.102.58.189 127.0.0.1 /webmail/bin/msgimport
                                                                        HTTP/1.1
6-0 2480 0/1/1 W 0.00 0     0   0.0  0.00  0.00 127.0.0.1     127.0.0.1 GET /server-status
                                                                        HTTP/1.1

   --------------------------------------------------------------------------

    Srv  Child Server number - generation
    PID  OS process ID
    Acc  Number of accesses this connection / this child / this slot
     M   Mode of operation
    CPU  CPU usage, number of seconds
    SS   Seconds since beginning of most recent request
    Req  Milliseconds required to process most recent request
   Conn  Kilobytes transferred this connection
   Child Megabytes transferred this child
   Slot  Total megabytes transferred this slot

   --------------------------------------------------------------------------

    Apache/2.2.0 (Fedora) Server at localhost Port 80

In the above case it caught the popular nonexistenshit scan attempt discussed earlier in Security: Round cube webmail scans spreading on the web: roundcube, msgimport, nonexistenshit and webmail

Cheers!

8 Responses to “Linux: Enable extended httpd status reports in Apache through service: fullstatus”

  1. Hi
    Sorry for my english
    I do that you wrote but now i have error: ELinks: Connection refused
    What shoud I do?

  2. Hey Igor,

    No worries about the English. :)

    When I see that error I think of lot’s of things that could go wrong:

    First and foremost, consider upgrading to the latest version of your http and elinks software. Then, if you still get the error or you couldn’t upgrade:

    What version of elinks and httpd are you running?
    What is your distribution?
    Is the above message printed in one of the HTTP log files in /var/log/httpd/ or when you restart httpd?
    What do you get when you type service httpd fullstatus?
    Are you configuring this through the root account?
    Is there a firewall on your system?
    Where are you running the commands from?

    You could also try the following and mention here what you get:

    # rpm -qf $(which links)
    elinks-0.12-0.13.pre3.fc11.i586
    # links –dump google.com
    .
    .
    .
    #

    OR

    # links –dump [URL that caused you to get Elinks: connection refused]
    .
    .
    .
    #

    AND

    # links –dump http://localhost:80/server-status
    #

    Then load the URL http://localhost:80/server-status into your browser and mention what you get.

    Thanks,
    TK

  3. What version of elinks and httpd are you running?
    - elinks-0.11.1-5.1.0.1.el5
    Apache/2.2.3 (Red Hat)

    What is your distribution?
    - What is it?

    Is the above message printed in one of the HTTP log files in /var/log/httpd/ or when you restart httpd?
    No error

    What do you get when you type service httpd fullstatus?
    ELinks: Connection refused
    ****
    When I type httpd fullstatus, then showed
    Usage: httpd [-D name] [-d directory] [-f file]
    [-C "directive"] [-c "directive"]
    [-k start|restart|graceful|graceful-stop|stop]
    [-v] [-V] [-h] [-l] [-L] [-t] [-S]
    Options:
    -D name : define a name for use in directives
    -d directory : specify an alternate initial ServerRoot
    -f file : specify an alternate ServerConfigFile
    -C “directive” : process directive before reading config files
    -c “directive” : process directive after reading config files
    -e level : show startup errors of level (see LogLevel)
    -E file : log startup errors to file
    -v : show version number
    -V : show compile settings
    -h : list available command line options (this page)
    -l : list compiled in modules
    -L : list available configuration directives
    -t -D DUMP_VHOSTS : show parsed settings (currently only vhost settings)
    -S : a synonym for -t -D DUMP_VHOSTS
    -t -D DUMP_MODULES : show all loaded modules
    -M : a synonym for -t -D DUMP_MODULES
    -t : run syntax check for config files
    ****

    Are you configuring this through the root account?
    Yes

    Is there a firewall on your system?
    Yes, and ssh opend – allowed

    Where are you running the commands from?
    Putty

    You could also try the following and mention here what you get:

    # rpm -qf $(which links)
    elinks-0.12-0.13.pre3.fc11.i586
    # links –dump google.com
    Unabled to retrive file:///root/.dump
    No such file or directory
    AND
    # links –dump http://localhost:80/server-status
    Unabled to retrive file:///root/.dump
    No such file or directory
    #
    Then load the URL http://localhost:80/server-status into your browser and mention what you get.
    No page finded

    But I read that someone say it was of the iptables, where is it?

  4. Looks like you’re running Enterprise Linux 5. That’s also a very odd error message you get from ‘links –dump http://localhost:80/server-status‘.

    Try these as well before you stop the firewall (I dont’ want to suggest that yet as it might be unsafe for you) I was not aware you were running this from putty:

    On the host from putty, try:
    $ lwp-request http://localhost:80/server-status # You should not get 404 Page not found.

    and tell me what you get. If you get a 404 Page not found as it appears could be the case, please review the httpd.conf configuration in the post to ensure you have everything configured correctly.

    If the above lwp-request doesn’t return anything ensure httpd is running properly:

    $ service httpd restart # Make sure no errors are seen.
    $ netstat -apneet|grep http # (Make sure something is returned with LISTEN and httpd appears in it)
    $ lwp-request http://localhost:80/server-status

    Tell me what you get from this command.
    $ cat $(locate httpd.conf|grep httpd.conf$|grep etc)|grep -A 7 “server-status”

    OR (if above doesn’t work)

    $ cat /etc/httpd/conf/httpd.conf|grep -A 7 “server-status”

    If you feel it’s safe to stop your firewall temporarily this is the way to do this (If it’s iptables):

    Stop the firewall
    $ service iptables stop

    Try these again:
    $ netstat -apneet|grep http
    $ lwp-request http://localhost:80/server-status

    Start the firewall
    $ service iptables start

    Good Luck!
    TK

  5. Thanks big
    But me have already adjusted

  6. Glad it worked out for you Igor.

    Cheers!
    TK

  7. i’ve follow your step, but no changes.
    can u help me..please.

  8. Hey AA,

    Sure, however, without much details from you, I’m not sure where you are seeing an issue.

    I would suggest going over the steps above to see if anything didn’t work along the way in your case.

    Thanks,
    Tom K.

Leave a Reply

 

     
  Copyright © 2003 - 2013 Tom Kacperski (microdevsys.com). All rights reserved.

Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 Unported License