Skip to content

server-info/.github

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
 
 
 
 

Repository files navigation

/server-info

Server Version:  GitHub.com (Linux)
Server MPM:      event
Server Built:    When you weren't looking
Current Time:    Right now, your local time
Restart Time:    Never, by design

Notice:
  This endpoint would normally hand a stranger your entire
  server configuration. By design, on this domain, it does not.

What this account is

If you typed github.com/server-info hoping to find a juicy GitHub internals page — sorry, and also, you're welcome. GitHub does not expose a mod_info endpoint. It would be a very bad day for everyone if it did.

This account exists to give a friendly nudge to anyone running Apache on the open internet: mod_info is a debugging tool, not a public endpoint. Every repo here is a file or path that should never be reachable through a browser. Each one has a README walking through what the file is, how it leaks, and how to make sure the real version on your server returns a polite 403.

Loaded modules

Module Repo What it leaks
mod_access .htaccess Per-directory Apache configuration
mod_auth .htpasswd Usernames and password hashes

More to come. If there's a path on the internet that gets scanned a million times a day and shouldn't, it probably belongs here.

Check your own server right now

From a machine that isn't your server:

curl -I https://your-domain.example/server-info
curl -I https://your-domain.example/server-status

A 403 or 404 is the right answer. Anything else is your weekend.

The fix, in case you need it, is one <Location> block:

<Location "/server-info">
    SetHandler server-info
    Require ip 127.0.0.1
    Require ip ::1
</Location>

Repeat for /server-status. Reload Apache. Re-run the curl. Sleep better.

Why this exists

/server-info and /server-status sit in the top tier of internet-wide scanned endpoints. The configurations that leave them open are almost always inherited — a tutorial from 2014, a forgotten staging vhost, a LoadModule info_module line that nobody dared remove. The fix takes thirty seconds. The cost of not fixing it is a stranger reading your entire Apache configuration over a cup of tea, and then your .htpasswd, and then your database.

If this account got you to run curl -I against your own domain this afternoon, it did its job.


A public-interest curiosity. Not affiliated with GitHub, the Apache Software Foundation, or any project referenced here. Issues and PRs welcome on individual repos.

About

No description, website, or topics provided.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

 
 
 

Contributors