What is the Apache mod_info Module Used For?

The mod_info module in the Apache HTTP Server provides a comprehensive, server-generated overview of the server’s configuration. By accessing a specific web address configured by the administrator, users can view a detailed breakdown of active module settings, hooks, directives, and server build information. This article explores the purpose of mod_info, how it functions, how to configure it, and the essential security considerations to keep in mind when using it.

Core Purpose and Functionality

The primary purpose of mod_info is to assist system administrators in troubleshooting and auditing their web server configurations. Instead of manually digging through multiple configuration files (like httpd.conf or apache2.conf) and included directories, mod_info centralizes this data into a single, easily readable HTML page.

When a request is made to the configured location, the module extracts the current running state of the server. The generated report typically includes:

How to Configure mod_info

To use mod_info, the module must first be enabled in the Apache configuration, and its handler must be mapped to a URL path with access to that path restricted or granted explicitly.

Below is a standard example of how to configure the module within your Apache configuration file:

<Location "/server-info">
    SetHandler server-info
    Require local
</Location>

In this setup, the SetHandler server-info directive instructs Apache to use the mod_info module to handle requests sent to the /server-info URL path.

Important Security Considerations

Because mod_info reveals the exact blueprint of your web server configuration, it poses a significant security risk if left exposed to the public internet. Malicious actors could use the information disclosed—such as specific module versions or internal path structures—to identify potential vulnerabilities in your system.

To secure the module, always restrict access to trusted entities. The Require local directive used in the configuration example ensures that only requests originating from the server itself (localhost) can view the page. If remote administrative access is required, you should restrict access to specific, secure IP addresses or enforce strong user authentication.
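To audit an existing configuration for this exposure, the following added example (not part of the original article or of the Apache project) scans configuration text for Location blocks handled by server-info and classifies their Require lines. The sample configuration, its paths, and the verdict labels are constructed for illustration; the check is a heuristic and does not evaluate nested RequireAll/RequireAny containers or inherited access rules.

```python
import re

# Constructed sample config for illustration; the paths are made up.
SAMPLE_CONF = """
<Location "/server-info">
    SetHandler server-info
    Require local
</Location>
<Location "/info-open">
    SetHandler server-info
    Require all granted
</Location>
<Location /info-bare>
    SetHandler server-info
</Location>
"""
OPEN = re.compile(r'^\s*<Location(?:Match)?\s+"?([^">]+?)"?\s*>', re.I)
CLOSE = re.compile(r'^\s*</Location(?:Match)?\s*>', re.I)
HANDLER = re.compile(r'^\s*SetHandler\s+"?server-info"?\s*$', re.I)
REQUIRE = re.compile(r'^\s*Require\s+(.+?)\s*$', re.I)

def classify(requires):
    """Heuristic verdict for the Require lines found in one block."""
    rules = [" ".join(r.lower().split()) for r in requires]
    if not rules:
        return "no-require"   # access is inherited from elsewhere: review
    if "all granted" in rules:
        return "exposed"      # flat Require lines are OR-ed (RequireAny)
    if all(r == "local" for r in rules):
        return "local-only"
    return "restricted"       # ip / host / valid-user: verify by hand

def audit_server_info(conf_text):
    """Return {path: verdict} for each Location block served by mod_info."""
    findings, path, is_info, requires = {}, None, False, []
    for line in conf_text.splitlines():
        if (m := OPEN.match(line)):
            path, is_info, requires = m.group(1), False, []
        elif CLOSE.match(line):
            if path is not None and is_info:
                findings[path] = classify(requires)
            path = None
        elif path is not None and HANDLER.match(line):
            is_info = True
        elif path is not None and (r := REQUIRE.match(line)):
            requires.append(r.group(1))
    return findings
```

A verdict of "exposed" or "no-require" means the block needs manual review against the restrictions described above.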