I want to install New Relic on my server to monitor httpd.
When I run curl -I http://localhost/server-status 2>/dev/null | head -n 1, I get HTTP/1.1 301.
One of the requirements for New Relic to work is to get HTTP/1.1 200. I have installed the OWASP module as well, and I think that might be causing the issue.
This is my Apache config:
<IfModule mod_headers.c>
    Header always set Content-Security-Policy "upgrade-insecure-requests;"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-XSS-Protection "1; mode=block"
</IfModule>
<VirtualHost *:80>
    ServerName domain.tld
    Redirect permanent / domain.tld
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =domain.tld
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
    <Location /server-status>
        SetHandler server-status
        Order allow,deny
        Deny from all
        Allow from domain.tld
    </Location>
</VirtualHost>
<VirtualHost *:443>
    ServerName domain.tld
    SSLEngine on
    SSLProtocol TLSv1 TLSv1.1 TLSv1.2
    Header always set Strict-Transport-Security "max-age=15768000"
    ErrorLog /var/log/apache2/domain.error.log
    CustomLog /var/log/apache2/domain.access.log combined
    <Location / >
        ProxyPass http://127.0.0.1:8080/
        ProxyPassReverse http://127.0.0.1:8080/
        ProxyPreserveHost On
        Require all granted
    </Location>
    <Location /icer/ >
        ProxyPass http://10.160.0.6:8080/icer/
        ProxyPassReverse http://10.160.0.6:8080/icer/
        ProxyPreserveHost On
        Require all granted
    </Location>
    LogLevel debug
    SSLCertificateFile /etc/letsencrypt/live/domain.tld/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/domain.tld/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
</VirtualHost>
If someone could guide me or help me in some way or the other I would really appreciate it.
....but you've not shown us any config for localhost. What you have shown is a set of redirect rules which will mean that http://domain.tld/server-status is not accessible.
Either:
Move your server-status block to the TLS vhost and add some access control rules to prevent remote access.
Or:
Add a new vhost listening on 127.0.0.1 only and ServerName 'localhost' with the server-status definition in it but don't put in the redirect rules.
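
A sketch of the second option, added here as an example and not part of the original answer. It assumes Apache 2.4 syntax, that mod_status is loaded, and that Apache already listens on port 80; the address-specific vhost is chosen over the `*:80` one for connections arriving on 127.0.0.1.

```apache
# Added example (not from the original posts): loopback-only vhost for mod_status.
# Assumptions: Apache 2.4, mod_status loaded, an existing "Listen 80" that covers 127.0.0.1.
<VirtualHost 127.0.0.1:80>
    ServerName localhost

    # Deliberately no Redirect / RewriteRule in this vhost, so a request for
    # http://localhost/server-status is served directly instead of being
    # answered with a 301 to HTTPS.
    <Location "/server-status">
        SetHandler server-status
        # Only clients connecting from the loopback interface may read the
        # status page; this replaces the 2.2-style Order/Deny/Allow lines.
        Require local
    </Location>
</VirtualHost>
```

After a config test and reload, the curl check from the question should be served by this vhost rather than by the redirecting `*:80` vhost.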