httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bob" <...@a1poweruser.com>
Subject RE: [users@httpd] Deny CONNECT & GET http requests
Date Tue, 19 Jun 2007 11:03:58 GMT
The replies to my post came back saying that apache defaults to denying
CONNECT requests which I was not able to verify.
That the CONNECT request is some how being spoofed through php  which I was
not able to verify.
My reading of php5 says it accepts all valid methods that apache hands it.
To me this indicates that apache is not denying CONNECT requests by default.
Reading a book I have titled 'Maximum Apache Security' it said to gain
explicit control over the "Methods" use the <Limit> or <LimitExcept>
declaratives with the 'Require valid-user' in the default  <Directory />
definition in the http-conf file.

 So in apache http-conf around line 340 I added the <LimitExcept GET POST>
Declarative like this to the default directory definition so it looks like
this.

<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
    <LimitExcept GET POST>
       Require valid-user
    </LimitExcept>
</Directory>

Now the access log shows this

61.228.120.228 - - [17/Jun/2007:22:42:49 -0400] "CONNECT 66.196.97.250:25
HTTP/1.0" 500 602 "-" "-"

And the error.log shows this

[Sun Jun 17 22:42:49 2007] [crit] [client 61.228.120.228] configuration
error:  couldn't perform authentication. AuthType not set!: /


As you can see the CONNECT request is now being denied with a 500.
The CONNECT requests have been stopped from attacking others.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message