httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Joshua Slive" <>
Subject Re: [users@httpd] Deny CONNECT & GET http requests
Date Tue, 19 Jun 2007 23:40:36 GMT
On 6/19/07, Bob <> wrote:

> You are wrong

Really? Interesting.

Well, no actually, I'm not. But it's nice how confident you are about
your knowledge on this issue.

>, my original post showed the CONNECT requests having a 200
> status code which means apache did service them successfully

As I've told you repeatedly, php was almost certainly treating the
CONNECT request just like a GET request. So the CONNECT was not
succeeding in the sense of connecting to a third-party server. It was
simply serving your index.php page.

> My book says a 500 code is a common error when a client calls a flawed
> CGI script.

And this is not the "correct" status code. The correct status code is
403 (forbidden). But as I already said, the status code is not that
important since the robots don't care. (And, in fact, the original 200
status code wasn't really a problem either unless your index.php
script uses up lots of resources. So you could have just left things
as they were.)

> I have read the php manual concerning selecting individual
> methods. I could not find any mention of how to tell php to limit it self to
> only using desired methods.  A link to the php manual where it explains how
> to restrict php to only allow the use of selected methods would go a long
> way to support your view point. Providing a how to fix it post like I did is
> far better then a reply spouting apache dogma. Results are what count here.

I'm not here to win a debate with you. I'm just here to try to help
you understand how your server is working. For php configuration
questions you are better off on a php list. But I have already given
you explicit instructions: "I believe you
can set http.allowed_methods in your php config to the list of methods
php should handle. (GET and POST would be a good basic list.)" This is
documented here:

As I've also already told you, your current config should be fine. But
don't go recommending it to others as the proper solution when there
are many cleaner and safer solutions available (and listed in the


The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message