httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Joshua Slive" <jos...@slive.ca>
Subject Re: [users@httpd] rejecting non GET/POST methods
Date Sun, 27 Apr 2008 12:42:32 GMT
On Sun, Apr 27, 2008 at 7:43 AM, Robert Montgomery <mogtnomr@yahoo.com> wrote:
> Is there a way to tell apache to completely ignore
>  certain methods, ie, PROPFIND, CCM_POST, CONNECT,
>  OPTIONS, etc.. (and NOT write those requests to the
>  log files either!)
>
>  I've tried LIMIT & LIMIT EXCEPT directives, but I'm
>  not sure if they are working (I still see those
>  requests being logged).
>
>  Also, are there any methods other than GET/POST that I
>  should also consider allowing?  We do nothing fancy,
>  just typical websites on LAMP platforms, so I know of
>  no need for any methods other than GET/POST.

No, you can't completely ignore HTTP requests. Apache has to do
something with them.

Yes, you can reject those requests using something like
<LimitExcept GET POST>
Order allow,deny
Deny from all
</LimitExcept>

But be careful where you place this block, since it will override any
other access controls.

Yes, you can prevent these requests from being logged using conditional logging:
http://httpd.apache.org/docs/2.2/logs.html#conditional
But you shouldn't do that. You'll never know if you are being attacked
or if there are some problems with your site involving other methods.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message