httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jeremy Jones" <jeremy.jo...@pennyphoto.com>
Subject [users@httpd] OPTIONS * not being denied
Date Mon, 13 Oct 2008 15:09:35 GMT
Hi,
Some time ago I noticed a large number of OPTIONS requests coming into my
web servers and clogging my connections, e.g. OPTIONS / HTTP/1.0.

I don't have anything on my sites for which OPTIONS would be appropriate, so
I put this into my default site's .htaccess file:

   <LimitExcept GET POST HEAD>
     Deny from all
   </LimitExcept>



and that seemed to do the trick:


$ telnet ... 80
Trying ...
Connected to ...
Escape character is '^]'.
OPTIONS / HTTP/1.0

HTTP/1.1 403 Forbidden
Date: Mon, 13 Oct 2008 14:59:40 GMT
Server: Apache
Content-Length: 202
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /
on this server.</p>
</body></html>
Connection closed by foreign host.
$



however this afternoon my servers again came under load, and checking the
Apache status pages there were lots of lines like this:



   8-0   -    0/0/102    . 0.00 1  0   0.0  0.00  0.36 ::1
www.mysite.com      OPTIONS * HTTP/1.0




and in checking that I see that although OPTIONS / is denied, OPTIONS * is
allowed:


$ telnet ... 80
Trying ...
Connected to ...
Escape character is '^]'.
OPTIONS * HTTP/1.0

HTTP/1.1 200 OK
Date: Mon, 13 Oct 2008 14:59:47 GMT
Server: Apache
Content-Length: 0
Connection: close
Content-Type: text/plain

Connection closed by foreign host.
$




Could anyone advise me on what this command does or means, and how I can
keep these requests out?

Thanks.

Mime
View raw message