httpd-users mailing list archives

From Marat Khalili <...@rqc.ru>
Subject Re: [users@httpd] Block access to "OPTIONS *"
Date Fri, 12 Feb 2016 13:43:23 GMT
I'm sorry to suggest it without myself testing it first, but are you 
aware of mod_allowmethods?

--

With Best Regards,
Marat Khalili

On 12/02/16 14:47, Yann Ylavic wrote:
> On Fri, Feb 12, 2016 at 10:47 AM, Daniel <dferradal@gmail.com> wrote:
>> The typical way to block OPTIONS in 2.2 does not need mod_rewrite at all
>> IIRC. You just add this in your location/directory:
>>          <LimitExcept GET POST>
>>                  deny from all
>>          </LimitExcept>
>>
>> and will return 403 if you try OPTIONS method there
> That wouldn't work because the replies to OPTIONS requests happen
> before in the map_to_storage hook, that is before the authz hooks
> (Toomas tried that already).
>
> Will discuss this on dev@, because ISTM that should work with something like:
>    # matches / and *
>    <LocationMatch ^>
>      <Limit OPTIONS>
>         # 2.2
>         Deny from all
>         # 2.4
>         Require all denied
>      </Limit>
>    </LocationMatch>
>
> For now I could only make it work with:
>    RewriteEngine on
>    # for * to be taken into account by mod_rewrite
>    RewriteOptions AllowAnyURI
>    RewriteCond %{REQUEST_METHOD} OPTIONS
>    RewriteRule ^ - [R=405,L]
>    RewriteRule ^[^/] - [R=403,L]
> which should be the first rewrite rules for AllowAnyURI to not be
> "dangerous" for further rules (if any) failing to match the leading
> slash.
>
> Regards,
> Yann.
>

