httpd-users mailing list archives

From Spork Schivago <sporkschiv...@gmail.com>
Subject Re: [users@httpd] Block access to "OPTIONS *"
Date Fri, 12 Feb 2016 18:43:02 GMT
I put this:
  RewriteEngine on
  # for * to be taken into account by mod_rewrite
  RewriteOptions AllowAnyURI
  RewriteCond %{REQUEST_METHOD} OPTIONS
  RewriteRule ^ - [R=405,L]
  RewriteRule ^[^/] - [R=403,L]

in my .htaccess file, but when I telnet to mydomain 80 and try the
OPTIONS thing, it's still returning a 200. I also tried the <LimitExcept
GET POST> stuff, but that didn't work either.

On Fri, Feb 12, 2016 at 6:47 AM, Yann Ylavic <ylavic.dev@gmail.com> wrote:

> On Fri, Feb 12, 2016 at 10:47 AM, Daniel <dferradal@gmail.com> wrote:
> > The typical way to block OPTIONS in 2.2 does not need mod_rewrite at all
> > IIRC. You just add this in your location/directory:
> >         <LimitExcept GET POST>
> >                 deny from all
> >         </LimitExcept>
> >
> > and it will return 403 if you try the OPTIONS method there
>
> That wouldn't work because the replies to OPTIONS requests happen
> earlier, in the map_to_storage hook, that is, before the authz hooks
> (Toomas tried that already).
>
> Will discuss this on dev@, because ISTM that should work with something
> like:
>   # matches / and *
>   <LocationMatch ^>
>     <Limit OPTIONS>
>        # 2.2
>        Deny from all
>        # 2.4
>        Require all denied
>     </Limit>
>   </LocationMatch>
>
> For now I could only make it work with:
>   RewriteEngine on
>   # for * to be taken into account by mod_rewrite
>   RewriteOptions AllowAnyURI
>   RewriteCond %{REQUEST_METHOD} OPTIONS
>   RewriteRule ^ - [R=405,L]
>   RewriteRule ^[^/] - [R=403,L]
> which should be the first rewrite rules for AllowAnyURI to not be
> "dangerous" for further rules (if any) failing to match the leading
> slash.
>
> Regards,
> Yann.
>
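
The telnet check described in the message, as an added example that is not part of the original post: it sends the same `OPTIONS *` request to a server you administer and reports whether the reply is a 200 or the 405/403 that the rewrite rules in the thread return. The function names and the sample responses are constructed for illustration.

```python
import socket

# Function names below are this example's own, not part of httpd or the thread.

def build_request(host):
    """Raw asterisk-form request, the same bytes one would type into telnet."""
    return (f"OPTIONS * HTTP/1.1\r\nHost: {host}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")

def parse_response(raw):
    """Return (status_code, headers) from a raw HTTP/1.x response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers

def classify(status, headers):
    """405 and 403 are the codes the rewrite rules in the thread return."""
    if status == 200:
        return "answered: allow=" + headers.get("allow", "(none)")
    if status in (403, 405):
        return f"blocked: {status}"
    return f"other: {status}"

def probe(host, port=80, timeout=5.0):
    """Send OPTIONS * to the given server and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(host))
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return classify(*parse_response(b"".join(chunks)))

# Constructed sample responses (not captured from a real server).
SAMPLE_OPEN = (b"HTTP/1.1 200 OK\r\nAllow: GET,HEAD,POST,OPTIONS\r\n"
               b"Content-Length: 0\r\n\r\n")
SAMPLE_BLOCKED = (b"HTTP/1.1 405 Method Not Allowed\r\n"
                  b"Content-Length: 0\r\nConnection: close\r\n\r\n")

if __name__ == "__main__":
    for sample in (SAMPLE_OPEN, SAMPLE_BLOCKED):
        print(classify(*parse_response(sample)))
```

Running `probe("mydomain")` before and after a configuration change shows whether the change took effect for the server-wide `*` target, which is the case the thread is about.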
