httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Yann Ylavic <ylavic....@gmail.com>
Subject Re: [users@httpd] Block access to "OPTIONS *"
Date Fri, 12 Feb 2016 11:47:13 GMT
On Fri, Feb 12, 2016 at 10:47 AM, Daniel <dferradal@gmail.com> wrote:
> The typical way to block OPTIONS in 2.2 does not need mod_rewrite at all
> IIRC. You just add this in your location/directory:
>         <LimitExcept GET POST>
>                 deny from all
>         </LimitExcept>
>
> and will return 403 if you try OPTIONS method there

That wouldn't work because the replies to OPTIONS requests happen
before in the map_to_storage hook, that is before the authz hooks
(Toomas tried that already).

Will discuss this on dev@, because ISTM that should work with something like:
  <LocationMatch ^>       # matches / and *
    <Limit OPTIONS>
       Deny from all      # 2.2
       Require all denied # 2.4
    </Limit>
  </LocationMatch>

For now I could only make it work with:
  RewriteEngine on
  RewriteOptions AllowAnyURI # for * to be taken into account by mod_rewrite
  RewriteCond %{REQUEST_METHOD} OPTIONS
  RewriteRule ^ - [R=405,L]
  RewriteRule ^[^/] - [R=403,L]
which should be the first rewrite rules for AllowAnyURI to not be
"dangerous" for further rules (if any) failing to match the leading
slash.

Regards,
Yann.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message