Posted to users@httpd.apache.org by Liu JinGang <li...@cn.fujitsu.com> on 2011/03/29 04:36:03 UTC
[users@httpd] Apache httpd question(emergent)
HTTPD Group:
I'm sorry to trouble you, but I have an emergent question that I couldn't find an answer to. I hope that someone can give me an answer.
I modified my httpd.conf as follows:
TraceEnable Off
<Directory "/opt/web/htroot">
Options FollowSymLinks ExecCGI
AllowOverride all
order allow,deny
allow from all
</Directory>
Then I use httprequest to access the CGI file of "/opt/web/htroot".
I know that HTTP TRACE cannot access the CGI file, but why can DELETE/PUT/HOGE (this HTTP method doesn't exist, like "AAAA"...) access the CGI file?
I really don't understand. About ExecCGI?
-bash-3.2# telnet 169.254.1.80 80
Trying 169.254.1.80...
Connected to 169.254.1.80.
Escape character is '^]'.
PUT /config/shared/web_envpl.cgi HTTP/1.1
HOST: 169.254.1.80
HTTP/1.1 200 OK
Date: Tue, 22 Mar 2011 00:27:50 GMT
Server: Apache
Transfer-Encoding: chunked
Content-Type: text/xml; charset=ISO-8859-1
293
<?xml version="1.0"?>
<webconsole_env List="0,1,2,3,"/>
0
DELETE /config/shared/web_envpl.cgi HTTP/1.1
HOST: 169.254.1.80
HTTP/1.1 200 OK
Date: Tue, 22 Mar 2011 00:27:50 GMT
Server: Apache
Transfer-Encoding: chunked
Content-Type: text/xml; charset=ISO-8859-1
293
<?xml version="1.0"?>
<webconsole_env List="0,1,2,3,"/>
0
HOGE /config/shared/web_envpl.cgi HTTP/1.1
HOST: 169.254.1.80
HTTP/1.1 200 OK
Date: Tue, 22 Mar 2011 00:27:50 GMT
Server: Apache
Transfer-Encoding: chunked
Content-Type: text/xml; charset=ISO-8859-1
293
<?xml version="1.0"?>
<webconsole_env List="0,1,2,3,"/>
0
TRACE /config/shared/web_envpl.cgi HTTP/1.1
HOST: 169.254.1.80
HTTP/1.1 403 Forbidden
Date: Fri, 18 Mar 2011 11:28:34 GMT
Server: Apache
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
e1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>403 Forbidden</TITLE>
</HEAD><BODY>
<H1>Forbidden</H1>
You don't have permission to access /config/shared/web_envpl.cgi
on this server.<P>
</BODY></HTML>
Connection closed by foreign host.
-bash-3.2#
And then if I access the HTML file of "/opt/web/htroot", the result is as follows:
GET, HEAD, and OPTIONS can access the HTML file. I didn't set any
limits except TRACE. Is this the default?
-bash-3.2# telnet 169.254.1.80 80
Trying 169.254.1.80...
Connected to 169.254.1.80.
Escape character is '^]'.
PUT /index.html HTTP/1.1
HOST: 169.254.1.80
HTTP/1.1 405 Method Not Allowed
Date: Tue, 22 Mar 2011 01:07:20 GMT
Server: Apache
Allow: GET, HEAD, OPTIONS
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
e3
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>405 Method Not Allowed</TITLE>
</HEAD><BODY>
<H1>Method Not Allowed</H1>
The requested method PUT is not allowed for the URL /index.html.<P>
</BODY></HTML>
0
Connection closed by foreign host.
-bash-3.2# telnet 169.254.1.80 80
Trying 169.254.1.80...
Connected to 169.254.1.80.
Escape character is '^]'.
DELETE /index.html HTTP/1.1
HOST: 169.254.1.80
HTTP/1.1 405 Method Not Allowed
Date: Tue, 22 Mar 2011 01:08:22 GMT
Server: Apache
Allow: GET, HEAD, OPTIONS
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
e6
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>405 Method Not Allowed</TITLE>
</HEAD><BODY>
<H1>Method Not Allowed</H1>
The requested method DELETE is not allowed for the URL /index.html.<P>
</BODY></HTML>
0
Connection closed by foreign host.
-bash-3.2#
-bash-3.2# telnet 169.254.1.80 80
Trying 169.254.1.80...
Connected to 169.254.1.80.
Escape character is '^]'.
TRACK /index.html HTTP/1.1
HOST: 169.254.1.80
HTTP/1.1 501 Method Not Implemented
Date: Tue, 22 Mar 2011 01:09:29 GMT
Server: Apache
Allow: GET, HEAD, OPTIONS
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
106
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>501 Method Not Implemented</TITLE>
</HEAD><BODY>
<H1>Method Not Implemented</H1>
TRACK to /index.html not supported.<P>
Invalid method in request TRACK /index.html HTTP/1.1<P>
</BODY></HTML>
0
Connection closed by foreign host.
-bash-3.2#
Best regards!
Nacrum
RE: [users@httpd] Apache httpd question(emergent)
Posted by Liu JinGang <li...@cn.fujitsu.com>.
Mark Montague:
Thank you very much !
* I do not know of any document that explains the viewpoint. However, you can observe and test that Apache does not discriminate.
I have tested that Apache does not discriminate.
I also did not find the document that explains the viewpoint, so I want to know if someone has got it.
_____
From: Mark Montague [mailto:mark@catseye.org]
Sent: Wednesday, March 30, 2011 6:48 PM
To: Liu JinGang
Cc: users@httpd.apache.org; 'Eric Covener'
Subject: Re: [users@httpd] Apache httpd question(emergent)
I do not know of any document that explains the viewpoint. However, you can observe and test that Apache does not discriminate.
Also, Apache *will* discriminate if you use the Limit and LimitExcept directives. So you can have either behavior. Since you can have either behavior, I hope a document is not necessary.
I apologize if I do not understand the question.
Then my mail said that:
I hope this helps. Please let me know if I am answering the wrong questions.
==
Thanks! I understand it .
--
Mark Montague
mark@catseye.org
Re: [users@httpd] Apache httpd question(emergent)
Posted by Mark Montague <ma...@catseye.org>.
On March 29, 2011 22:01 , "Liu JinGang" <li...@cn.fujitsu.com> wrote:
>
> As Eric and Mark said, do you have a document or web link that
> explains this viewpoint? (Apache doesn't discriminate between HTTP methods
> when accessing CGI.)
>
I do not know of any document that explains the viewpoint. However, you
can observe and test that Apache does not discriminate.
Also, Apache *will* discriminate if you use the Limit and LimitExcept
directives. So you can have either behavior. Since you can have either
behavior, I hope a document is not necessary.
I apologize if I do not understand the question.
> Then my mail said that:
>
> > And then if I access the HTML file of "/opt/web/htroot", the
> > result is as follows:
>
> > GET, HEAD, and OPTIONS can access the HTML file. I didn't set any
>
> > limits except TRACE. Is this the default?
>
> Why?
>
The default is that all methods are accepted. The purpose of Apache is
to serve web content in response to HTTP requests. So when Apache
receives an HTTP request, it tries to serve the content, unless you tell
Apache not to serve the content or unless there is some problem with the
request.
Your list of methods (above) is not complete. With the configuration
from your first email message, other methods will also be accepted for
accessing the HTML file. For example, the POST method will be accepted
to access the HTML file. I can use the "curl" program to send a POST
request for /index.html on my web server:
curl --data foo=1 --data bar=2 http://f14dev1.catseye.org/index.html
When I run the above command, the request is successful, even though this
is just a static HTML file (no CGI):
2011-03-30T06:40:37.984640-0400 - 172.16.168.128:42060 -
f14dev1.catseye.org:80 "POST /index.html HTTP/1.1" +200/200 876us
265/475/729 pid=1459 "curl/7.21.0 (x86_64-redhat-linux-gnu)
libcurl/7.21.0 NSS/3.12.8.0 zlib/1.2.5 libidn/1.18 libssh2/1.2.4" "-"
(I use a special LogFormat directive, so the log line above is not the
default one that Apache usually uses. But hopefully it is
understandable: "172.16.168.128 contacts f14dev1.catseye.org and makes
the request 'POST /index.html' which succeeds with HTTP status code 200")
I hope this helps. Please let me know if I am answering the wrong
questions.
--
Mark Montague
mark@catseye.org
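The "observe and test" step from the message above, written as a repeatable check (an added example, not part of the original thread). The function names, the verdict labels and the choice to treat any status below 400 as "served" are assumptions of this sketch; the sample statuses are the ones reported in the first post.

```python
import http.client
import sys

# Allowlist from the thread's Limit example (HEAD is implied by GET).
ALLOWED = {"GET", "HEAD", "POST", "OPTIONS"}
# HOGE is the made-up extension method used in the first post.
PROBES = ["GET", "HEAD", "POST", "OPTIONS", "PUT", "DELETE", "TRACE", "HOGE"]

# Constructed sample: statuses the first post reports for the CGI URL.
OBSERVED_CGI = {"PUT": 200, "DELETE": 200, "HOGE": 200, "TRACE": 403}


def http_status(host, port, method, path, timeout=5):
    """Send one request with an arbitrary method token; return the status code."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, path)
        resp = conn.getresponse()
        resp.read()
        return resp.status
    finally:
        conn.close()


def audit(probe, path, allowed=ALLOWED, methods=PROBES):
    """Return (method, status, verdict) rows; probe(method, path) gives a status."""
    rows = []
    for method in methods:
        status = probe(method, path)
        served = 200 <= status < 400  # assumption: anything below 400 was not refused
        if served and method not in allowed:
            verdict = "UNEXPECTED"  # request reached the content or script
        elif not served and method in allowed:
            verdict = "BLOCKED"     # an allowlisted method is being refused
        else:
            verdict = "ok"
        rows.append((method, status, verdict))
    return rows


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: audit.py HOST PATH (a server you administer)
        host, path = sys.argv[1], sys.argv[2]
        rows = audit(lambda m, p: http_status(host, 80, m, p), path)
    else:                   # offline: replay the statuses from the first post
        rows = audit(lambda m, p: OBSERVED_CGI[m],
                     "/config/shared/web_envpl.cgi", methods=list(OBSERVED_CGI))
    for method, status, verdict in rows:
        print(f"{method:8} {status} {verdict}")
```

Run before and after adding Limit/LimitExcept, the PUT, DELETE and HOGE rows should move from UNEXPECTED to ok.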
RE: [users@httpd] Apache httpd question(emergent)
Posted by Liu JinGang <li...@cn.fujitsu.com>.
TO Mark Montague:
CC Eric Covener, Others:
Thanks!
As Eric and Mark said, do you have a document or web link that explains this viewpoint? (Apache doesn't discriminate between HTTP methods when accessing CGI.)
> Apache doesn't know what methods your CGI understands, so it doesn't
> discriminate.
> As Eric said, Apache lets your CGI decide what to do with extension
> method. But if you do not want your CGI to decide, then you can use the
> Limit and LimitExcept directives to tell Apache to only allow certain
> methods.
Then my mail said that:
> And then if I access the HTML file of "/opt/web/htroot", the result is as follows:
> GET, HEAD, and OPTIONS can access the HTML file. I didn't set any
> limits except TRACE. Is this the default?
Why?
Thanks!
> -----Original Message-----
> From: Mark Montague [mailto:mark@catseye.org]
> Sent: Tuesday, March 29, 2011 1:02 PM
> To: users@httpd.apache.org
> Cc: Liu JinGang; 'Eric Covener'
> Subject: Re: [users@httpd] Apache httpd question(emergent)
>
> On March 28, 2011 23:22 , "Liu JinGang" <li...@cn.fujitsu.com> wrote:
> >> Apache doesn't know what methods your CGI understands, so it doesn't
> >> discriminate.
> > Thanks!
> > As you say, I can get the result that:
> > CGI is executable by a method that does not exist.
> > And then do you have a document or web link that explains this viewpoint?
> > (I didn't find it, but I need to show it to the customer.)
>
> RFC 2616 defines the HTTP 1.1 protocol. Section 5.1.1 says that web
> browsers or web servers are allowed to invent new methods
> ("extension-method"). The document is http://www.ietf.org/rfc/rfc2616.txt
>
> As Eric said, Apache lets your CGI decide what to do with extension
> method. But if you do not want your CGI to decide, then you can use the
> Limit and LimitExcept directives to tell Apache to only allow certain
> methods.
>
> Here is an example for restricting CGI to only GET, HEAD, POST, and
> OPTIONS methods. (Notes: Allowing GET automatically allows HEAD.
> Also, you still need "TraceEnable Off" because Limit and LimitExcept do
> not affect TRACE.)
>
> TraceEnable Off
> <Directory "/opt/web/htroot">
> Options FollowSymLinks ExecCGI
> AllowOverride all
> order allow,deny
> <Limit GET POST OPTIONS>
> allow from all
> </Limit>
> <LimitExcept GET POST OPTIONS>
> deny from all
> </LimitExcept>
> </Directory>
>
>
> For more information about Limit and LimitExcept directives, see:
>
> http://httpd.apache.org/docs/2.2/mod/core.html#limit
> http://httpd.apache.org/docs/2.2/mod/core.html#limitexcept
>
> --
> Mark Montague
> mark@catseye.org
Re: [users@httpd] Apache httpd question(emergent)
Posted by Mark Montague <ma...@catseye.org>.
On March 28, 2011 23:22 , "Liu JinGang" <li...@cn.fujitsu.com> wrote:
>> Apache doesn't know what methods your CGI understands, so it doesn't
>> discriminate.
> Thanks!
> As you say, I can get the result that:
> CGI is executable by a method that does not exist.
> And then do you have a document or web link that explains this viewpoint? (I didn't find it, but I need to show it to the customer.)
RFC 2616 defines the HTTP 1.1 protocol. Section 5.1.1 says that web
browsers or web servers are allowed to invent new methods
("extension-method"). The document is http://www.ietf.org/rfc/rfc2616.txt
As Eric said, Apache lets your CGI decide what to do with extension
method. But if you do not want your CGI to decide, then you can use the
Limit and LimitExcept directives to tell Apache to only allow certain
methods.
Here is an example for restricting CGI to only GET, HEAD, POST, and
OPTIONS methods. (Notes: Allowing GET automatically allows HEAD.
Also, you still need "TraceEnable Off" because Limit and LimitExcept do
not affect TRACE.)
TraceEnable Off
<Directory "/opt/web/htroot">
    Options FollowSymLinks ExecCGI
    AllowOverride all
    order allow,deny
    <Limit GET POST OPTIONS>
        allow from all
    </Limit>
    <LimitExcept GET POST OPTIONS>
        deny from all
    </LimitExcept>
</Directory>
For more information about Limit and LimitExcept directives, see:
http://httpd.apache.org/docs/2.2/mod/core.html#limit
http://httpd.apache.org/docs/2.2/mod/core.html#limitexcept
--
Mark Montague
mark@catseye.org
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
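The other option named in the message above, letting the CGI itself decide, shown as an added example (not code from the thread or from the Apache project). It assumes a Python CGI script; the names IMPLEMENTED, RFC2616_METHODS and respond are hypothetical, and the 405/501 split mirrors the statuses Apache returned for the static file in the first post.

```python
#!/usr/bin/env python3
import os
import sys

# Methods this script implements; same set as the Limit example in the thread.
IMPLEMENTED = ("GET", "HEAD", "POST", "OPTIONS")
# Methods defined by RFC 2616 section 5.1.1; any other token is an extension-method.
RFC2616_METHODS = ("OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT")


def respond(environ):
    """Return the full CGI response (headers, blank line, body) as a string."""
    # The server passes the request method to a CGI in REQUEST_METHOD.
    method = environ.get("REQUEST_METHOD", "")
    allow = "Allow: " + ", ".join(IMPLEMENTED) + "\r\n"
    if method not in IMPLEMENTED:
        # Known-but-unsupported gets 405; unknown tokens such as HOGE get 501.
        status = ("405 Method Not Allowed" if method in RFC2616_METHODS
                  else "501 Not Implemented")
        # Only fixed strings go into the response; the method token is not echoed.
        return ("Status: " + status + "\r\n" + allow +
                "Content-Type: text/plain\r\n\r\n" + status + "\r\n")
    head = "Content-Type: text/plain\r\n"
    if method == "OPTIONS":
        return head + allow + "\r\n"
    # HEAD gets the same headers as GET but no body.
    return head + "\r\n" if method == "HEAD" else head + "\r\n" + "ok\n"


if __name__ == "__main__":
    sys.stdout.write(respond(os.environ))
```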
RE: [users@httpd] Apache httpd question(emergent)
Posted by Liu JinGang <li...@cn.fujitsu.com>.
Eric Covener:
> Apache doesn't know what methods your CGI understands, so it doesn't
> discriminate.
Thanks!
As you say, I can get the result that:
CGI is executable by a method that does not exist.
And then do you have a document or web link that explains this viewpoint? (I didn't find it, but I need to show it to the customer.)
> -----Original Message-----
> From: Eric Covener [mailto:covener@gmail.com]
> Sent: Tuesday, March 29, 2011 10:39 AM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Apache httpd question(emergent)
>
> > I know that HTTP TRACE cannot access the CGI file, but why can DELETE/PUT/HOGE
> > (this HTTP method doesn't exist, like "AAAA"...) access the CGI file?
> >
> > I really don't understand. About ExecCGI ?
>
> Apache doesn't know what methods your CGI understands, so it doesn't
> discriminate.
>
Re: [users@httpd] Apache httpd question(emergent)
Posted by Eric Covener <co...@gmail.com>.
> I know that HTTP TRACE cannot access the CGI file, but why can DELETE/PUT/HOGE
> (this HTTP method doesn't exist, like "AAAA"...) access the CGI file?
>
> I really don't understand. About ExecCGI ?
Apache doesn't know what methods your CGI understands, so it doesn't
discriminate.