Posted to users@httpd.apache.org by Robert Montgomery <mo...@yahoo.com> on 2008/04/27 13:43:17 UTC
[users@httpd] rejecting non GET/POST methods
Is there a way to tell Apache to completely ignore
certain methods, i.e., PROPFIND, CCM_POST, CONNECT,
OPTIONS, etc. (and NOT write those requests to the
log files either!)
I've tried LIMIT & LIMIT EXCEPT directives, but I'm
not sure if they are working (I still see those
requests being logged).
Also, are there any methods other than GET/POST that I
should also consider allowing? We do nothing fancy,
just typical websites on LAMP platforms, so I know of
no need for any methods other than GET/POST.
Many Thanks,
Rob
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] rejecting non GET/POST methods
Posted by Robert Montgomery <mo...@yahoo.com>.
Thanks for the feedback Joshua.
I would still see any attacks by the number of
connections in netstat (which I do monitor). But as
you point out, there is still certainly some
justification to continue logging rejected requests.
If I can use the conditional logging to write rejected
requests to a separate log file, that would be a good
compromise.
Thanks for the tips, I'll check out the conditional
logging.
Best Regards,
Rob
--- Joshua Slive <jo...@slive.ca> wrote:
> On Sun, Apr 27, 2008 at 7:43 AM, Robert Montgomery
> <mo...@yahoo.com> wrote:
> > Is there a way to tell Apache to completely ignore
> > certain methods, i.e., PROPFIND, CCM_POST, CONNECT,
> > OPTIONS, etc. (and NOT write those requests to the
> > log files either!)
> >
> > I've tried LIMIT & LIMIT EXCEPT directives, but I'm
> > not sure if they are working (I still see those
> > requests being logged).
> >
> > Also, are there any methods other than GET/POST that I
> > should also consider allowing? We do nothing fancy,
> > just typical websites on LAMP platforms, so I know of
> > no need for any methods other than GET/POST.
>
> No, you can't completely ignore HTTP requests. Apache has to do
> something with them.
>
> Yes, you can reject those requests using something like
> <LimitExcept GET POST>
> Order allow,deny
> Deny from all
> </LimitExcept>
>
> But be careful where you place this block, since it will override any
> other access controls.
>
> Yes, you can prevent these requests from being logged using conditional logging:
> http://httpd.apache.org/docs/2.2/logs.html#conditional
> But you shouldn't do that. You'll never know if you are being attacked
> or if there are some problems with your site involving other methods.
>
> Joshua.
Re: [users@httpd] rejecting non GET/POST methods
Posted by Joshua Slive <jo...@slive.ca>.
On Sun, Apr 27, 2008 at 7:43 AM, Robert Montgomery <mo...@yahoo.com> wrote:
> Is there a way to tell Apache to completely ignore
> certain methods, i.e., PROPFIND, CCM_POST, CONNECT,
> OPTIONS, etc. (and NOT write those requests to the
> log files either!)
>
> I've tried LIMIT & LIMIT EXCEPT directives, but I'm
> not sure if they are working (I still see those
> requests being logged).
>
> Also, are there any methods other than GET/POST that I
> should also consider allowing? We do nothing fancy,
> just typical websites on LAMP platforms, so I know of
> no need for any methods other than GET/POST.
No, you can't completely ignore HTTP requests. Apache has to do
something with them.
Yes, you can reject those requests using something like
<LimitExcept GET POST>
Order allow,deny
Deny from all
</LimitExcept>
But be careful where you place this block, since it will override any
other access controls.
Yes, you can prevent these requests from being logged using conditional logging:
http://httpd.apache.org/docs/2.2/logs.html#conditional
But you shouldn't do that. You'll never know if you are being attacked
or if there are some problems with your site involving other methods.
Joshua.
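
The compromise discussed in this thread (reject everything except GET/POST, but still record the rejected requests, in a separate file), written out as an added example; it is not from either poster. The directory path, the log file names and the allowed_method variable name are assumptions, and "combined" is assumed to be the LogFormat nickname defined in the stock httpd.conf.

```apache
# Added example, Apache 2.2 syntax to match the thread.
# Paths, log names and the variable name are assumptions.

# Flag the methods the site actually serves. HEAD is listed because
# <LimitExcept GET POST> lets HEAD through as well (GET covers HEAD).
SetEnvIf Request_Method "^(GET|HEAD|POST)$" allowed_method

# Normal traffic goes to the usual access log ...
CustomLog logs/access_log combined env=allowed_method
# ... and every other method is still recorded, in its own file, so
# requests using PROPFIND, CONNECT, OPTIONS and so on stay visible.
CustomLog logs/other_methods_log combined env=!allowed_method

# Reject everything except GET (and HEAD) and POST.
# Placement matters (see the caution in the reply above): inside this
# <Directory> the block applies to that tree only.
<Directory "/var/www/html">
    <LimitExcept GET POST>
        Order allow,deny
        Deny from all
        # On Apache 2.4 the two lines above become: Require all denied
    </LimitExcept>
</Directory>

# TRACE cannot be restricted with <Limit>/<LimitExcept>; it has its
# own directive.
TraceEnable off
```

Rejected requests still appear in other_methods_log with their 403 status, which keeps the evidence Joshua warns against discarding while leaving the main access log limited to the methods the site serves.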