You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by Robert Montgomery <mo...@yahoo.com> on 2008/04/27 13:43:17 UTC

[users@httpd] rejecting non GET/POST methods

Is there a way to tell apache to completely ignore
certain methods, ie, PROPFIND, CCM_POST, CONNECT,
OPTIONS, etc.. (and NOT write those requests to the
log files either!)

I've tried LIMIT & LIMIT EXCEPT directives, but I'm
not sure if they are working (I still see those
requests being logged).

Also, are there any methods other than GET/POST that I
should also consider allowing?  We do nothing fancy,
just typical websites on LAMP platforms, so I know of
no need for any methods other than GET/POST.

Many Thanks,
Rob



      ____________________________________________________________________________________
Be a better friend, newshound, and 
know-it-all with Yahoo! Mobile.  Try it now.  http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] rejecting non GET/POST methods

Posted by Robert Montgomery <mo...@yahoo.com>.

Thanks for the feedback Joshua.

I would still see any attacks by the number of
connections in netstat (which I do monitor). But as
you point out, there is still certainly some
justification to continue logging rejected requests. 
If I can use the conditional logging to write rejected
requests to a separate log file, that would be a good
compromise.

Thanks for the tips, I'll check out the conditional
logging.

Best Regards,
Rob


--- Joshua Slive <jo...@slive.ca> wrote:

> On Sun, Apr 27, 2008 at 7:43 AM, Robert Montgomery
> <mo...@yahoo.com> wrote:
> > Is there a way to tell apache to completely ignore
> >  certain methods, ie, PROPFIND, CCM_POST, CONNECT,
> >  OPTIONS, etc.. (and NOT write those requests to
> the
> >  log files either!)
> >
> >  I've tried LIMIT & LIMIT EXCEPT directives, but
> I'm
> >  not sure if they are working (I still see those
> >  requests being logged).
> >
> >  Also, are there any methods other than GET/POST
> that I
> >  should also consider allowing?  We do nothing
> fancy,
> >  just typical websites on LAMP platforms, so I
> know of
> >  no need for any methods other than GET/POST.
> 
> No, you can't completely ignore HTTP requests.
> Apache has to do
> something with them.
> 
> Yes, you can reject those requests using something
> like
> <LimitExcept GET POST>
> Order allow,deny
> Deny from all
> </LimitExcept>
> 
> But be careful where you place this block, since it
> will override any
> other access controls.
> 
> Yes, you can prevent these requests from being
> logged using conditional logging:
>
http://httpd.apache.org/docs/2.2/logs.html#conditional
> But you shouldn't do that. You'll never know if you
> are being attacked
> or if there are some problems with your site
> involving other methods.
> 
> Joshua.
> 
>
---------------------------------------------------------------------
> The official User-To-User support forum of the
> Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for
> more info.
> To unsubscribe, e-mail:
> users-unsubscribe@httpd.apache.org
>    "   from the digest:
> users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail:
> users-help@httpd.apache.org
> 
> 



      ____________________________________________________________________________________
Be a better friend, newshound, and 
know-it-all with Yahoo! Mobile.  Try it now.  http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] rejecting non GET/POST methods

Posted by Joshua Slive <jo...@slive.ca>.

On Sun, Apr 27, 2008 at 7:43 AM, Robert Montgomery <mo...@yahoo.com> wrote:
> Is there a way to tell apache to completely ignore
>  certain methods, ie, PROPFIND, CCM_POST, CONNECT,
>  OPTIONS, etc.. (and NOT write those requests to the
>  log files either!)
>
>  I've tried LIMIT & LIMIT EXCEPT directives, but I'm
>  not sure if they are working (I still see those
>  requests being logged).
>
>  Also, are there any methods other than GET/POST that I
>  should also consider allowing?  We do nothing fancy,
>  just typical websites on LAMP platforms, so I know of
>  no need for any methods other than GET/POST.

No, you can't completely ignore HTTP requests. Apache has to do
something with them.

Yes, you can reject those requests using something like
<LimitExcept GET POST>
Order allow,deny
Deny from all
</LimitExcept>

But be careful where you place this block, since it will override any
other access controls.

Yes, you can prevent these requests from being logged using conditional logging:
http://httpd.apache.org/docs/2.2/logs.html#conditional
But you shouldn't do that. You'll never know if you are being attacked
or if there are some problems with your site involving other methods.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org