You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Joost de Heer <sa...@xs4all.nl> on 2006/01/11 12:06:27 UTC
[users@httpd] Re: Disabling PUT DELETE and TRACE on Apache?
Emmanuel E wrote:
> Hi,
>
> Is there any way to disable PUT DELETE and TRACE methods on Apache? User
> authentication is one way but then it still allows authenticated users to
> use those methods.
Untested:
RewriteCond %{REQUEST_METHOD} (PUT|DELETE|TRACE)
RewriteRule (.*) - [F]
Joost
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Disabling PUT DELETE and TRACE on Apache?
Posted by Emmanuel E <em...@gmx.net>.
Oh! This is cool. I didnt realise that mod_access would work inside a Limit
directive. I toyed with it for a moment before I was led astray by the
examples highlighting the use of mod_auth.
I just want to be sure I understand this fully.
As per the docs the TRACE method cant be limited, other than by turning off
TraceEnable So I guess I could use the LimitExcept directive and do a
<LimitExcept GET POST>
Order deny,allow
Deny from all
<.LimitExcept>
I am not sure if the above will limit TRACE but then it can be turned off by
TraceEnable, even if its silly to do so :)
----- Original Message -----
From: <ht...@karsites.net>
To: <us...@httpd.apache.org>
Sent: Wednesday, January 11, 2006 9:43 PM
Subject: Re: [users@httpd] Disabling PUT DELETE and TRACE on Apache?
>
> This will do what you want it to, and should apply to the
> whole filesystem, unless you override it somewhere else.
>
> <Directory />
> Options none
> AllowOverride none
> Order deny,allow
> Deny from all
> <Limit PUT DELETE TRACE>
> Order deny,allow
> Deny from all
> </Limit>
> </Directory>
>
>
> Keith Roberts
>
> On Wed, 11 Jan 2006, Joost de Heer wrote:
>
>> To: Emmanuel E <em...@gmx.net>
>> From: Joost de Heer <sa...@xs4all.nl>
>> Subject: [users@httpd] Re: Disabling PUT DELETE and TRACE on Apache?
>>
>> Emmanuel E wrote:
>> > Hi,
>> >
>> > Is there any way to disable PUT DELETE and TRACE methods
>> > on Apache? User authentication is one way but then it
>> > still allows authenticated users to use those methods.
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Disabling PUT DELETE and TRACE on Apache?
Posted by ht...@karsites.net.
This will do what you want it to, and should apply to the
whole filesystem, unless you override it somewhere else.
<Directory />
Options none
AllowOverride none
Order deny,allow
Deny from all
<Limit PUT DELETE TRACE>
Order deny,allow
Deny from all
</Limit>
</Directory>
Keith Roberts
On Wed, 11 Jan 2006, Joost de Heer wrote:
> To: Emmanuel E <em...@gmx.net>
> From: Joost de Heer <sa...@xs4all.nl>
> Subject: [users@httpd] Re: Disabling PUT DELETE and TRACE on Apache?
>
> Emmanuel E wrote:
> > Hi,
> >
> > Is there any way to disable PUT DELETE and TRACE methods
> > on Apache? User authentication is one way but then it
> > still allows authenticated users to use those methods.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Re: Disabling PUT DELETE and TRACE on Apache?
Posted by Emmanuel E <em...@gmx.net>.
Hmm. This seems interesting. Need to read up a lot I guess. Will get back to
this group if I use it and it works.
----- Original Message -----
From: "Joost de Heer" <sa...@xs4all.nl>
To: "Emmanuel E" <em...@gmx.net>
Cc: <us...@httpd.apache.org>
Sent: Wednesday, January 11, 2006 4:36 PM
Subject: [users@httpd] Re: Disabling PUT DELETE and TRACE on Apache?
> Emmanuel E wrote:
>> Hi,
>>
>> Is there any way to disable PUT DELETE and TRACE methods on Apache? User
>> authentication is one way but then it still allows authenticated users to
>> use those methods.
>
> Untested:
>
> RewriteCond %{REQUEST_METHOD} (PUT|DELETE|TRACE)
> RewriteRule (.*) - [F]
>
> Joost
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org