Posted to users@httpd.apache.org by Erich Oliphant <er...@vantixweb.com> on 2003/11/19 20:58:43 UTC
[users@httpd] Limiting HTTP Methods
Hello,
I am trying to limit the methods sent by any client. For example,
I've tried the following to prevent anything other than POSTs or GETs:
<Location />
    <LimitExcept GET POST>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Location>
This is not working (hence this email :)). Any suggestions would be
greatly appreciated.
Erich
Sum Cogito Ergo
I Am Therefore I Think
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
RE: [users@httpd] .htaccess
Posted by Duane Barnes <db...@power1.com>.
Users that are paying for hosting, so we don't have to get involved with
creating those files for every customer.
-----Original Message-----
From: cwalker [mailto:cwalker71@comcast.net]
Sent: Thursday, November 20, 2003 5:13 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] .htaccess
For what purpose?
(It matters for the response)
Chuck
----- Original Message -----
From: "Duane Barnes" <db...@power1.com>
To: <us...@httpd.apache.org>
Sent: Thursday, November 20, 2003 5:06 PM
Subject: [users@httpd] .htaccess
Is there a way to allow ftp users to generate their own .htaccess and
.htpasswd files?
Re: [users@httpd] .htaccess
Posted by cwalker <cw...@comcast.net>.
For what purpose?
(It matters for the response)
Chuck
----- Original Message -----
From: "Duane Barnes" <db...@power1.com>
To: <us...@httpd.apache.org>
Sent: Thursday, November 20, 2003 5:06 PM
Subject: [users@httpd] .htaccess
Is there a way to allow ftp users to generate their own .htaccess and
.htpasswd files?
RE: [users@httpd] .htaccess
Posted by Duane Barnes <db...@power1.com>.
Perfect, just what I was looking for. Thanks!
-----Original Message-----
From: Brian Dessent [mailto:brian@dessent.net]
Sent: Friday, November 21, 2003 10:07 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] .htaccess
Duane Barnes wrote:
>
> How would they go about generating the .htpasswd file?
There are plenty of online forms that you could use that perform the
crypt() function, for example: http://resma.net/tutorials/passwordgen.php
Brian
Re: [users@httpd] .htaccess
Posted by Brian Dessent <br...@dessent.net>.
Duane Barnes wrote:
>
> How would they go about generating the .htpasswd file?
There are plenty of online forms that you could use that perform the
crypt() function, for example:
http://resma.net/tutorials/passwordgen.php
Brian
RE: [users@httpd] .htaccess
Posted by Duane Barnes <db...@power1.com>.
How would they go about generating the .htpasswd file?
-----Original Message-----
From: Darryl Cook [mailto:dlc@cs.appstate.edu]
Sent: Friday, November 21, 2003 8:47 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] .htaccess
why can they not develop them on their client machine and just ftp them
to the server since they have ftp access?
darryl
Duane Barnes wrote:
>Is there a way to allow ftp users to generate their own .htaccess and
>.htpasswd files?
Re: [users@httpd] .htaccess
Posted by Darryl Cook <dl...@cs.appstate.edu>.
why can they not develop them on their client machine and just ftp them
to the server since they have ftp access?
darryl
Duane Barnes wrote:
>Is there a way to allow ftp users to generate their own .htaccess and
>.htpasswd files?
[users@httpd] .htaccess
Posted by Duane Barnes <db...@power1.com>.
Is there a way to allow ftp users to generate their own .htaccess and
.htpasswd files?
Re: [users@httpd] Limiting HTTP Methods
Posted by Geoff Thorpe <ge...@geoffthorpe.net>.
On November 20, 2003 02:42 pm, Joshua Slive wrote:
> I still maintain that encouraging people to do things like this is
> overall harmful to security. It is true that few people make use of
> TRACE (though it does have important uses for diagnostics and
> debugging), so it is not very harmful to disable it. But having
> security professionals waste their time on things like this takes time
> away from real security issues (like making sure all client machines
> are well patched, and auditing cgi/php/java scripts where security
> vulnerabilities are much more likely to live).
And for many "professionals", a few false positives is better than zero
true positives, right? (Particularly when justifying invoices.)
Dumb managers feel that endless diatribes on corporate governance
reporting schemas are "significant value add", just like dumb
administrators feel that endless logs of questionable attack fingerprints
are the hallmarks of a "good audit". Don't forget, these people also tend
to use those shiny virus scanners that reply to blocked email - after
all, how else do you show attackers how secure your network is? This is
the product of a generation of point-and-click ignorance. Thank god for
Dilbert.
<sigh> Still you gotta laugh.
Cheers,
Geoff
--
Geoff Thorpe
geoff@geoffthorpe.net
http://www.geoffthorpe.net/
Re: [users@httpd] Limiting HTTP Methods
Posted by Joshua Slive <jo...@slive.ca>.
On Thu, 20 Nov 2003, Erich Oliphant wrote:
[ Limiting TRACE is pointless. ]
> Interesting reading, thanks.
>
> We're doing this after a security scan of the system. I've informed
> people that it's done but it doesn't really buy them much.
Yes, I guess the scanner makers figure that people won't think they're
getting their money's worth unless they turn up a few vulnerabilities. So
they add every damn thing they can think of, including the pointless ones.
I still maintain that encouraging people to do things like this is overall
harmful to security. It is true that few people make use of TRACE
(though it does have important uses for diagnostics and debugging), so it
is not very harmful to disable it. But having security professionals
waste their time on things like this takes time away from real security
issues (like making sure all client machines are well patched, and
auditing cgi/php/java scripts where security vulnerabilities are much more
likely to live).
Joshua.
Re: [users@httpd] Limiting HTTP Methods
Posted by Erich Oliphant <er...@vantixweb.com>.
Interesting reading, thanks.
We're doing this after a security scan of the system. I've informed
people that it's done but it doesn't really buy them much.
Erich
On Wednesday, November 19, 2003, at 06:02 PM, Joshua Slive wrote:
>
> On Wed, 19 Nov 2003, Kyle Dent wrote:
>
>> On Wed, 19 Nov 2003, Erich Oliphant wrote:
>>
>>> Thanks. Hmm, is there any other way to disable the TRACE method?
>>
>> If you're using mod_rewrite:
>>
>> RewriteCond %{REQUEST_METHOD} ^TRACE
>> RewriteRule .* - [F]
>
> But don't bother. There is no such thing as a "TRACE based attack".
> Check the archives of this list for details. For example,
> http://marc.theaimsgroup.com/?l=apache-httpd-users&m=106209718018381&w=2
>
> Joshua.
Sum Cogito Ergo
I Am Therefore I Think
Re: [users@httpd] Limiting HTTP Methods
Posted by Joshua Slive <jo...@slive.ca>.
On Wed, 19 Nov 2003, Kyle Dent wrote:
> On Wed, 19 Nov 2003, Erich Oliphant wrote:
>
> > Thanks. Hmm, is there any other way to disable the TRACE method?
>
> If you're using mod_rewrite:
>
> RewriteCond %{REQUEST_METHOD} ^TRACE
> RewriteRule .* - [F]
But don't bother. There is no such thing as a "TRACE based attack".
Check the archives of this list for details. For example,
http://marc.theaimsgroup.com/?l=apache-httpd-users&m=106209718018381&w=2
Joshua.
Re: [users@httpd] Limiting HTTP Methods
Posted by Erich Oliphant <er...@vantixweb.com>.
Thanks, I will give that a shot. So no "TRACE off" huh ;)
On Wednesday, November 19, 2003, at 05:22 PM, Kyle Dent wrote:
> On Wed, 19 Nov 2003, Erich Oliphant wrote:
>
>> Thanks. Hmm, is there any other way to disable the TRACE method?
>
> If you're using mod_rewrite:
>
> RewriteCond %{REQUEST_METHOD} ^TRACE
> RewriteRule .* - [F]
>
> Kyle
>
>
>> On Wednesday, November 19, 2003, at 04:46 PM, Aaron Morris wrote:
>>
>>>
>>>
>>> Erich Oliphant wrote:
>>>> I am trying to prevent nastiness such as TRACE based attacks. The
>>>> following short PERL script:
>>>> #!/usr/local/bin/perl -w
>>>> use LWP::UserAgent;
>>>> my $ua = new LWP::UserAgent;
>>>> $ua->agent("AgentName/0.1" . $ua->agent);
>>>> my $req = new HTTP::Request TRACE => "https://<my url...>/";
>>>> my $res = $ua->request($req);
>>>> if ($res->is_success)
>>>> {
>>>> print $res->content;
>>>> }
>>>> else
>>>> {
>>>> print "failed";
>>>> print $res->error_as_HTML;
>>>> }
>>>> Prints the following:
>>>> --
>>>> TRACE / HTTP/1.1
>>>> TE: deflate,gzip;q=0.3
>>>> Connection: TE, close
>>>> Host: <my url ...>
>>>> User-Agent: AgentName/0.1libwww-perl/5.75
>>>> --
>>>> as opposed to "failed" and a "Method Not Allowed" error as I would
>>>> expect. I thought maybe it was an issue with the resolving of my
>>>> various Directory, Location, etc directives but I've tried both
>>>> making this the first and last directive and received the same
>>>> results.
>>>> I will try it on a fresh Apache setup as well to verify that some of
>>>> the preexisting directives are not confusing it.
>>>> On Wednesday, November 19, 2003, at 03:36 PM, Joshua Slive wrote:
>>>>>
>>>>> On Wed, 19 Nov 2003, Erich Oliphant wrote:
>>>>>
>>>>>> Hello,
>>>>>> I am trying to limit the methods sent by any client. For
>>>>>> example,
>>>>>> I've tried the following to prevent anything other than POSTs or
>>>>>> GETs:
>>>>>>
>>>>>> <Location />
>>>>>> <LimitExcept GET POST>
>>>>>> Order deny,allow
>>>>>> Deny from all
>>>>>> </LimitExcept>
>>>>>> </Location>
>>>>>>
>>>>>> This is not working (hence this email :)). Any suggestions would
>>>>>> be
>>>>>> greatly appreciated.
>>>>>
>>>>>
>>>>> That technique is basically correct. What is your evidence that it
>>>>> is not
>>>>> working?
>>>>>
>>>>> Joshua.
>>>>>
>>>>>
>>>>>
>>>> Sum Cogito Ergo
>>>> I Am Therefore I Think
>>>
>>> The TRACE method cannot be limited with the <Limit> or <LimitExcept>
>>> directives.
>>>
>>> --
>>> Aaron W Morris <aa...@mindspring.com> (decep)
>> Sum Cogito Ergo
>> I Am Therefore I Think
Sum Cogito Ergo
I Am Therefore I Think
Re: [users@httpd] Limiting HTTP Methods
Posted by Kyle Dent <kd...@seaglass.com>.
On Wed, 19 Nov 2003, Erich Oliphant wrote:
> Thanks. Hmm, is there any other way to disable the TRACE method?
If you're using mod_rewrite:
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
Kyle
> On Wednesday, November 19, 2003, at 04:46 PM, Aaron Morris wrote:
>
> >
> >
> > Erich Oliphant wrote:
> >> I am trying to prevent nastiness such as TRACE based attacks. The
> >> following short PERL script:
> >> #!/usr/local/bin/perl -w
> >> use LWP::UserAgent;
> >> my $ua = new LWP::UserAgent;
> >> $ua->agent("AgentName/0.1" . $ua->agent);
> >> my $req = new HTTP::Request TRACE => "https://<my url...>/";
> >> my $res = $ua->request($req);
> >> if ($res->is_success)
> >> {
> >> print $res->content;
> >> }
> >> else
> >> {
> >> print "failed";
> >> print $res->error_as_HTML;
> >> }
> >> Prints the following:
> >> --
> >> TRACE / HTTP/1.1
> >> TE: deflate,gzip;q=0.3
> >> Connection: TE, close
> >> Host: <my url ...>
> >> User-Agent: AgentName/0.1libwww-perl/5.75
> >> --
> >> as opposed to "failed" and a "Method Not Allowed" error as I would
> >> expect. I thought maybe it was an issue with the resolving of my
> >> various Directory, Location, etc directives but I've tried both
> >> making this the first and last directive and received the same
> >> results.
> >> I will try it on a fresh Apache setup as well to verify that some of
> >> the preexisting directives are not confusing it.
> >> On Wednesday, November 19, 2003, at 03:36 PM, Joshua Slive wrote:
> >>>
> >>> On Wed, 19 Nov 2003, Erich Oliphant wrote:
> >>>
> >>>> Hello,
> >>>> I am trying to limit the methods sent by any client. For example,
> >>>> I've tried the following to prevent anything other than POSTs or
> >>>> GETs:
> >>>>
> >>>> <Location />
> >>>> <LimitExcept GET POST>
> >>>> Order deny,allow
> >>>> Deny from all
> >>>> </LimitExcept>
> >>>> </Location>
> >>>>
> >>>> This is not working (hence this email :)). Any suggestions would be
> >>>> greatly appreciated.
> >>>
> >>>
> >>> That technique is basically correct. What is your evidence that it
> >>> is not
> >>> working?
> >>>
> >>> Joshua.
> >>>
> >>>
> >>>
> >> Sum Cogito Ergo
> >> I Am Therefore I Think
> >
> > The TRACE method cannot be limited with the <Limit> or <LimitExcept>
> > directives.
> >
> > --
> > Aaron W Morris <aa...@mindspring.com> (decep)
> Sum Cogito Ergo
> I Am Therefore I Think
>
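Added example (not part of the original thread): a Python check for the behaviour discussed in the message above, where <LimitExcept GET POST> refuses other methods but TRACE is still echoed back until the mod_rewrite rule is in place. The stub server, MARKER, the X-Probe header and all function names are constructed for illustration; the stub only models the responses described in the thread and is not Apache.

```python
"""Added example: confirm which HTTP methods a server really honours."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

MARKER = "trace-probe-1"  # constructed header value we expect TRACE to echo back


def make_stub(block_trace):
    """Constructed stand-in for the setup in the thread (assumption, not httpd).

    GET/POST succeed, PUT/DELETE get 403 as with <LimitExcept GET POST> plus
    "Deny from all", and TRACE is echoed unless block_trace models the
    mod_rewrite [F] rule.
    """
    class Stub(BaseHTTPRequestHandler):
        def log_message(self, *args):  # silence per-request logging
            pass

        def _reply(self, status, body=b"", ctype="text/plain"):
            self.send_response(status)
            self.send_header("Content-Type", ctype)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def do_GET(self):
            self._reply(200, b"ok\n")

        def do_POST(self):
            self.rfile.read(int(self.headers.get("Content-Length", 0)))
            self._reply(200, b"ok\n")

        def do_PUT(self):
            self._reply(403, b"Forbidden\n")

        do_DELETE = do_PUT

        def do_TRACE(self):
            if block_trace:
                self._reply(403, b"Forbidden\n")
            else:
                # TRACE reflects the request line and headers back to the client.
                echo = self.raw_requestline + str(self.headers).encode("latin-1")
                self._reply(200, echo, "message/http")

    server = HTTPServer(("127.0.0.1", 0), Stub)  # port 0: pick any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(host, port, method, use_tls=False, timeout=5):
    """Send one request using `method` and return (status, body)."""
    cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=timeout)
    try:
        conn.request(method, "/", headers={"X-Probe": MARKER})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def trace_enabled(host, port, use_tls=False):
    """True only if the server answers 200 and echoes our own request back."""
    status, body = probe(host, port, "TRACE", use_tls)
    return (status == 200 and body.startswith(b"TRACE / HTTP/")
            and MARKER.encode() in body)


def audit(host, port, allowed=("GET", "POST"),
          denied=("PUT", "DELETE", "TRACE"), use_tls=False):
    """Return (statuses, findings) comparing observed behaviour with policy."""
    statuses, findings = {}, []
    for method in tuple(allowed) + tuple(denied):
        status, _ = probe(host, port, method, use_tls)
        statuses[method] = status
        ok = 200 <= status < 300
        if method in allowed and not ok:
            findings.append(f"{method} should work but returned {status}")
        if method in denied and ok:
            findings.append(f"{method} should be refused but returned {status}")
    return statuses, findings


if __name__ == "__main__":
    for label, blocked in (("LimitExcept only", False), ("with rewrite rule", True)):
        srv = make_stub(blocked)
        port = srv.server_address[1]
        print(label, audit("127.0.0.1", port), trace_enabled("127.0.0.1", port))
        srv.shutdown()
        srv.server_close()
```

Against a real server, call audit() with its host and port (use_tls=True for an https site) after each configuration change and check that the findings list is empty.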
Re: [users@httpd] Limiting HTTP Methods
Posted by Erich Oliphant <er...@vantixweb.com>.
Thanks. Hmm, is there any other way to disable the TRACE method?
Erich
On Wednesday, November 19, 2003, at 04:46 PM, Aaron Morris wrote:
>
>
> Erich Oliphant wrote:
>> I am trying to prevent nastiness such as TRACE based attacks. The
>> following short PERL script:
>> #!/usr/local/bin/perl -w
>> use LWP::UserAgent;
>> my $ua = new LWP::UserAgent;
>> $ua->agent("AgentName/0.1" . $ua->agent);
>> my $req = new HTTP::Request TRACE => "https://<my url...>/";
>> my $res = $ua->request($req);
>> if ($res->is_success)
>> {
>> print $res->content;
>> }
>> else
>> {
>> print "failed";
>> print $res->error_as_HTML;
>> }
>> Prints the following:
>> --
>> TRACE / HTTP/1.1
>> TE: deflate,gzip;q=0.3
>> Connection: TE, close
>> Host: <my url ...>
>> User-Agent: AgentName/0.1libwww-perl/5.75
>> --
>> as opposed to "failed" and a "Method Not Allowed" error as I would
>> expect. I thought maybe it was an issue with the resolving of my
>> various Directory, Location, etc directives but I've tried both
>> making this the first and last directive and received the same
>> results.
>> I will try it on a fresh Apache setup as well to verify that some of
>> the preexisting directives are not confusing it.
>> On Wednesday, November 19, 2003, at 03:36 PM, Joshua Slive wrote:
>>>
>>> On Wed, 19 Nov 2003, Erich Oliphant wrote:
>>>
>>>> Hello,
>>>> I am trying to limit the methods sent by any client. For example,
>>>> I've tried the following to prevent anything other than POSTs or
>>>> GETs:
>>>>
>>>> <Location />
>>>> <LimitExcept GET POST>
>>>> Order deny,allow
>>>> Deny from all
>>>> </LimitExcept>
>>>> </Location>
>>>>
>>>> This is not working (hence this email :)). Any suggestions would be
>>>> greatly appreciated.
>>>
>>>
>>> That technique is basically correct. What is your evidence that it
>>> is not
>>> working?
>>>
>>> Joshua.
>>>
>>>
>>>
>> Sum Cogito Ergo
>> I Am Therefore I Think
>
> The TRACE method cannot be limited with the <Limit> or <LimitExcept>
> directives.
>
> --
> Aaron W Morris <aa...@mindspring.com> (decep)
Sum Cogito Ergo
I Am Therefore I Think
Re: [users@httpd] Limiting HTTP Methods
Posted by Aaron Morris <aa...@mindspring.com>.
Erich Oliphant wrote:
> I am trying to prevent nastiness such as TRACE based attacks. The
> following short PERL script:
> #!/usr/local/bin/perl -w
>
> use LWP::UserAgent;
> my $ua = new LWP::UserAgent;
> $ua->agent("AgentName/0.1" . $ua->agent);
>
>
> my $req = new HTTP::Request TRACE => "https://<my url...>/";
>
> my $res = $ua->request($req);
>
> if ($res->is_success)
> {
> print $res->content;
> }
> else
> {
> print "failed";
> print $res->error_as_HTML;
> }
>
> Prints the following:
> --
> TRACE / HTTP/1.1
> TE: deflate,gzip;q=0.3
> Connection: TE, close
> Host: <my url ...>
> User-Agent: AgentName/0.1libwww-perl/5.75
> --
>
> as opposed to "failed" and a "Method Not Allowed" error as I would
> expect. I thought maybe it was an issue with the resolving of my
> various Directory, Location, etc directives but I've tried both making
> this the first and last directive and received the same results.
>
> I will try it on a fresh Apache setup as well to verify that some of the
> preexisting directives are not confusing it.
>
>
>
> On Wednesday, November 19, 2003, at 03:36 PM, Joshua Slive wrote:
>
>>
>> On Wed, 19 Nov 2003, Erich Oliphant wrote:
>>
>>> Hello,
>>> I am trying to limit the methods sent by any client. For example,
>>> I've tried the following to prevent anything other than POSTs or GETs:
>>>
>>> <Location />
>>> <LimitExcept GET POST>
>>> Order deny,allow
>>> Deny from all
>>> </LimitExcept>
>>> </Location>
>>>
>>> This is not working (hence this email :)). Any suggestions would be
>>> greatly appreciated.
>>
>>
>> That technique is basically correct. What is your evidence that it is
>> not
>> working?
>>
>> Joshua.
>>
>>
>>
> Sum Cogito Ergo
> I Am Therefore I Think
>
>
The TRACE method cannot be limited with the <Limit> or <LimitExcept>
directives.
--
Aaron W Morris <aa...@mindspring.com> (decep)
Re: [users@httpd] Limiting HTTP Methods
Posted by Erich Oliphant <er...@vantixweb.com>.
I am trying to prevent nastiness such as TRACE based attacks. The
following short PERL script:
#!/usr/local/bin/perl -w

use LWP::UserAgent;
my $ua = new LWP::UserAgent;
$ua->agent("AgentName/0.1" . $ua->agent);

my $req = new HTTP::Request TRACE => "https://<my url...>/";

my $res = $ua->request($req);

if ($res->is_success)
{
    print $res->content;
}
else
{
    print "failed";
    print $res->error_as_HTML;
}
Prints the following:
--
TRACE / HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: <my url ...>
User-Agent: AgentName/0.1libwww-perl/5.75
--
as opposed to "failed" and a "Method Not Allowed" error as I would
expect. I thought maybe it was an issue with the resolving of my
various Directory, Location, etc directives but I've tried both making
this the first and last directive and received the same results.
I will try it on a fresh Apache setup as well to verify that some of
the preexisting directives are not confusing it.
On Wednesday, November 19, 2003, at 03:36 PM, Joshua Slive wrote:
>
> On Wed, 19 Nov 2003, Erich Oliphant wrote:
>
>> Hello,
>> I am trying to limit the methods sent by any client. For example,
>> I've tried the following to prevent anything other than POSTs or GETs:
>>
>> <Location />
>> <LimitExcept GET POST>
>> Order deny,allow
>> Deny from all
>> </LimitExcept>
>> </Location>
>>
>> This is not working (hence this email :)). Any suggestions would be
>> greatly appreciated.
>
> That technique is basically correct. What is your evidence that it is
> not
> working?
>
> Joshua.
Sum Cogito Ergo
I Am Therefore I Think
Re: [users@httpd] Limiting HTTP Methods
Posted by Joshua Slive <jo...@slive.ca>.
On Wed, 19 Nov 2003, Erich Oliphant wrote:
> Hello,
> I am trying to limit the methods sent by any client. For example,
> I've tried the following to prevent anything other than POSTs or GETs:
>
> <Location />
> <LimitExcept GET POST>
> Order deny,allow
> Deny from all
> </LimitExcept>
> </Location>
>
> This is not working (hence this email :)). Any suggestions would be
> greatly appreciated.
That technique is basically correct. What is your evidence that it is not
working?
Joshua.