Re: [Resin-interest] Disabling HTTP Methods
I could use some help on this, even if it's just a hint or some ideas what else to try.

Thanks,
Aaron

> I'd like to disable the HTTP CONNECT method. I don't know the best way to do that, but I tried this and it's not working:
>
>     <resin:Forbidden regexp='.*'>
>       <resin:IfMethod value="CONNECT"/>
>     </resin:Forbidden>
>
> The request is passed on and I receive a 200 OK response when I telnet and test the CONNECT.
>
> What is the most efficient way to get Resin to deny those requests?
>
> Thanks,
> Aaron

___
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest
Re: [Resin-interest] Disabling HTTP Methods
On 07/20/2011 10:39 AM, Aaron Freeman wrote:
> I'd like to disable the HTTP CONNECT method. I don't know the best way to do that, but I tried this and it's not working:
>
>     <resin:Forbidden regexp='.*'>
>       <resin:IfMethod value="CONNECT"/>
>     </resin:Forbidden>
>
> The request is passed on and I receive a 200 OK response when I telnet and test the CONNECT.
>
> What is the most efficient way to get Resin to deny those requests?

That config works for me. (You don't need the regexp if you're matching everything, but it doesn't matter for this issue.)

There is the resin:Forbidden tag?

-- Scott

> Thanks,
> Aaron
Re: [Resin-interest] Disabling HTTP Methods
On 7/21/2011 12:27 PM, Scott Ferguson wrote:
> On 07/20/2011 10:39 AM, Aaron Freeman wrote:
>> I'd like to disable the HTTP CONNECT method. I don't know the best way to do that, but I tried this and it's not working:
>>
>>     <resin:Forbidden regexp='.*'>
>>       <resin:IfMethod value="CONNECT"/>
>>     </resin:Forbidden>
>>
>> The request is passed on and I receive a 200 OK response when I telnet and test the CONNECT.
>>
>> What is the most efficient way to get Resin to deny those requests?
>
> That config works for me. (You don't need the regexp if you're matching everything, but it doesn't matter for this issue.)
>
> There is the resin:Forbidden tag?
>
> -- Scott

The config doesn't bomb, but in resin-pro-4.0.18 when I run this:

    telnet localhost 80

then

    CONNECT http://localhost/ HTTP/1.0

I then get the home page and a 200 OK, instead of a 403 FORBIDDEN.

You are able to get it to throw an appropriate HTTP 403?

Thanks,
Aaron
Re: [Resin-interest] Disabling HTTP Methods
On 07/21/2011 02:01 PM, Aaron Freeman wrote:
> On 7/21/2011 12:27 PM, Scott Ferguson wrote:
>> On 07/20/2011 10:39 AM, Aaron Freeman wrote:
>>> I'd like to disable the HTTP CONNECT method. I don't know the best way to do that, but I tried this and it's not working:
>>>
>>>     <resin:Forbidden regexp='.*'>
>>>       <resin:IfMethod value="CONNECT"/>
>>>     </resin:Forbidden>
>>>
>>> The request is passed on and I receive a 200 OK response when I telnet and test the CONNECT.
>>>
>>> What is the most efficient way to get Resin to deny those requests?
>>
>> That config works for me. (You don't need the regexp if you're matching everything, but it doesn't matter for this issue.)
>>
>> There is the resin:Forbidden tag?
>>
>> -- Scott
>
> The config doesn't bomb, but in resin-pro-4.0.18 when I run this:
>
>     telnet localhost 80
>
> then
>
>     CONNECT http://localhost/ HTTP/1.0
>
> I then get the home page and a 200 OK, instead of a 403 FORBIDDEN.
>
> You are able to get it to throw an appropriate HTTP 403?

Where is the resin:Forbidden tag? (cluster, host, web-app, resin-web.xml?)

-- Scott

> Thanks,
> Aaron
Re: [Resin-interest] Disabling HTTP Methods
On 7/21/2011 4:12 PM, Scott Ferguson wrote:
> On 07/21/2011 02:01 PM, Aaron Freeman wrote:
>> On 7/21/2011 12:27 PM, Scott Ferguson wrote:
>>> On 07/20/2011 10:39 AM, Aaron Freeman wrote:
>>>> I'd like to disable the HTTP CONNECT method. I don't know the best way to do that, but I tried this and it's not working:
>>>>
>>>>     <resin:Forbidden regexp='.*'>
>>>>       <resin:IfMethod value="CONNECT"/>
>>>>     </resin:Forbidden>
>>>>
>>>> The request is passed on and I receive a 200 OK response when I telnet and test the CONNECT.
>>>>
>>>> What is the most efficient way to get Resin to deny those requests?
>>>
>>> That config works for me. (You don't need the regexp if you're matching everything, but it doesn't matter for this issue.)
>>>
>>> There is the resin:Forbidden tag?
>>>
>>> -- Scott
>>
>> The config doesn't bomb, but in resin-pro-4.0.18 when I run this:
>>
>>     telnet localhost 80
>>
>> then
>>
>>     CONNECT http://localhost/ HTTP/1.0
>>
>> I then get the home page and a 200 OK, instead of a 403 FORBIDDEN.
>>
>> You are able to get it to throw an appropriate HTTP 403?
>
> Where is the resin:Forbidden tag? (cluster, host, web-app, resin-web.xml?)
>
> -- Scott

Ah now I get your question. :) I was confused.

I tried in the web-app-default and web-app based on the regex, but I am guessing you are going to tell me that's too late and I need to put it at the host level -- so I just tried that and it's working great.

Sorry for being slow and not thinking this one through more.

Thanks,
Aaron
Re: [Resin-interest] Disabling HTTP Methods
On 07/21/2011 02:28 PM, Aaron Freeman wrote:
> On 7/21/2011 4:12 PM, Scott Ferguson wrote:
>> On 07/21/2011 02:01 PM, Aaron Freeman wrote:
>>> On 7/21/2011 12:27 PM, Scott Ferguson wrote:
>>>> On 07/20/2011 10:39 AM, Aaron Freeman wrote:
>>>>> I'd like to disable the HTTP CONNECT method. I don't know the best way to do that, but I tried this and it's not working:
>>>>>
>>>>>     <resin:Forbidden regexp='.*'>
>>>>>       <resin:IfMethod value="CONNECT"/>
>>>>>     </resin:Forbidden>
>>>>>
>>>>> The request is passed on and I receive a 200 OK response when I telnet and test the CONNECT.
>
> Ah now I get your question. :) I was confused.
>
> I tried in the web-app-default and web-app based on the regex, but I am guessing you are going to tell me that's too late and I need to put it at the host level -- so I just tried that and it's working great.
>
> Sorry for being slow and not thinking this one through more.

Hmm. The web-app and web-app-default should also work (I just checked with web-app-default), unless there's an earlier resin:Dispatch (or resin:XXX) that matches.

-- Scott

> Thanks,
> Aaron
Re: [Resin-interest] Disabling HTTP Methods
Aaron Freeman wrote:
> You are able to get it to throw an appropriate HTTP 403?

Actually, the appropriate response would be 405, Method Not Allowed.

-Eric
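
Added example, not part of the thread or of Resin: the telnet check described above as a script, so it can be re-run each time the rule is moved between web-app and host level. The function names and the stub server are constructed for illustration; the request line and the 403/405 codes are the ones from the thread.

```python
import socket
import threading

DENIED = {403, 405}  # the two refusal codes discussed in the thread

def parse_status(raw: bytes) -> int:
    """Return the status code from the first line of a raw HTTP response."""
    parts = raw.split(b"\r\n", 1)[0].decode("latin-1").split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {raw[:40]!r}")
    return int(parts[1])

def probe(host, port, method="CONNECT", target="http://localhost/", timeout=5.0):
    """Send one raw request, as in the telnet test, and return the status code."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(f"{method} {target} HTTP/1.0\r\n\r\n".encode("ascii"))
        buf = b""
        while b"\r\n" not in buf:          # read until the status line is complete
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return parse_status(buf)

def method_is_denied(host, port, method="CONNECT"):
    """True when the server refuses the method instead of serving content."""
    return probe(host, port, method) in DENIED

def start_stub(deny=("CONNECT",)):
    """Constructed stand-in for the server under test; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                verb = conn.recv(4096).split(b" ", 1)[0].decode("latin-1")
                status = "403 Forbidden" if verb in deny else "200 OK"
                conn.sendall(f"HTTP/1.0 {status}\r\n\r\n".encode("ascii"))
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    port = start_stub()                    # replace with your own host and port
    for verb in ("GET", "CONNECT"):
        print(verb, probe("127.0.0.1", port, verb))
```

A 200 from `probe()` for CONNECT is the symptom reported in the thread: the rule is not being reached for that request.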