Hi Guys, I am very interested in what you are talking about. Especially the CONNECT/POST discussion. I have what I believe is a spammer doing the CONNECT/POST and getting a status 200 from apache. Is this truely a php issue? Should I drop using php? Do you both agree and the apache group that this http 200 status response means the connect to another server (they are trying to connect back to thier server) is failing to connect yet the status 200 occurs? I am considering dropping php and or Apache because of this drive a Mac truck through it security hole in Apache/php. I tried the suggestions here on the Apache forum but they do not appear to fix the spammer issue. If this is a php issue I really would like a fix. Thx. Joshua Slive <[EMAIL PROTECTED]> wrote: On 6/19/07, Bob wrote:
> You are wrong Really? Interesting. Well, no actually, I'm not. But it's nice how confident you are about your knowledge on this issue. >, my original post showed the CONNECT requests having a 200 > status code which means apache did service them successfully As I've told you repeatedly, php was almost certainly treating the CONNECT request just like a GET request. So the CONNECT was not succeeding in the sense of connecting to a third-party server. It was simply serving your index.php page. > My book says a 500 code is a common error when a client calls a flawed > CGI script. And this is not the "correct" status code. The correct status code is 403 (forbidden). But as I already said, the status code is not that important since the robots don't care. (And, in fact, the original 200 status code wasn't really a problem either unless your index.php script uses up lots of resources. So you could have just left things as they were.) > I have read the php manual concerning selecting individual > methods. I could not find any mention of how to tell php to limit it self to > only using desired methods. A link to the php manual where it explains how > to restrict php to only allow the use of selected methods would go a long > way to support your view point. Providing a how to fix it post like I did is > far better then a reply spouting apache dogma. Results are what count here. I'm not here to win a debate with you. I'm just here to try to help you understand how your server is working. For php configuration questions you are better off on a php list. But I have already given you explicit instructions: "I believe you can set http.allowed_methods in your php config to the list of methods php should handle. (GET and POST would be a good basic list.)" This is documented here: http://www.php.net/manual/en/ini.php As I've also already told you, your current config should be fine. But don't go recommending it to others as the proper solution when there are many cleaner and safer solutions available (and listed in the FAQ). Joshua. --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------- Get the Yahoo! toolbar and be alerted to new email wherever you're surfing.
