TO Mark Montague:

CC Eric Covener, Others:

 

Thanks! 

As Eric and Mark said, do you have a document or web link that explains this
viewpoint? (Apache doesn't discriminate between the HTTP methods used to access CGI.)

> Apache doesn't know what methods your CGI understands, so it doesn't
> discriminate.

> As Eric said, Apache lets your CGI decide what to do with extension
> method.  But if you do not want your CGI to decide, then you can use the
> Limit and LimitExcept directives to tell Apache to only allow certain
> methods.

 

Then my mail said:

> And then if I access the HTML file in "/opt/web/htroot", the result is as
> follows:
> GET, HEAD, and OPTIONS can access the HTML file. I don't set any
> limits except TRACE. Is this the default?

 

Why?

Thanks!

 

> -----Original Message-----
> From: Mark Montague [mailto:m...@catseye.org]
> Sent: Tuesday, March 29, 2011 1:02 PM
> To: users@httpd.apache.org
> Cc: Liu JinGang; 'Eric Covener'
> Subject: Re: [users@httpd] Apache httpd question(emergent)
>
> On March 28, 2011 23:22, "Liu JinGang" <li...@cn.fujitsu.com> wrote:
> >> Apache doesn't know what methods your CGI understands, so it doesn't
> >> discriminate.
> > Thanks!
> > As you say, I can get the result that:
> > CGI is executable by a method that does not exist.
> > And then do you have a document or web link that explains this viewpoint?
> > (I don't find it, but I need to show it to the customer.)
>
> RFC 2616 defines the HTTP 1.1 protocol.  Section 5.1.1 says that web
> browsers or web servers are allowed to invent new methods
> ("extension-method").   The document is http://www.ietf.org/rfc/rfc2616.txt
>
> As Eric said, Apache lets your CGI decide what to do with extension
> method.  But if you do not want your CGI to decide, then you can use the
> Limit and LimitExcept directives to tell Apache to only allow certain
> methods.
>
> Here is an example for restricting CGI to only GET, HEAD, POST, and
> OPTIONS methods.  (Notes:  Allowing GET automatically allows HEAD.
> Also, you still need "TraceEnable Off" because Limit and LimitExcept do
> not affect TRACE.)
>
> TraceEnable Off
> <Directory "/opt/web/htroot">
>     Options FollowSymLinks ExecCGI
>     AllowOverride all
>     order allow,deny
>     <Limit GET POST OPTIONS>
>         allow from all
>     </Limit>
>     <LimitExcept GET POST OPTIONS>
>         deny from all
>     </LimitExcept>
> </Directory>
>
> For more information about Limit and LimitExcept directives, see:
>
> http://httpd.apache.org/docs/2.2/mod/core.html#limit
> http://httpd.apache.org/docs/2.2/mod/core.html#limitexcept
>
> --
>    Mark Montague
>    m...@catseye.org
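
The other option the quoted reply mentions, letting the CGI decide, shown as an added example (not code from this thread or from Apache): a CGI script that checks the `REQUEST_METHOD` variable itself and answers 405 with an `Allow` header for anything off its list, extension methods included. The allow-list, the response bodies and the function name `respond` are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""CGI script that enforces its own HTTP method allow-list."""
import os
import sys

# Assumption: the methods from the Limit example in the quoted reply, plus
# HEAD, which that reply notes is allowed automatically along with GET.
ALLOWED = ("GET", "HEAD", "POST", "OPTIONS")


def respond(environ):
    """Return (status, headers, body) for the CGI request in `environ`."""
    # The server hands the request method to the script unchanged. Method
    # names are case-sensitive, so "get" or an extension method such as
    # "FOO" is simply not on the list.
    method = environ.get("REQUEST_METHOD", "")
    allow = ("Allow", ", ".join(ALLOWED))
    ctype = ("Content-Type", "text/plain")
    if method not in ALLOWED:
        # A 405 response lists the permitted methods in its Allow header.
        return "405 Method Not Allowed", [allow, ctype], "Method not allowed\n"
    if method == "OPTIONS":
        return "200 OK", [allow, ctype], ""
    # HEAD gets the same headers as GET but no body.
    body = "" if method == "HEAD" else "Hello from CGI\n"
    return "200 OK", [ctype], body


def main():
    status, headers, body = respond(os.environ)
    out = sys.stdout
    out.write("Status: %s\r\n" % status)  # CGI header that sets the HTTP status
    for name, value in headers:
        out.write("%s: %s\r\n" % (name, value))
    out.write("\r\n")
    out.write(body)


if __name__ == "__main__":
    main()
```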

 
