Re: [users@httpd] Block access to "OPTIONS *"

Fri, 12 Feb 2016 01:48:07 -0800 

The typical way to block OPTIONS in 2.2 does not need mod_rewrite at all
IIRC. You just add this in your location/directory:
        <LimitExcept GET POST>
                deny from all
        </LimitExcept>

and will return 403 if you try OPTIONS method there

El vie., 12 feb. 2016 a las 7:41, Spork Schivago (<sporkschiv...@gmail.com>)
escribió:

> Thank you.   I do see the 200 OK response.
>
> OPTIONS / HTTP/1.0
>
> HTTP/1.1 200 OK
> Date: Fri, 12 Feb 2016 06:35:33 GMT
> Server: Apache
> Allow: GET,HEAD,POST,OPTIONS
> Cache-Control: max-age=0, no-cache, no-store, must-revalidate
> Pragma: no-cache
> Expires: Wed, 11 Jan 1984 05:00:00 GMT
> Content-Length: 0
> Connection: close
> Content-Type: text/html
>
> Connection closed by foreign host.
>
> How do I go about fixing this again?   I'd like the fix to be server wide,
> so I'd want to put this in my httpd.conf file?
>
>
> RewriteCond %{REQUEST_METHOD} OPTIONS
> RewriteRule .* - [R=405,L]
> RewriteRule ^[^/] - [R=403,L]
>
> I'm currently redirecting all http traffic to the https version of my site
> using this in .htaccess files:
>
> RewriteEngine on
> RewriteCond %{HTTPS} off
> RewriteRule ^(.*) https://%{HTTP_HOST}/$1 [R]
>
> I'd like to add that to make it server wide as well I think.   Just gotta
> figure out where to put it in the httpd.conf file (or the vhosts .conf
> files).   I use cPanel / WHM and EasyApache so it makes things much harder
> to figure out.
>
>
> On Fri, Feb 12, 2016 at 12:33 AM, Toomas Aas <toomas....@reach-u.com>
> wrote:
>
>>
>> On 02/12/2016 03:38 AM, Spork Schivago wrote:
>>
>> Sorry to put in here, but is there away for me to test to see if my
>>> server is affected by this OPTIONS issue?
>>>
>>
>>
>> Testing is easy. Just telnet to port 80 of your server, type "OPTIONS /
>> HTTP/1.0" and press Enter twice.
>>
>> $ telnet www.yoursite.com 80
>> Trying 12.34.56.78...
>> Connected to www.yoursite.com.
>> Escape character is '^]'.
>> OPTIONS / HTTP/1.0
>>
>> HTTP/1.0 200 OK
>> Allow: OPTIONS, GET, HEAD, POST
>> Content-Length: 0
>> Connection: close
>> Date: Fri, 12 Feb 2016 05:29:26 GMT
>> Server: Apache
>>
>> If you see the "200 OK" response, you are affected
>>
>> --
>> Toomas Aas | support engineer
>> www.reach-u.com
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>> For additional commands, e-mail: users-h...@httpd.apache.org
>>
>>
>

Reply via email to