I put this:

    RewriteEngine on
    RewriteOptions AllowAnyURI # for * to be taken into account by mod_rewrite
    RewriteCond %{REQUEST_METHOD} OPTIONS
    RewriteRule ^ - [R=405,L]
    RewriteRule ^[^/] - [R=403,L]

in my .htaccess file, but when I still telnet to mydomain 80, and try the OPTIONS thing, it's still returning a 200. I also tried the <LimitExcept GET POST> stuff but that didn't work either.

On Fri, Feb 12, 2016 at 6:47 AM, Yann Ylavic <ylavic....@gmail.com> wrote:

> On Fri, Feb 12, 2016 at 10:47 AM, Daniel <dferra...@gmail.com> wrote:
> > The typical way to block OPTIONS in 2.2 does not need mod_rewrite at all
> > IIRC. You just add this in your location/directory:
> >     <LimitExcept GET POST>
> >         deny from all
> >     </LimitExcept>
> >
> > and will return 403 if you try OPTIONS method there
>
> That wouldn't work because the replies to OPTIONS requests happen
> before in the map_to_storage hook, that is before the authz hooks
> (Toomas tried that already).
>
> Will discuss this on dev@, because ISTM that should work with something
> like:
>     <LocationMatch ^> # matches / and *
>         <Limit OPTIONS>
>             Deny from all # 2.2
>             Require all denied # 2.4
>         </Limit>
>     </LocationMatch>
>
> For now I could only make it work with:
>     RewriteEngine on
>     RewriteOptions AllowAnyURI # for * to be taken into account by mod_rewrite
>     RewriteCond %{REQUEST_METHOD} OPTIONS
>     RewriteRule ^ - [R=405,L]
>     RewriteRule ^[^/] - [R=403,L]
> which should be the first rewrite rules for AllowAnyURI to not be
> "dangerous" for further rules (if any) failing to match the leading
> slash.
>
> Regards,
> Yann.
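Added example, not part of the thread: a scripted version of the telnet check described above, sending OPTIONS for both request targets the thread mentions (`*` and `/`) and reporting whether the server still answers. The function names and the sample responses are constructed for illustration.

```python
import socket

def build_options_request(host, target):
    """Raw OPTIONS request; target is '*' (server-wide) or a path such as '/'."""
    if target != "*" and not target.startswith("/"):
        raise ValueError("target must be '*' or start with '/'")
    return (f"OPTIONS {target} HTTP/1.1\r\nHost: {host}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")

def parse_response(raw):
    """Return (status_code, Allow header value or None) from raw response bytes."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    allow = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "allow":
            allow = value.strip()
    return int(parts[1]), allow

def is_blocked(status):
    """The rewrite rule in the thread answers 405, the <Limit> form 403; 200 means still open."""
    return status in (403, 405)

def probe(host, port=80, targets=("*", "/"), timeout=5.0):
    """Send one OPTIONS request per target; return {target: (status, allow, blocked)}."""
    results = {}
    for target in targets:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_options_request(host, target))
            raw = b""
            while b"\r\n\r\n" not in raw:  # read until the header block is complete
                chunk = s.recv(4096)
                if not chunk:
                    break
                raw += chunk
        status, allow = parse_response(raw)
        results[target] = (status, allow, is_blocked(status))
    return results

# Constructed sample responses, not captured from a real server.
SAMPLE_OPEN = b"HTTP/1.1 200 OK\r\nAllow: GET,HEAD,POST,OPTIONS\r\nContent-Length: 0\r\n\r\n"
SAMPLE_BLOCKED = b"HTTP/1.1 405 Method Not Allowed\r\nContent-Type: text/html\r\n\r\n<html>"
if __name__ == "__main__":
    for sample in (SAMPLE_OPEN, SAMPLE_BLOCKED):
        status, allow = parse_response(sample)
        print(status, allow, "blocked" if is_blocked(status) else "still answered")
```

Against a live server you administer, `probe("mydomain")` returns one entry per target, so a rule that covers `/` but not `*` shows up as a mixed result.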