Score:0

HTTP Methods blocking does not work on subdomain

Tom

I set up blocking of all methods other than GET, POST and OPTIONS in apache.conf, and when I access the server via its IP the blocking works.

But when configuring the same blocking on a subdomain (via sites-available), this blocking does not occur. What could I have done wrong?

apache2.conf

<Directory /var/www/>
    Options None
    AllowOverride None
    Require all granted

    <LimitExcept GET POST OPTIONS>
        Require all denied
    </LimitExcept>
</Directory>

sites-available/subdomain.example.com.conf

<VirtualHost *:80>
    ServerName subdomain.example.com
    ServerAlias subdomain.example.com
    DocumentRoot /var/www/html/subdomain.example.com
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    Header append X-FRAME-OPTIONS "SAMEORIGIN"

    RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    SSLEngine on

    SSLCertificateFile      /certs/example.crt
    SSLCertificateKeyFile   /certs/example.key
    SSLCertificateChainFile /certs/example-intermediary.crt

    Protocols h2 http/1.1

    Header always set Strict-Transport-Security "max-age=31536000"

    Header append X-FRAME-OPTIONS "SAMEORIGIN"

    <Directory /var/www/html/subdomain.example.com>
        Options None
        AllowOverride None
        Require all granted

        <LimitExcept GET POST OPTIONS>
            Require all denied
        </LimitExcept>
    </Directory>

    ServerName subdomain.example.com
    ServerAlias subdomain.example.com
    DocumentRoot /var/www/html/subdomain.example.com
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

This blocking is not working: when executing a request with PUT, DELETE, LOCK, etc., the page content is returned normally.

Gerard H. Pille:
The "AllowOverride None" on /var/www perhaps?
Tom:
@GerardH.Pille I put this setting, because of the CIS recommendation (4.4). >"Ensure OverRide Is Disabled for All Directories" - "Search the Apache configuration files (httpd.conf and any included configuration files) to find AllowOverride directives. Set the value for all AllowOverride directives to None. "
Gerard H. Pille:
I'm barking up the wrong tree, allowoverride only manages .htaccess directives. The page content isn't coming from any cache?
Tom:
There is no cache. In Apache's own log it shows the request made with the other methods.
Gerard H. Pille:
No symbolic links under /var/www ? Use separate logs for this virtualhost. Try "require valid-user" to see if you hit the limitexcept.
Score:2
ezra-s

You should stop using that complicated old way to restrict methods.

Load mod_allowmethods.so and define what you want to allow instead, in a simpler fashion.

LoadModule allowmethods_module modules/mod_allowmethods.so

<Directory /var/www>
    # other directives
    AllowMethods GET POST OPTIONS
</Directory>

Unless you override this in a subdirectory with something else, this will work serverwide. Try and let us know.

Gerard H. Pille:
Strange that the documentation (http://httpd.apache.org/docs/current/mod/core.html) doesn't mention the deprecation.
ezra-s:
@GerardH.Pille True, I certainly went ahead of myself, certainly worth a debate in the ASF, mod_allowmethods is much simpler and helps stop using Limit LimitExcept which can cause confusion. Allow me to correct my comment, thanks for pointing it out!
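Whichever directive is used, the check a practitioner wants is a probe of the vhost itself: send each method and see what comes back. The script below is an added example, not code from the question, the answer or Apache. It probes a host with a list of methods, classifies the status codes the way Apache uses them (403 from "Require all denied" inside <LimitExcept>, 405 from mod_allowmethods, 501 for a method no loaded module implements, 3xx for a blanket redirect like the port-80 vhost above, which proves nothing about the https side), and reports the methods outside the allowlist that were still accepted. The two loopback servers in it are constructed stand-ins for the vhost before the fix (every method returns the page with 200, the symptom in the question) and after it (AllowMethods-style 405); hostnames, ports, paths and the probe list are assumptions.

```python
"""Probe which HTTP methods a vhost still accepts.

Added example; not code from the question, the answer or Apache. The two
local servers below are constructed stand-ins for the vhost before the fix
(every method returns the page with 200) and after it (AllowMethods-style
405). Hostnames, ports, paths and the probe list are assumptions.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

ALLOWED = {"GET", "POST", "OPTIONS"}
PROBE_METHODS = ["GET", "POST", "OPTIONS", "PUT", "DELETE", "PATCH",
                 "TRACE", "LOCK", "PROPFIND"]
# Status codes Apache answers with when it refuses a method:
# 403 from "Require all denied" inside <LimitExcept>, 405 from mod_allowmethods,
# 501 for a method no loaded module implements (e.g. LOCK without mod_dav).
REFUSED = {403, 405, 501}


def classify(status):
    """Map a status code to refused / redirected / accepted."""
    if status in REFUSED:
        return "refused"
    if 300 <= status < 400:
        # e.g. the port-80 vhost's blanket 301 to https: it says nothing about
        # the target vhost's rules, so probe the https side directly.
        return "redirected"
    return "accepted"


def probe_methods(host, port, path="/", methods=PROBE_METHODS, use_tls=False, timeout=5):
    """Send each method to host:port/path and return {method: (status, class)}."""
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    results = {}
    for method in methods:
        conn = conn_cls(host, port, timeout=timeout)
        try:
            conn.request(method, path)
            resp = conn.getresponse()
            resp.read()
            results[method] = (resp.status, classify(resp.status))
        finally:
            conn.close()
    return results


def unexpected_methods(results, allowed=ALLOWED):
    """Methods outside the allowlist that the server accepted anyway (sorted)."""
    return sorted(m for m, (_, cls) in results.items()
                  if m not in allowed and cls == "accepted")


class _Handler(BaseHTTPRequestHandler):
    """Route every method to respond(); http.server dispatches on do_<METHOD>."""

    def __getattr__(self, name):
        if name.startswith("do_"):
            return self.respond
        raise AttributeError(name)

    def log_message(self, *args):  # keep the probe output quiet
        pass

    def _page(self, status):
        body = b"<html>page content</html>"
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


class PermissiveHandler(_Handler):
    """Simulates the broken vhost: any method gets the page back with 200."""
    def respond(self):
        self._page(200)


class StrictHandler(_Handler):
    """Simulates AllowMethods GET POST OPTIONS: anything else is 405."""
    def respond(self):
        if self.command in ALLOWED:
            self._page(200)
        else:
            self.send_response(405)
            self.send_header("Content-Length", "0")
            self.end_headers()


def start_server(handler):
    """Start a handler on a free loopback port; returns (server, port)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def demo():
    """Probe the simulated before/after servers; returns the leaked methods of each."""
    out = {}
    for label, handler in (("before", PermissiveHandler), ("after", StrictHandler)):
        srv, port = start_server(handler)
        try:
            out[label] = unexpected_methods(probe_methods("127.0.0.1", port))
        finally:
            srv.shutdown()
            srv.server_close()
    return out


if __name__ == "__main__":
    for label, leaked in demo().items():
        print(f"{label}: still accepted outside allowlist -> {leaked or 'none'}")
```

Against the real host, call probe_methods("subdomain.example.com", 443, use_tls=True) rather than the port-80 vhost, since the RewriteRule there answers every method with a 301 before any <Directory> rule is consulted. A 2xx for PUT or DELETE means the page is still being served, a 403 means the <LimitExcept> fired, and a 405 means mod_allowmethods did.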