Score:0

Restrict access via HTTP 0.9 and HTTP 1.0 on Apache

Tom

Is it possible to block any access other than HTTP 1.1 and HTTP/2 on Apache, for all VirtualHosts?

I added the code below to apache2.conf, but I still see IP requests coming via HTTP 1.0:

```apache
#Block HTTP 0.9
RewriteEngine On
RewriteCond %{THE_REQUEST} HTTP/0\.9$
RewriteRule .* - [F]

#Block HTTP 1.0
RewriteEngine On
RewriteCond %{THE_REQUEST} HTTP/1\.0$
RewriteRule .* - [F]
```
João Alves
Already answered here: [885724](https://serverfault.com/questions/885724/)
A.B
Also afaik, there's no `HTTP/0.9` string. The lack of any HTTP/ string means HTTP 0.9.
Tom
@JoãoAlves This code seems to block everything that is different from HTTP 1.1, including HTTP/2.
ezra-s
Does this answer your question? [How to disable HTTP 1.0 protocol in Apache?](https://serverfault.com/questions/885724/how-to-disable-http-1-0-protocol-in-apache)
Tom
The suggested answer blocks everything that is different from HTTP 1.1, including HTTP/2. Keeping HTTP/2 as allowed is important.
Score:1

Here's one simple way to do it:

```apache
RewriteCond %{THE_REQUEST} !HTTP/
RewriteRule .* - [R=451,L]
RewriteCond %{THE_REQUEST} HTTP/1\.0
RewriteRule .* - [R=451,L]
```

HTTP 0.9 requests are in the format GET / without any kind of HTTP/XX version indicator, so the first rule will catch them. I've made the rule case sensitive so it will also catch clients who don't capitalize the "HTTP" properly, which shouldn't be a problem for legitimate clients; you can make it case-insensitive if you want but you'd probably want to make the second rule case-insensitive as well so HTTP1.0 traffic can't sneak by as "http/1.0" or similar.

You'll have to decide what kind of response code you want to send back. In this example, I've used R=451 to send back a 451 Unavailable For Legal Reasons so I can spot these easily in the logs as Apache should never generate that error on its own. (I tried using 418 I'm a teapot but Apache doesn't currently allow it).

For simplicity, instead of using an R=, you can simply use G for 410 Gone or F for 403 Forbidden:

```apache
RewriteCond %{THE_REQUEST} !HTTP/
RewriteRule .* - [G,L]
RewriteCond %{THE_REQUEST} HTTP/1\.0
RewriteRule .* - [F,L]
```

Caveats:

  1. You will still see the requests in your log but you should see the appropriate response code.

  2. If you use custom error pages, you may need additional RewriteCond statements so that the redirect doesn't trigger again when it tries to load the error page.

  3. Other redirects could potentially get invoked before these redirects. For example, if you put these redirects in global configuration, but also have an HTTP-to-HTTPS redirect in vhost configuration, the latter might get executed first.
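Since blocked requests still appear in the access log (caveat 1) and another redirect can run first (caveat 3), the log is the place to confirm the rules took effect. The following is an added example, not part of the answer above: a Python check over common/combined-format log lines that reports HTTP 0.9 and 1.0 requests which did not receive one of the blocking statuses used on this page. The sample lines and the names `classify` and `audit` are constructed for illustration.

```python
import re
from collections import Counter

# Statuses the rules on this page can return: R=451, G (410), F (403).
# Note that 403 can also come from unrelated access rules.
BLOCK_STATUSES = {451, 410, 403}
LEGACY = {"HTTP/0.9", "HTTP/1.0"}

# Common/combined log prefix: host ident user [time] "request line" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "((?:[^"\\]|\\.)*)" (\d{3})\b')
VERSION_RE = re.compile(r' (HTTP/\d+(?:\.\d+)?)$')

def classify(request_line):
    """Return the protocol of a logged request line, or None if unusable."""
    if request_line in ("", "-"):      # e.g. timeouts logged without a request
        return None
    m = VERSION_RE.search(request_line)
    # No trailing HTTP/x.y token is how an HTTP 0.9 request appears.
    return m.group(1) if m else "HTTP/0.9"

def audit(lines):
    """Tally (protocol, status) and list legacy requests that were not blocked."""
    tally, leaks = Counter(), []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        host, request, status = m.group(1), m.group(2), int(m.group(3))
        proto = classify(request)
        if proto is None:
            continue
        tally[(proto, status)] += 1
        if proto in LEGACY and status not in BLOCK_STATUSES:
            leaks.append((host, proto, status))
    return tally, leaks

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/2.0" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.0" 451 199',
    '198.51.100.8 - - [01/Jan/2024:10:00:03 +0000] "GET /" 410 199',
    '198.51.100.9 - - [01/Jan/2024:10:00:04 +0000] "GET /login HTTP/1.0" 301 0',
    '198.51.100.9 - - [01/Jan/2024:10:00:05 +0000] "-" 408 0',
]

if __name__ == "__main__":
    tally, leaks = audit(SAMPLE)
    for host, proto, status in leaks:
        print(f"NOT BLOCKED: {host} {proto} -> {status}")
```

A legacy request that shows a 301 here, as in the fifth sample line, is the pattern caveat 3 describes: a different redirect answered before the protocol rule did.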
