LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 10-20-2009, 10:56 PM   #1
ankit.thakkar
LQ Newbie
 
Registered: Oct 2009
Posts: 2

Rep: Reputation: 0
Disabling HEAD, OPTIONS HTTP METHODS in Apache Webserver


Dear All,

We are facing some challenges disabling unnecessary HTTP methods, i.e. HEAD, OPTIONS, TRACE, DELETE, with the Apache web server; we are using Apache/2.2.3.

TRACE we have disabled using TraceEnable off.

We tried with
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC]
RewriteRule .* - [F]

But we are not able to disable them using the above rewrite rule. Can anyone suggest something on this issue?


Thanks
 
Old 10-20-2009, 11:59 PM   #2
raskin
Senior Member
 
Registered: Sep 2005
Location: France
Distribution: approximately NixOS (http://nixos.org)
Posts: 1,900

Rep: Reputation: 69
http://httpd.apache.org/docs/2.2/mod/core.html#limit

I am not quite sure why you would want to forbid HEAD, though. If you can be attacked via HEAD, the same attack will get you via GET.
 
Old 10-21-2009, 01:32 PM   #3
ankit.thakkar
LQ Newbie
 
Registered: Oct 2009
Posts: 2

Original Poster
Rep: Reputation: 0
Thanks raskin for your support.

We successfully disabled PUT, DELETE, TRACE, OPTIONS using

<LimitExcept GET POST>
deny from all
</LimitExcept>

But using the above configuration the HEAD request is still allowed on the web server.
GET and HEAD are almost the same, but the client is insisting that we disable HEAD also.

We tried to disable using

<LimitExcept GET POST>
deny from all
</LimitExcept>


<Limit HEAD>
deny from all
</Limit>

But it blocked GET,POST also.

Can you please suggest a solution to restrict only HEAD?
 
Old 10-21-2009, 02:26 PM   #4
raskin
Senior Member
 
Registered: Sep 2005
Location: France
Distribution: approximately NixOS (http://nixos.org)
Posts: 1,900

Rep: Reputation: 69
Read the documentation I referenced once again.

Quote:
Originally Posted by Apache HTTPD documentation
The method names listed can be one or more of: GET, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, and UNLOCK. The method name is case-sensitive. If GET is used it will also restrict HEAD requests. The TRACE method cannot be limited.
So GET = HEAD from Apache's point of view here, so there is no way to filter the request.

Just in case: Nginx also thinks that, for limit_except, GET includes HEAD. Lighttpd seems not to have per-method configuration. You could try redirecting to different URLs using the request_method value, and then one of them would return 403. The other way is to educate the customers, which can be an even more perverse task.
 
Old 12-23-2009, 05:09 AM   #5
beeyes76
LQ Newbie
 
Registered: Mar 2006
Posts: 1

Rep: Reputation: 0
Please find the required answer below:

Description: How to disable the HTTP TRACE method on recent apache versions.

Most vulnerability scanners (like the popular Nessus, but commercial ones also) will complain (normally at a low threat or warning level) about the TRACE method being enabled on the web server tested.

Normally you will have this enabled by default, but if you want to test whether it is really enabled on your server you just have to telnet to the port your web server is running on and request "TRACE / HTTP/1.0"; if you get a positive reply it means TRACE is enabled on your system. The output of a server with TRACE enabled will look like:

telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
TRACE / HTTP/1.0
Host: foo
Any text entered here will be echoed back in the response <- ENTER twice to finish

HTTP/1.1 200 OK
Date: Sat, 20 Oct 2007 20:39:36 GMT
Server: Apache/2.2.6 (Debian) PHP/4.4.4-9 mod_ruby/1.2.6 Ruby/1.8.6(2007-06-07)
Connection: close
Content-Type: message/http

TRACE / HTTP/1.0
Host: foo
Any text entered here will be echoed back in the response

Connection closed by foreign host.

Traditionally experts suggest disabling this using some rewrite rules like:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
(this needs to be added somewhere in your main apache config file outside of any vhost or directory config).

Still, this has the disadvantage (to mention just one) that you need mod_rewrite enabled on the server. But for Apache versions newer than 1.3.34 for the legacy branch, and 2.0.55 (or newer) for Apache 2, this can be done very easily because there is a new Apache directive that controls whether the TRACE method is enabled or not:
TraceEnable off
This needs to be added in the main server config and the default is enabled (on). TraceEnable off causes apache to return a 403 FORBIDDEN error to the client.

After setting this and reloading the apache config the same server as above shows:

telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
TRACE / HTTP/1.0
Host: foo
testing... <- ENTER twice

HTTP/1.1 403 Forbidden
Date: Sat, 20 Oct 2007 20:38:31 GMT
Server: Apache/2.2.6 (Debian) PHP/4.4.4-9 mod_ruby/1.2.6 Ruby/1.8.6(2007-06-07)
Content-Length: 320
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /
on this server.</p>
<hr>
<address>Apache/2.2.6 (Debian) PHP/4.4.4-9 mod_ruby/1.2.6 Ruby/1.8.6(2007-06-07) Server at foo Port 80</address>
</body></html>
Connection closed by foreign host.


Don't forget to restart the service after changes have been made to the configuration file, and test it locally in the same way.
 
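The telnet session in the post above checks one method by hand. The script below is an added example, not code from the thread or from Apache, that does the same raw-socket probe for every method of interest and reports the status code each one gets. So that it runs offline, it starts a small constructed stub server in-process that answers the way an Apache 2.2 with `TraceEnable off` and `<LimitExcept GET POST> Deny from all` would (GET, HEAD and POST get 200, everything else 403); the stub is an assumption for the demo, and `probe_methods()` can be pointed at any real host and port instead.

```python
"""Probe which HTTP methods a web server accepts (added example).

The stub server at the bottom is constructed for the example and only
imitates a hardened Apache; replace it with a real host:port to audit a
real server.
"""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

METHODS = ("GET", "HEAD", "POST", "OPTIONS", "TRACE", "TRACK", "PUT", "DELETE")


def send_raw(host, port, method, path="/", timeout=5.0):
    """Send one HTTP/1.0 request and return (status_code, status_line).

    HTTP/1.0 plus 'Connection: close' makes the server close the socket
    after its reply, so reading until EOF is enough -- the same property the
    telnet session relies on.  A non-HTTP or empty reply is reported as 0.
    """
    request = (
        f"{method} {path} HTTP/1.0\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    status_line = b"".join(chunks).split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return 0, status_line
    return int(parts[1]), status_line


def probe_methods(host, port, methods=METHODS):
    """Return {method: status_code} for every method probed."""
    return {m: send_raw(host, port, m)[0] for m in methods}


def allowed_methods(results):
    """Methods the server answered with 2xx, i.e. the ones still open."""
    return sorted(m for m, code in results.items() if 200 <= code < 300)


class _StubHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for Apache 2.2 with TraceEnable off and
    <LimitExcept GET POST> Deny from all: 200 for GET/HEAD/POST, 403 otherwise.
    Note HEAD is accepted, exactly the behaviour the thread complains about."""
    protocol_version = "HTTP/1.0"

    def handle_one_request(self):
        # The base class dispatches on do_<METHOD>; route every method
        # (including TRACE and TRACK, which have no handler) through _reply.
        self.raw_requestline = self.rfile.readline(65537)
        if not self.raw_requestline:
            self.close_connection = True
            return
        if not self.parse_request():
            return  # parse_request already sent a 400
        self._reply()
        self.wfile.flush()

    def _reply(self):
        if self.command in ("GET", "HEAD", "POST"):
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            if self.command != "HEAD":  # HEAD never carries a body
                self.wfile.write(b"ok\n")
        else:
            self.send_response(403)
            self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_stub_server():
    """Start the stub on an ephemeral loopback port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), _StubHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    srv, port = start_stub_server()
    results = probe_methods("127.0.0.1", port)
    for method, code in results.items():
        print(f"{method:8s} -> {code}")
    print("still allowed:", allowed_methods(results))
    srv.shutdown()
    srv.server_close()
```

Run it against a real server with `probe_methods("www.example.org", 80)` before and after a configuration change; a method is only "disabled" when its status moves out of the 2xx range. Because the stub mimics `<LimitExcept GET POST>`, HEAD still shows up as allowed, which is the gap the rest of the thread is about.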
Old 10-29-2011, 02:13 AM   #6
innominate
LQ Newbie
 
Registered: Oct 2011
Posts: 1

Rep: Reputation: Disabled
This is an old thread, but it still ranks 1st on Google for 'apache disable head request'


Here is the recipe to allow only GET and POST and disable HTTP/1.0. It also disables proxy requests.
It uses Apache internal variable THE_REQUEST:


Code:
RewriteEngine on
RewriteCond %{THE_REQUEST} !^(POST|GET)\ /.*\ HTTP/1\.1$
RewriteRule .* - [F]

Last edited by innominate; 10-29-2011 at 02:21 AM.
 
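Pulling together raskin's point in post #4 (GET inside `<Limit>`/`<LimitExcept>` silently covers HEAD, and TRACE cannot be limited there at all) and the mod_rewrite approach in post #6, the following is an added configuration example, not from the thread or the Apache documentation. The document root and the 2.2-style access directives are assumptions; the commented-out lines show the 2.4 equivalent and the THE_REQUEST variant from post #6.

```apache
# Added example: restrict an Apache 2.2 server to GET and POST only.
# Place in the main server config or inside the <VirtualHost>.

# 1. TRACE is not a <Limit>-able method; use the directive instead
#    (Apache >= 2.0.55 / 1.3.34). Returns 403 to the client.
TraceEnable off

# 2. Refuse every method except GET and POST for the document tree.
#    <LimitExcept> also catches methods Apache does not know, e.g. TRACK.
#    Caveat: GET here implicitly includes HEAD, so HEAD still gets through.
<Directory "/var/www/html">
    <LimitExcept GET POST>
        Order deny,allow
        Deny from all
    </LimitExcept>
    # Apache 2.4 equivalent (mod_authz_core):
    #<LimitExcept GET POST>
    #    Require all denied
    #</LimitExcept>
</Directory>

# 3. HEAD has to be matched outside <Limit>. mod_rewrite sees the real
#    method name in REQUEST_METHOD, so it can tell HEAD apart from GET.
#    Needs mod_rewrite loaded (LoadModule / a2enmod rewrite).
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^HEAD$
RewriteRule .* - [F]

# Stricter variant from post #6, keyed on the whole request line: only
# "GET /... HTTP/1.1" and "POST /... HTTP/1.1" pass, so HEAD, HTTP/1.0
# clients and absolute-URI (proxy-style) requests are all refused.
#RewriteCond %{THE_REQUEST} !^(POST|GET)\ /.*\ HTTP/1\.1$
#RewriteRule .* - [F]
```

Two things to check before deploying: the `[F]` rule answers 403, not 405, so scanners that look for `405 Method Not Allowed` plus an `Allow:` header will report it differently from a `<Limit>` denial; and blocking HEAD breaks any load-balancer health check, link checker or cache that uses HEAD to revalidate, which is the practical side of raskin's remark that HEAD adds no attack surface beyond GET. The THE_REQUEST variant also rejects anything whose version string is not exactly `HTTP/1.1`, so it cannot be combined with HTTP/2 later on. After a reload, re-run the probe from the telnet transcript above for each method.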
Old 01-28-2020, 04:50 AM   #7
adityakamble
LQ Newbie
 
Registered: Jan 2020
Posts: 11

Rep: Reputation: Disabled
Quote:
Originally Posted by ankit.thakkar View Post
Thanks raskin for your support.

We successfully disabled PUT,DELETE,TRACE,OPTIONS using

<LimitExcept GET POST>
deny from all
</LimitExcept>

But using the above configuration the HEAD request is still allowed on the web server.
GET and HEAD are almost the same, but the client is insisting that we disable HEAD also.

We tried to disable using

<LimitExcept GET POST>
deny from all
</LimitExcept>


<Limit HEAD>
deny from all
</Limit>

But it blocked GET,POST also.

Can you please suggest a solution to restrict only HEAD?
I want to block every HTTP method except GET and POST. Please give me a solution; I am using Apache httpd with a VirtualHost.
 
Old 01-28-2020, 07:59 AM   #8
sevendogsbsd
Senior Member
 
Registered: Sep 2017
Distribution: FreeBSD
Posts: 2,252

Rep: Reputation: 1011
This is a 9 year old thread and you have asked this question in another thread already. Posting multiple threads of the same subject isn't going to get your question answered any faster...
 
Old 01-28-2020, 08:01 AM   #9
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,553

Rep: Reputation: 7946
Quote:
Originally Posted by adityakamble View Post
I want to block httpd method except GET and POST please give me solution i am using apache httpd VirtualHost
Have you read the posts in this thread??? Have you read the LQ Rules about duplicate postings, and not re-opening old threads, or hijacking them with your own questions???

The solution is described here in this thread and in the Apache docs.
 