Apache LimitExcept only to GET and POST methods - apache

I have the current configuration in my httpd.conf file.I am trying to remove the vulnerability Authentication Bypass Using HTTP Verb Tampering. I only want to allow certain HTTP request headers, Get and Post in the below example and a different header should throw an error.
DocumentRoot "c:/dev"
<Directory "C:/dev">
Options Indexes FollowSymLinks MultiViews Includes
AllowOverride Limit
<LimitExcept GET POST>
Order deny,allow
Deny from all
</LimitExcept>
Order allow,deny
Allow from all
</Directory>
This configuration is still allowing other http request headers like put, options etc. I am using postman api to test my changes. Please help!

This is how you can limit to GET/POST/OPTIONS. Note: NIST Stigs V-26396 states that this should not be applied to the root but only the others such as in my example (/etc/apache2/apache2.conf):
It appears that this would work as well :
<Location /var/www/>
Order allow,deny
Allow from all
<LimitExcept POST GET>
Deny from all
</LimitExcept>
</Location>
<Location /usr/share/>
Order allow,deny
Allow from all
<LimitExcept POST GET>
Deny from all
</LimitExcept>
</Location>
Further reading :
https://vaulted.io/library/disa-stigs-srgs/apache_22_server_for_unix_security_technical_implementation_guide/V-26396
http://httpd.apache.org/docs/current/mod/core.html#limitexcept

Try this settings
<Location />
Order allow,deny
Allow from all
<LimitExcept POST GET>
Deny from all
</LimitExcept>
</Location>

The LimitExcept directive is the inverse of Limit directive. It allows applying a set of access restrictions to all listed http methods except for the ones listed with the LimitExcept directive. See this link: http://httpd.apache.org/docs/current/mod/core.html#limitexcept. So the access restrictions are applied to all http methods except for the ones listed with LimitExcept.
In your case the problem seems to be with the access control directives. See this link for more information: http://httpd.apache.org/docs/current/mod/mod_access_compat.html#order
You can try to remove the directives below

Related

apache v2.4 remove old v2.2 'Deny from env=BlockCountry' directive

I protect my HTTP(s) vhosts with geoIP
<Directory /srv/www/vhosts>
MaxMindDBEnable On
MaxMindDBFile DB /usr/local/share/maxminddb/GeoLite2-Country.mmdb
MaxMindDBEnv MM_COUNTRY_CODE DB/country/iso_code
SetEnvIf MM_COUNTRY_CODE ^(RU|CN|HK|IN) BlockCountry
Deny from env=BlockCountry
Options FollowSymLinks
AllowOverride None
Require all granted
</Directory>
1.) Am I correct that I mix v2.2 Deny from env=BlockCountry and v2.4 Require all granted directives here.
If yes I searched the web to replace the Deny from env=BlockCountry with an apache2.4 alternative but cannot find one. How can I get rid of the old Deny directicve ?
2.) Am I correct that my GeoIP code in my apache2.conf works with this version inconsistent directives just by some "luck" , because I never set the order which rule ( Require or Deny ) comes first like I would do in v2.2 apache order allow deny
3.) Require env BlockCountry works but than all the blocked Countries have access and all the other not ( I test always with VPN )
So I tried Require not env BlockCountry but this leads to an error when I restart apache web server
You could negate your rule.
Instead of
SetEnvIf MM_COUNTRY_CODE ^(RU|CN|HK|IN) BlockCountry
Deny from env=BlockCountry
set.
SetEnvIf MM_COUNTRY_CODE !^(RU|CN|HK|IN) AllowCountry
Require env AllowCountry

Apache 2.2 WebDav Anonymous access

I sorta have a HTTP config working for Apache 2.2 that allows WebDav. At least I can use the WinSCP client to attach with the DAV account listed below.
But I also have much older clunkier clients that may only work for anonymous access. And they are not working.
Windows 7 (Map drive), it pops up the credentials but does not log in.
FalconView (probably only understands anonymous login
Any idea what I am doing wrong here with the anon access? I am a novice at HTTPD.conf
(the environment variable ${EGPL_JobsPath} resolves to a windows path:
E.g. F:\Jobs
Alias /jobs ${EGPL_JobsPath}
<IfModule dav_lock_module>
DavLockDB "${EGPL_JobsPath}"
</IfModule>
<Directory "${EGPL_JobsPath}">
Header set Access-Control-Allow-Origin "*"
Dav On
Require valid-user
Options Indexes FollowSymLinks
Order allow,deny
Allow from all
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require user me
</LimitExcept>
AuthType Basic
AuthName DAV
AuthUserFile conf/users.passwords
</Directory>
The only way I could get this to work, is to turn off all Authentication and leave the webdav folder open to the world. I would still like to hear from people with better ideas:
Alias /jobs ${EGPL_JobsPath}
<IfModule dav_lock_module>
DavLockDB "${EGPL_LibrarianPath}"
</IfModule>
<Directory "${EGPL_JobsPath}">
Header set Access-Control-Allow-Origin "*"
Dav On
</Directory>

/etc/httpd/conf/httpd.conf versus /etc/httpd/conf.d/owncloud.http /Directory directives

Below is a segment from the owncloud.conf file in /etc/httpd/conf.d. It is the intent to lock out all access except the 10.0 intranet and a limited set of external ip address xx.yy.0.0. However the configuration is not locking out other access. All external address are being allowed. Is there something obvious with this configuration.
<Directory /var/www/http/owncloud/>
Options Indexes FollowSymLinks MultiViews
AllowOverride none
Require all denied
Order Deny,Allow
Deny from all
Allow from 10.0.0.0/16
Allow from xx.yy.0.0/16
</Directory>
It's either being overridden in a different configuration section (like Location or LocationMatch) or your clients are coming through proxies that make them appear to match your rules.
Try this
Deny from none
How ever swap around your ip config and change it to deny
Allow from 10.0.0.0/16
Allow from xx.yy.0.0/16

How to block all IP adresses from secureserver.net using htaccess?

This usually would work using allow,deny:
order allow,deny
deny from secureserver.net
allow from all
But for this specific domain the logs show that it is still allowing access, for example:
ip-50-63-174-95.ip.secureserver.net gets an 200 ok response to requests.
Try this:
<Limit GET POST>
order allow,deny
allow from all
deny from .secureserver.edu
</Limit>

Apache limit PUT and DELETE

I've been trying to use a <limit> tag to disable PUT and DELETE calls from being executed through our Apache server and have been unsuccessful.
Apache Version: 2.2
I am currently adding something like this to the inside of my httpd.conf file:
<Directory />
Options none
AllowOverride none
Order deny,allow
Deny from all
<Limit PUT DELETE TRACE>
Order deny,allow
Deny from all
</Limit>
</Directory>
But I have been unable to get a successful restart on Apache while this line is in the file. Now, I know very little about Apache and I've been trying to follow along in some of the Apache docs I've found but have been unsuccessful.
With none of my changes this section of the httpd.conf looks like this:
<Directory />
Options FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
</Directory>
Any help would be appreciated.
http://wiki.linuxquestions.org/wiki/Securing_Apache#Disabling_PUT_and_DELETE
<Directory /usr/apache/www/myserver.com/htdocs>
...bunch of useful stuff
<Limit PUT DELETE>
Require user terribleUnguessableUsername235452309875wesaef
</Limit>
</Directory>
According to Apache docs found at a hyperlink I do not have enough rep to include, you cannot restrict TRACE using a Limit directive.
If you can't restart Apache, there will be a line in the error log telling you what the problem is.
That said, I think a limit is not allowed inside a directory, but I'm not sure.
Note that TRACE can't be limited.
Trace can be limited in server.xml by adding allowTrace = false in connector tag.