I've been trying to use a <limit> tag to disable PUT and DELETE calls from being executed through our Apache server and have been unsuccessful.
Apache Version: 2.2
I am currently adding something like this to the inside of my httpd.conf file:
<Directory />
Options none
AllowOverride none
Order deny,allow
Deny from all
<Limit PUT DELETE TRACE>
Order deny,allow
Deny from all
</Limit>
</Directory>
But I have been unable to get a successful restart on Apache while this line is in the file. Now, I know very little about Apache and I've been trying to follow along in some of the Apache docs I've found but have been unsuccessful.
Without any of my changes, this section of httpd.conf looks like this:
<Directory />
Options FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
</Directory>
Any help would be appreciated.
http://wiki.linuxquestions.org/wiki/Securing_Apache#Disabling_PUT_and_DELETE
<Directory /usr/apache/www/myserver.com/htdocs>
...bunch of useful stuff
<Limit PUT DELETE>
Require user terribleUnguessableUsername235452309875wesaef
</Limit>
</Directory>
According to Apache docs found at a hyperlink I do not have enough rep to include, you cannot restrict TRACE using a Limit directive.
If you can't restart Apache, there will be a line in the error log telling you what the problem is.
That said, I think a limit is not allowed inside a directory, but I'm not sure.
Note that TRACE can't be limited.
TRACE can be limited in server.xml by adding allowTrace="false" in the Connector tag.
Related
I'm exposing files using Apache's httpd <Directory> as below
Alias /getfiles "/web/playbooks/tmpfiles"
<Directory "/web/playbooks/tmpfiles">
Options Indexes MultiViews
AllowOverride None
Require all granted
</Directory>
With this I'm able to access all files/folders inside /web/playbooks/tmpfiles through a web browser URL like the one below.
http://<server>:<port>/getfiles/<anyfile.txt>
Is it possible to refresh the above URL so I can see the latest changes to files/folders inside /web/playbooks/tmpfiles periodically?
Any solution would be great.
You could try to make the client auto-refresh by itself through instructions in the HTML itself, instead of trying to do something weird which is probably not in the HTTP spec (I might be wrong).
For example, according to your directory entry, load the mod_autoindex module and then use this config:
<Directory /web/playbooks/tmpfiles>
Options Indexes MultiViews
IndexOptions FancyIndexing
IndexHeadInsert "<meta http-equiv=\"refresh\" content=\"10\">"
AllowOverride None
Require all granted
</Directory>
This way Apache httpd will add that tag to the HTML and the client will know it has to auto-refresh the page every 10 seconds. Generally it is not recommended to set this too low, so perhaps 10 seconds and above is alright for you.
I have the following configuration in my httpd.conf file. I am trying to remove the vulnerability "Authentication Bypass Using HTTP Verb Tampering". I only want to allow certain HTTP request headers, GET and POST in the example below, and a different header should throw an error.
DocumentRoot "c:/dev"
<Directory "C:/dev">
Options Indexes FollowSymLinks MultiViews Includes
AllowOverride Limit
<LimitExcept GET POST>
Order deny,allow
Deny from all
</LimitExcept>
Order allow,deny
Allow from all
</Directory>
This configuration is still allowing other HTTP request headers like PUT, OPTIONS etc. I am using the Postman API to test my changes. Please help!
This is how you can limit to GET/POST/OPTIONS. Note: NIST STIGs V-26396 states that this should not be applied to the root but only to the others, such as in my example (/etc/apache2/apache2.conf):
It appears that this would work as well:
<Location /var/www/>
Order allow,deny
Allow from all
<LimitExcept POST GET>
Deny from all
</LimitExcept>
</Location>
<Location /usr/share/>
Order allow,deny
Allow from all
<LimitExcept POST GET>
Deny from all
</LimitExcept>
</Location>
Further reading :
https://vaulted.io/library/disa-stigs-srgs/apache_22_server_for_unix_security_technical_implementation_guide/V-26396
http://httpd.apache.org/docs/current/mod/core.html#limitexcept
Try these settings:
<Location />
Order allow,deny
Allow from all
<LimitExcept POST GET>
Deny from all
</LimitExcept>
</Location>
The LimitExcept directive is the inverse of the Limit directive. It allows applying a set of access restrictions to all HTTP methods except for the ones listed with the LimitExcept directive. See this link: http://httpd.apache.org/docs/current/mod/core.html#limitexcept. So the access restrictions are applied to all HTTP methods except for the ones listed with LimitExcept.
In your case the problem seems to be with the access control directives. See this link for more information: http://httpd.apache.org/docs/current/mod/mod_access_compat.html#order
You can try to remove the directives below
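Two points from this thread and the earlier one about `<Limit PUT DELETE TRACE>` are worth checking with a request rather than by reading the config: `<LimitExcept GET POST>` must deny every other method, including HEAD-style variants and made-up method tokens, and TRACE is not affected by `<Limit>`/`<LimitExcept>` at all (only `TraceEnable off` disables it). The script below is an added example, not code from any of the posts: it sends one request per method and reports the status codes, and a small stand-in server (assumed behaviour modelled on Apache's documented rules: HEAD follows GET, TRACE with `TraceEnable off` answers 405, everything else hits the `<LimitExcept>` denial) lets it run offline. The config quoted in the docstring and the `/var/www/html` path are assumptions; against a real server you would call `probe_methods()` with that host and port instead of starting the stand-in.

```python
"""Probe which HTTP methods a server accepts: the check to run after adding a
<LimitExcept> block.  Added example, not from the original posts.

Config it is meant to verify (assumed layout, Apache 2.4 syntax):

    TraceEnable off
    <Directory "/var/www/html">
        <LimitExcept GET POST>
            Require all denied
        </LimitExcept>
    </Directory>

Apache 2.2 equivalent of the <LimitExcept> body: "Order deny,allow" followed
by "Deny from all".  In both versions TRACE is outside <Limit>/<LimitExcept>;
only "TraceEnable off" turns it off.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# What a verb-tampering check should send: the methods you intend to allow,
# the dangerous ones, and a made-up token (an unknown method is still a request
# the server has to decide on).
PROBE_METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "FOO")


def probe_methods(host, port, path="/", methods=PROBE_METHODS, timeout=5):
    """Return {method: status_code}, one fresh connection per method."""
    results = {}
    for method in methods:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request(method, path)
            resp = conn.getresponse()
            resp.read()  # drain the body so the socket closes cleanly
            results[method] = resp.status
        finally:
            conn.close()
    return results


def bypasses(results, allowed=("GET", "HEAD", "POST")):
    """Methods outside the allow-list that got a 2xx: each one is a hole."""
    return sorted(m for m, status in results.items()
                  if m not in allowed and 200 <= status < 300)


class _PolicyHandler(BaseHTTPRequestHandler):
    """Stand-in for Apache running the config above (assumed model, so the
    probe runs offline): HEAD is treated like GET by <Limit>/<LimitExcept>,
    TRACE answers 405 under TraceEnable off, and every other method, unknown
    tokens included, falls under the <LimitExcept> denial (403)."""

    def _reply(self, status, body=b""):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(body)

    def do_GET(self):
        self._reply(200, b"ok\n")

    do_HEAD = do_GET
    do_POST = do_GET

    def do_TRACE(self):
        self._reply(405)

    def __getattr__(self, name):
        # http.server dispatches on "do_" + method; anything not defined above
        # (PUT, DELETE, OPTIONS, FOO, ...) lands here and is denied.
        if name.startswith("do_"):
            return lambda: self._reply(403)
        raise AttributeError(name)

    def log_message(self, *args):
        pass  # keep the probe output readable


def start_policy_server():
    """Start the stand-in on a free loopback port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), _PolicyHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    srv, port = start_policy_server()
    try:
        found = probe_methods("127.0.0.1", port)
        for method, status in found.items():
            print(f"{method:8} {status}")
        print("bypasses:", bypasses(found) or "none")
    finally:
        srv.shutdown()
        srv.server_close()
```

Run it against the real host after the config change and look at the `bypasses` line: anything listed there means the block is not being applied to that path (for example because a narrower `<Directory>` with `Require all granted` overrides it, or because the block sits on `<Directory />` while the site lives elsewhere). A 405 for TRACE, not a 403, is the sign that `TraceEnable off` rather than `<Limit>` is doing the work.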
I have Apache 2.4 installed using Homebrew on my Mac. The following does not work, it allows access to the entire filesystem:
<Directory />
AllowOverride None
Require all denied
</Directory>
If I enable access_compat_module and change the above block to the block below, it works as expected. I didn't make any other changes to httpd.conf.
<Directory />
AllowOverride None
Order deny,allow
Deny from all
</Directory>
I thought these were equivalent but clearly something is not working. I have authz_core_module enabled in both cases. Any ideas what I am doing wrong? Thanks.
If you want to share only '/path/to/share', then you need not touch
<Directory />
Instead, update the
<Directory "/Library/WebServer/Documents">
block to be:
<Directory "/Library/WebServer/Documents">
Options FollowSymLinks Indexes
MultiviewsMatch Any
AllowOverride None
Require all granted
</Directory>
Then you can create a soft link under /Library/WebServer/Documents that points to /path/to/share, and give /path, /path/to and /path/to/share enough permission to make it accessible from http://<your domain name>/.
This is the system-level way to share a particular directory. There are also other ways to share a particular directory on your server, e.g. Alias, or user level:
http://<your domain name>/~<username>
reference documents
I'm new to this.
We did a system scan last night. However, during the scan the system went down, and we are facing a 403 Forbidden error when accessing the web.
Please kindly assist with how and where I should check.
Version: Apache/2.4.7 (Ubuntu)
Ubuntu 4.2
The application was working fine all this while and no changes were made on the server.
Your help on this is much appreciated.
Thank you!
Here's the config file for further help:
/etc/apache2/apache.conf
<Directory />
Options FollowSymLinks
AllowOverride None
# Require all denied
Require all granted
</Directory>
<Directory /usr/share>
AllowOverride None
Require all granted
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
/etc/apache2/sites-available/000-default.conf
<Directory "/var/www/html">
Options All
AllowOverride All
Require all granted
</Directory>
As you have already added some conf files to your question, and extended comments should be avoided on SO (and you don't have the required 20 reputation for moving to chat), the next suggestions are here: add your .htaccess as well, and maybe this is of help: Apache2: 'AH01630: client denied by server configuration'
In addition, it might help if you open (depending on your browser and development tools) e.g. the Firebug Net Panel to check what happens when you call your site's URL: whether the 403 occurs directly or whether there is any kind of redirect taking place. It could also help to trace the address in a shell / command prompt to see what's going on.
Now this is likely to be a dumb question as I'm new to Apache and web hosting in general. I'm trying to set configuration options for apache but none of them are working.
The first option I'm trying to set is disabling directory indexes. The directory /var/www/schedules/ has no index.html and I'm trying to get it to display a 403 Forbidden on accessing /schedules. I put Options -Indexes at the beginning of /etc/apache2/apache2.conf but it has no effect. I then tried
<Directory />
Options -Indexes
</Directory>
but it also had no effect. I replaced <Directory /> with <Directory /var/www/> but it also had no effect. The only thing that worked was replacing it with <Directory /var/www/schedules/>. This doesn't seem to disable directory indexing globally however.
The other thing I'm trying to do is blocking access by IP. However even the simplest things don't work. I added to apache2.conf this:
<Directory />
Order allow,deny
Deny from all
</Directory>
but it didn't work; I could still access all the pages. Tried <Directory /var/www>, also didn't work.
Using Ubuntu 12.04.3 LTS.
<Directory ~ "/var/www/.*">
#...options...
</Directory>