httpd-users mailing list archives

From Spork Schivago <sporkschiv...@gmail.com>
Subject Re: [users@httpd] Block access to "OPTIONS *"
Date Fri, 12 Feb 2016 06:41:48 GMT
Thank you.   I do see the 200 OK response.

OPTIONS / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 12 Feb 2016 06:35:33 GMT
Server: Apache
Allow: GET,HEAD,POST,OPTIONS
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Content-Length: 0
Connection: close
Content-Type: text/html

Connection closed by foreign host.

How do I go about fixing this again?   I'd like the fix to be server wide,
so I'd want to put this in my httpd.conf file?

RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule .* - [R=405,L]
RewriteRule ^[^/] - [R=403,L]

I'm currently redirecting all http traffic to the https version of my site
using this in .htaccess files:

RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^(.*) https://%{HTTP_HOST}/$1 [R]

I'd like to add that to make it server wide as well I think.   Just gotta
figure out where to put it in the httpd.conf file (or the vhosts .conf
files).   I use cPanel / WHM and EasyApache so it makes things much harder
to figure out.


On Fri, Feb 12, 2016 at 12:33 AM, Toomas Aas <toomas.aas@reach-u.com> wrote:

>
> On 02/12/2016 03:38 AM, Spork Schivago wrote:
>
>> Sorry to put in here, but is there a way for me to test to see if my
>> server is affected by this OPTIONS issue?
>>
>
>
> Testing is easy. Just telnet to port 80 of your server, type "OPTIONS /
> HTTP/1.0" and press Enter twice.
>
> $ telnet www.yoursite.com 80
> Trying 12.34.56.78...
> Connected to www.yoursite.com.
> Escape character is '^]'.
> OPTIONS / HTTP/1.0
>
> HTTP/1.0 200 OK
> Allow: OPTIONS, GET, HEAD, POST
> Content-Length: 0
> Connection: close
> Date: Fri, 12 Feb 2016 05:29:26 GMT
> Server: Apache
>
> If you see the "200 OK" response, you are affected.
>
> --
> Toomas Aas | support engineer
> www.reach-u.com
>

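The telnet test described in the quoted reply, scripted so it can be re-run after a configuration change. This is an added example, not part of the original thread; the function names, the extra Host header and the 405 sample response are assumptions made for illustration.

```python
import socket
import sys

# Response quoted in the message above (some headers omitted, CRLF endings assumed).
PAGE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nDate: Fri, 12 Feb 2016 06:35:33 GMT\r\n"
    b"Server: Apache\r\nAllow: GET,HEAD,POST,OPTIONS\r\n"
    b"Content-Length: 0\r\nConnection: close\r\n\r\n"
)
# Constructed sample: what a server that rejects OPTIONS might send back.
BLOCKED_RESPONSE = b"HTTP/1.1 405 Method Not Allowed\r\nServer: Apache\r\nConnection: close\r\n\r\n"


def build_probe(host, target="/"):
    """Request typed in the telnet test; the Host header is an addition so a
    name-based virtual host can be tested. target may also be "*"."""
    return f"OPTIONS {target} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def classify(raw):
    """Return (status, allowed_methods, affected) for a raw HTTP response.
    'affected' follows the thread's rule: OPTIONS answered with 200."""
    head = raw.decode("iso-8859-1").replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    parts = lines[0].split(None, 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    allow = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "allow":
            allow += [m.strip().upper() for m in value.split(",") if m.strip()]
    status = int(parts[1])
    return status, allow, status == 200


def probe(host, port=80, target="/", timeout=5.0):
    """Send the probe over plain TCP and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_probe(host, target))
        chunks = []
        while (data := sock.recv(4096)):
            chunks.append(data)
    return classify(b"".join(chunks))


if __name__ == "__main__" and len(sys.argv) > 1:
    for target in ("/", "*"):
        print(target, probe(sys.argv[1], target=target))
```

Run it with your own server's hostname as the only argument; it probes both "OPTIONS /" and "OPTIONS *" on port 80.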