On Fri, Feb 12, 2016 at 10:47 AM, Daniel <dferradal@xxxxxxxxx> wrote:
> The typical way to block OPTIONS in 2.2 does not need mod_rewrite at all
> IIRC. You just add this in your location/directory:
> <LimitExcept GET POST>
> deny from all
> </LimitExcept>
>
> and will return 403 if you try OPTIONS method there
That wouldn't work because the replies to OPTIONS requests happen
before in the map_to_storage hook, that is before the authz hooks
(Toomas tried that already).
Will discuss this on dev@, because ISTM that should work with something like:
<LocationMatch ^> # matches / and *
<Limit OPTIONS>
Deny from all # 2.2
Require all denied # 2.4
</Limit>
</LocationMatch>
For now I could only make it work with:
RewriteEngine on
RewriteOptions AllowAnyURI # for * to be taken into account by mod_rewrite
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^ - [R=405,L]
RewriteRule ^[^/] - [R=403,L]
which should be the first rewrite rules for AllowAnyURI to not be
"dangerous" for further rules (if any) failing to match the leading
slash.
Regards,
Yann.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|