Re: Deny CONNECT & GET http requests

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 6/19/07, Bob <bob@xxxxxxxxxxxxxxx> wrote:


You are wrong


Really? Interesting.

Well, no actually, I'm not. But it's nice how confident you are about
your knowledge on this issue.


, my original post showed the CONNECT requests having a 200
status code which means apache did service them successfully


As I've told you repeatedly, php was almost certainly treating the
CONNECT request just like a GET request. So the CONNECT was not
succeeding in the sense of connecting to a third-party server. It was
simply serving your index.php page.


My book says a 500 code is a common error when a client calls a flawed
CGI script.


And this is not the "correct" status code. The correct status code is
403 (forbidden). But as I already said, the status code is not that
important since the robots don't care. (And, in fact, the original 200
status code wasn't really a problem either unless your index.php
script uses up lots of resources. So you could have just left things
as they were.)


I have read the php manual concerning selecting individual
methods. I could not find any mention of how to tell php to limit it self to
only using desired methods.  A link to the php manual where it explains how
to restrict php to only allow the use of selected methods would go a long
way to support your view point. Providing a how to fix it post like I did is
far better then a reply spouting apache dogma. Results are what count here.


I'm not here to win a debate with you. I'm just here to try to help
you understand how your server is working. For php configuration
questions you are better off on a php list. But I have already given
you explicit instructions: "I believe you
can set http.allowed_methods in your php config to the list of methods
php should handle. (GET and POST would be a good basic list.)" This is
documented here:
http://www.php.net/manual/en/ini.php

As I've also already told you, your current config should be fine. But
don't go recommending it to others as the proper solution when there
are many cleaner and safer solutions available (and listed in the
FAQ).

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux