This is not a mailing list for reporting bugs, it's the mailing list used by bugzilla. Avoid Limit/LimitExcept in 2.4. In the config below, if the Location / comes second, it means the authorization config replaces the one defined in server-info, not merged with it, and GET is no longer limited.
On Fri, Nov 2, 2018 at 8:28 AM Lothar Belle <[email protected]> wrote: > We want to Allow only specific Methods i.e. HEAD POST GET. > so we are using. > <Location /> > <LimitExcept HEAD POST GET> > Require all denied > </LimitExcept> > </Location> > Location is required, because we use mod_proxy, so no directory access is > performed. > Strangely it overrules a previous defined. > <Location /server-info> > SetHandler server-info > Require local > </Location> > So as a result server-info is accessible from everywhere. > According to my understanding, and documentation this behavior is not > correct. > *https://httpd.apache.org/docs/2.4/en/mod/core.html#limitexcept > <https://httpd.apache.org/docs/2.4/en/mod/core.html#limitexcept>:* > *<LimitExcept> and </LimitExcept> are used to enclose a group of access > control directives which will then apply to any HTTP access method not > listed in the arguments * > > Thanks a lot! > Regards, > Lothar > > > > -- Eric Covener [email protected]
