On 7/21/2011 4:12 PM, Scott Ferguson wrote:
> On 07/21/2011 02:01 PM, Aaron Freeman wrote:
>> On 7/21/2011 12:27 PM, Scott Ferguson wrote:
>>> On 07/20/2011 10:39 AM, Aaron Freeman wrote:
>>>> I'd like to disabled the HTTP CONNECT method. I don't know the best
>>>> way to do that, but I tried this and it's not working:
>>>> <resin:Forbidden regexp='.*'>
>>>> <resin:IfMethod value="CONNECT"/>
>>>> The request is passed on and I receive a 200 OK response when I telnet
>>>> and test the CONNECT.
>>>> What is the most efficient way to get Resin to deny those requests?
>>> That config works for me. (You don't need the regexp if you're matching
>>> everything, but it doesn't matter for this issue.)
>>> There is the<resin:Forbidden> tag?
>>> -- Scott
>> The config doesn't bomb, but in resin-pro-4.0.18 when I run this:
>> > telnet localhost 80
>> CONNECT http://localhost/ HTTP/1.0
>> I then get the home page and a 200 OK, instead of a 403 FORBIDDEN.
>> You are able to get it to throw an appropriate HTTP 403?
> Where is the<resin:Forbidden> tag? (<cluster>,<host>,<web-app>,
> -- Scott
Ah now I get your question. :) I was confused.
I tried in the web-app-default and web-app based on the regex, but I am
guessing you are going to tell me that's too late and I need to put it
at the <host> level -- so I just tried that and it's working great.
Sorry for being slow and not thinking this one through more.
resin-interest mailing list