I put this:

RewriteEngine on
# for * to be taken into account by mod_rewrite
RewriteOptions AllowAnyURI
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^ - [R=405,L]
RewriteRule ^[^/] - [R=403,L]

in my .htaccess file, but when I telnet to mydomain 80 and try the
OPTIONS thing, it's still returning a 200. I also tried the <LimitExcept
GET POST> stuff, but that didn't work either.

On Fri, Feb 12, 2016 at 6:47 AM, Yann Ylavic <[email protected]> wrote:
> On Fri, Feb 12, 2016 at 10:47 AM, Daniel <[email protected]> wrote:
> > The typical way to block OPTIONS in 2.2 does not need mod_rewrite at all
> > IIRC. You just add this in your location/directory:
> > <LimitExcept GET POST>
> > deny from all
> > </LimitExcept>
> >
> > and will return 403 if you try OPTIONS method there
>
> That wouldn't work because the replies to OPTIONS requests happen
> before in the map_to_storage hook, that is before the authz hooks
> (Toomas tried that already).
>
> Will discuss this on dev@, because ISTM that should work with something
> like:
> # matches / and *
> <LocationMatch ^>
> <Limit OPTIONS>
> # 2.2
> Deny from all
> # 2.4
> Require all denied
> </Limit>
> </LocationMatch>
>
> For now I could only make it work with:
> RewriteEngine on
> # for * to be taken into account by mod_rewrite
> RewriteOptions AllowAnyURI
> RewriteCond %{REQUEST_METHOD} OPTIONS
> RewriteRule ^ - [R=405,L]
> RewriteRule ^[^/] - [R=403,L]
> which should be the first rewrite rules for AllowAnyURI to not be
> "dangerous" for further rules (if any) failing to match the leading
> slash.
>
> Regards,
> Yann.
>
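
An added check, not part of the original thread: a scripted version of the telnet test described above, which sends OPTIONS * and OPTIONS / over a raw socket and reports whether the server answered 403/405 or still returned an Allow list. The function names and the two sample responses are constructed for illustration.

```python
import socket
import sys

BLOCKED = {403, 405}  # statuses the rules quoted in this thread return for OPTIONS

# Constructed sample responses (not captured from a real server).
SAMPLE_ALLOWED = (b"HTTP/1.1 200 OK\r\nServer: Apache\r\n"
                  b"Allow: GET,HEAD,POST,OPTIONS\r\nContent-Length: 0\r\n\r\n")
SAMPLE_BLOCKED = b"HTTP/1.1 405 Method Not Allowed\r\nContent-Length: 0\r\n\r\n"

def build_request(target, host):
    """Raw request as typed into telnet; target is '*' or a path such as '/'."""
    return (f"OPTIONS {target} HTTP/1.1\r\n"
            f"Host: {host}\r\nConnection: close\r\n\r\n").encode("ascii")

def parse_response(raw):
    """Return (status code, Allow header value or None) from raw response bytes."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    allow = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "allow":
            allow = value.strip()
    return int(parts[1]), allow

def verdict(raw):
    """Classify a response: OPTIONS counts as blocked only on 403 or 405."""
    status, allow = parse_response(raw)
    if status in BLOCKED:
        return f"blocked ({status})"
    return f"NOT blocked ({status}, Allow: {allow})"

def probe(host, port=80, target="*", timeout=5.0):
    """Send one OPTIONS request and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(target, host))
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return verdict(b"".join(chunks))

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    for target in ("*", "/"):  # server-wide form and a normal path
        print(f"OPTIONS {target}: {probe(host, target=target)}")
```

Run it against your own server before and after a configuration change; both lines should read "blocked" once the rules take effect.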