Rich - many thanks - replies interspersed below:

On 2026-05-13 09:22, [email protected] wrote:

Paul,

The <LimitExcept GET HEAD> approach would deny all POST/PUT/DELETE
requests to the cgi-bin directory entirely -- including the legitimate
ones from your own form. That would effectively break your application
since your form uses POST.

Agreed

One thing worth checking: you mentioned Require ip 127.0.0.1 is
"functional" -- are you testing from the server itself, or is there
a reverse proxy in front of Apache that might be making all requests
appear to come from localhost? That would explain why it seems to
work but wouldn't actually protect you from external POSTs arriving
directly. Worth verifying it still blocks when tested from outside
your network.

Yes -- that was the case.  Now there is a proper proxy_pass from nginx.

If the goal is to block external actors while allowing your form's
POST through, you have a few practical options in order of robustness:

1. CSRF tokens (as Nutchanon described) -- the strongest solution,
but requires modifying your Perl script.

Now being implemented. Seems to work well in our sandbox, a bit more testing before production.

2. Referer check via mod_rewrite -- lighter-weight, can be done
in .htaccess:

RewriteEngine On
# Only POSTs are gated; GETs of the form itself still pass.
RewriteCond %{REQUEST_METHOD} POST
# Reject when the Referer is absent or not from this site.
# (The header is client-supplied, so this is spoofable.)
RewriteCond %{HTTP_REFERER} !^https?://your\.domain\.com/ [NC]
# In a .htaccess in the document root the matched path is relative
# to that directory, so "cgi-bin/" matches; adjust if placed elsewhere.
RewriteRule ^cgi-bin/ - [F,L]

This isn't bulletproof (Referer can be spoofed), but it stops
casual abuse.

We tried this, but our "abusers", a well-distributed attack, were spoofing the Referer. I've stopped (dropped) them at the moment with a rather ugly bit of logic in the perl/cgi, but if they're serious, it won't take them long to wake up.

3. Require expr with Referer (an alternate Apache 2.4 native approach):

<Directory "/www/mysite/cgi-bin">
    # Deny POSTs whose Referer is missing or not from this site.
    <If "%{REQUEST_METHOD} == 'POST' && %{HTTP_REFERER} !~ m#^https?://your\.domain\.com/#">
        Require all denied
    </If>
</Directory>

Looks as though this is fairly trivial and should be added, even if it becomes overkill. I'm close to hardening nginx so that apache never gets the requests. Then at least I don't have to analyze two sets of logs ;=}

Again, many thanks,
Paul

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
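An added example, not code from this thread or from the poster's own script, of the CSRF-token approach listed as option 1 above: a self-contained Perl CGI that mints an HMAC-SHA256 token bound to a random per-visitor cookie on GET and verifies it before doing any work on POST. The secret, the form name "contact", the cookie name csrf_id, the field name csrf_token, the one-hour lifetime and the path /cgi-bin/form.cgi are assumptions made for illustration; only core modules (Digest::SHA) are used, so it does not need CGI.pm.

```perl
#!/usr/bin/perl
# Added example (not the list poster's script): CSRF token for a Perl CGI
# form, bound to a per-visitor cookie and signed with HMAC-SHA256.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumed: in production load this from a file outside the docroot.
my $SECRET    = 'replace-with-32-random-bytes-from-/dev/urandom';
my $FORM_ID   = 'contact';   # assumed form name; binds the token to one form
my $TOKEN_TTL = 3600;        # seconds a token stays valid (assumed)

# Random per-visitor id kept in an HttpOnly cookie, so a token is only
# valid together with the cookie it was minted for.
sub new_visitor_id {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read $fh, my $bytes, 16 or die "urandom short read";
    close $fh;
    return unpack 'H*', $bytes;
}

# Token = expiry . "." . HMAC(secret, visitor_id | expiry | form_id)
sub make_token {
    my ($visitor_id, $now) = @_;
    my $exp = $now + $TOKEN_TTL;
    my $mac = hmac_sha256_hex("$visitor_id|$exp|$FORM_ID", $SECRET);
    return "$exp.$mac";
}

# Constant-time comparison: does not leak where the strings differ.
sub consteq {
    my ($x, $y) = @_;
    return 0 if length $x != length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

sub check_token {
    my ($visitor_id, $token, $now) = @_;
    return 0 unless defined $visitor_id && defined $token;
    my ($exp, $mac) = $token =~ /^(\d+)\.([0-9a-f]{64})$/ or return 0;
    return 0 if $exp < $now;                      # expired
    my $want = hmac_sha256_hex("$visitor_id|$exp|$FORM_ID", $SECRET);
    return consteq($mac, $want);
}

# Minimal cookie and form-body parsing (application/x-www-form-urlencoded).
sub cookie_value {
    my ($name, $header) = @_;
    for my $kv (split /;\s*/, $header // '') {
        my ($k, $v) = split /=/, $kv, 2;
        return $v if defined $v && $k eq $name;
    }
    return undef;
}

sub form_field {
    my ($name, $body) = @_;
    for my $kv (split /&/, $body // '') {
        my ($k, $v) = split /=/, $kv, 2;
        next unless defined $v && $k eq $name;
        $v =~ tr/+/ /;
        $v =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
        return $v;
    }
    return undef;
}

# CGI entry point: GET renders the form, POST verifies before any real work.
unless (caller) {
    my $now     = time;
    my $method  = $ENV{REQUEST_METHOD} // 'GET';
    my $visitor = cookie_value('csrf_id', $ENV{HTTP_COOKIE});

    if ($method eq 'POST') {
        my $len = $ENV{CONTENT_LENGTH} || 0;
        $len = 65536 if $len > 65536;              # cap what we read
        read STDIN, my $body, $len;
        if (check_token($visitor, form_field('csrf_token', $body), $now)) {
            print "Status: 200 OK\r\nContent-Type: text/plain\r\n\r\nThanks.\n";
            # ... real form processing goes here ...
        } else {
            print "Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n",
                  "Bad or missing CSRF token.\n";
        }
    } else {
        $visitor //= new_visitor_id();
        my $token = make_token($visitor, $now);
        print "Set-Cookie: csrf_id=$visitor; Path=/cgi-bin/; HttpOnly; Secure; SameSite=Strict\r\n";
        print "Content-Type: text/html\r\n\r\n";
        print qq{<form method="POST" action="/cgi-bin/form.cgi">\n},
              qq{<input type="hidden" name="csrf_token" value="$token">\n},
              qq{<input type="text" name="message"> <input type="submit">\n</form>\n};
    }
}
```

Run it under Apache as a CGI, or from a shell with REQUEST_METHOD=GET to see the rendered form and Set-Cookie header. The token defends against another site making a victim's browser submit the form; a bot that first GETs the form and keeps the cookie will obtain a valid token, so for the distributed abuse described in this thread it needs to be paired with rate limiting or a challenge at the nginx layer rather than relied on alone.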
