Home / server / Questions / 291485
Accepted
lisa1987
Asked: 2011-07-19 04:43:22 +0800 CST

Limiting HTTP methods in Apache2

  • 772

I have a default Apache installation on Ubuntu 10.04.

I use the following Nmap scan to determine the available Apache methods:

nmap -p80 --script=http-methods 192.168.1.66

The result is:

http-methods: GET HEAD POST OPTIONS

I'm trying to eliminate the HEAD method. So in /etc/apache2/apache.conf I added the following:

<Directory "/var/www/*">
<LimitExcept GET POST OPTIONS>
Deny from all
</LimitExcept>
...
</Directory>

I then restarted the web server. However the nmap scan still prints the same results.

Does anyone know what I'm missing here?

ubuntu apache-2.2 configuration

1 Answers

  1. Best Answer

    The documentation for <Limit> explicitly states:

    If GET is used it will also restrict HEAD requests

    This very strongly implies that for the purposes of <Limit> and <LimitExcept> that GET and HEAD are treated the same. Restrictions applied to GET will apply to HEAD, and therefore if GET is unrestricted so HEAD will also be unrestricted.

    Further, the HTTP/1.1 RFC 2616 explicitly states (section 9.4):

    The HEAD method is identical to GET except that the server MUST NOT return
a message-body in the response.

    Further clarifying the direct relationship between GET and HEAD.

    The final piece of information to clarify this, also from RFC 2616, (section 5.1.1):

    The methods GET and HEAD MUST be supported by all general-purpose servers.

    This information all together tends to strongly imply that what you wish to accomplish will not be possible by configuration changes alone.

    • 3