The Apache HTTP Server accepts a wide range of request methods, such as GET, POST, HEAD, OPTIONS, PUT, DELETE and TRACE (plus WebDAV methods such as MOVE when mod_dav is loaded; TRACK and DEBUG are Microsoft IIS methods, but they are commonly added to block lists anyway). That does not mean your site needs all of them. Many are simply unused and harmless, but some should be disabled to reduce the attack surface of your web sites. This post explains how to block selected request methods and answer them with an HTTP 405 (Method Not Allowed) status code.
In this post we show an example of the Apache module mod_rewrite being used to answer unwanted methods with a 405 (or to send them to another URL) and so restrict access to the website exactly as we want.
Step 1: Check which methods are allowed by Apache
# nmap -p443 --script http-methods <IPAddress>
Starting Nmap 6.40 ( http://nmap.org ) at 2019-10-23 08:59 +03
Nmap scan report for <IPAddress>
Host is up (0.0032s latency).
PORT STATE SERVICE
443/tcp open https
| http-methods: GET POST OPTIONS HEAD TRACE
| Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds
Step 2: Check the configuration files and find the <VirtualHost> for your web service
On CentOS/RHEL the SSL-based virtual host is defined by default in conf.d/ssl.conf (i.e. /etc/httpd/conf.d/ssl.conf), but virtual hosts can also be added directly to httpd.conf, so check both files to find the <VirtualHost> block you want to protect.
Make sure mod_rewrite is loaded. The LoadModule lines live in httpd.conf on older releases, or in 00-base.conf under the conf.modules.d directory on CentOS/RHEL 7. The following line must be present and not commented out:
LoadModule rewrite_module modules/mod_rewrite.so
Step 3: Add new rules to the virtualhost configuration
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|PUT|DELETE|CONNECT|OPTIONS|HEAD)
RewriteRule .* - [L,R=405]
Which methods will be blocked?
- TRACE
- TRACK
- PUT
- DELETE
- CONNECT
- OPTIONS
- HEAD
When Apache receives one of these methods, the rule fires and the request is answered with HTTP 405 (Method Not Allowed). The substitution "-" means "leave the URL unchanged", and because 405 is outside the 3xx range Apache sends no Location header; it simply returns that status and stops rewriting, as if the L flag had been given. If you would rather send these requests to a page of your choice, change "RewriteRule .* - [L,R=405]" to a substitution URL with a 3xx code. The RewriteRule documentation on the Apache web site describes the full syntax.
A few caveats before copying the list above into production:
- HEAD is a harmless read-only method (by the HTTP specification any server that answers GET must also support HEAD). Blocking it breaks load balancer health checks, caches and monitoring tools, so most sites should leave it enabled.
- OPTIONS is required for CORS preflight requests. Block it only if the site never serves cross-origin browser clients.
- TRACE can be disabled with the core directive "TraceEnable off", which is the Apache-recommended way and needs no mod_rewrite at all. TRACK has no handler in Apache, so listing it costs nothing.
- If you only need to restrict methods for a directory, Apache's own <LimitExcept GET POST> ... </LimitExcept> block with "Require all denied" does the same job without mod_rewrite, but answers 403 instead of 405.
Step 4: Restart Apache
Check the syntax first, then restart so the new virtual host configuration is loaded:
# httpd -t
CentOS 7 & RHEL 7:
# systemctl restart httpd
CentOS 5/6 & RHEL 5/6:
# /etc/init.d/httpd restart
Step 5: Check new configuration with curl and nmap
# nmap -p443 --script http-methods <IPAddress>
Starting Nmap 6.40 ( http://nmap.org ) at 2019-10-23 09:03 +03
Nmap scan report for <IPAddress>
Host is up (0.0019s latency).
PORT STATE SERVICE
443/tcp open https
| http-methods:
| Potentially risky methods:
|_See http://nmap.org/nsedoc/scripts/http-methods.html
Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds
Note that the http-methods script discovers methods by sending an OPTIONS request and reading the Allow header. Now that OPTIONS itself is answered with a 405 and an empty Allow header, nmap prints an empty list. An empty list alone proves nothing, so also send each method directly with curl and check that the status code is 405:
# curl -I -k -v https://<IPAddress>
(curl -I sends a HEAD request; using -X HEAD instead makes curl wait for a response body that a HEAD reply never carries.)
> HEAD / HTTP/1.1
> User-Agent: curl/7.29.0
> Accept: */*
>
< HTTP/1.1 405 Method Not Allowed
< Date: Wed, 23 Oct 2019 06:12:35 GMT
< Server: Apache
< Allow:
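To go beyond nmap's OPTIONS-based discovery, here is an added example (not part of the original post and not Apache's own tooling) that sends every method in the block list individually and reports the status code each one gets, the way the curl check above does but for all methods at once. So that it runs offline, it starts a local stand-in for the hardened virtual host; the stand-in answers 405 for the same methods the RewriteCond lists and, unlike the mod_rewrite answer, sends the Allow header that RFC 7231 requires on a 405. The loopback address, the ephemeral port, the block list and the "ok" body are assumptions for the demo; point probe() at your real host (with tls=True for port 443) to audit the production configuration.

```python
import http.client
import http.server
import threading

# Methods the post's RewriteCond blocks, plus the two we expect to keep working
# (constructed to mirror the rule; adjust to your own policy).
BLOCKED = ("TRACE", "TRACK", "PUT", "DELETE", "CONNECT", "OPTIONS", "HEAD")
ALLOWED = ("GET", "POST")


class VhostStandIn(http.server.BaseHTTPRequestHandler):
    """Local stand-in (assumption, not Apache) for the hardened <VirtualHost>:
    405 for methods in self.blocked, 200 for everything else. The block list is a
    class attribute so an 'unhardened' server (blocked=()) uses the same code."""
    protocol_version = "HTTP/1.1"
    blocked = BLOCKED

    def log_message(self, *args):  # keep the demo quiet
        pass

    def answer(self):
        if self.command in self.blocked:
            self.send_response(405)
            # A 405 must carry Allow (RFC 7231 6.5.5); mod_rewrite's R=405 sends it empty.
            self.send_header("Allow", ", ".join(ALLOWED))
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        body = b"ok\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if self.command != "HEAD":  # HEAD gets the headers only
            self.wfile.write(body)

    def __getattr__(self, name):
        # BaseHTTPRequestHandler dispatches on do_<METHOD>; route every method
        # (including the non-standard TRACK) to the same handler.
        if name.startswith("do_"):
            return self.answer
        raise AttributeError(name)


def start_stand_in(blocked=BLOCKED):
    """Start a stand-in on an ephemeral 127.0.0.1 port; returns (server, port)."""
    handler = type("Handler", (VhostStandIn,), {"blocked": tuple(blocked)})
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe(host, port, methods=BLOCKED + ALLOWED, path="/", tls=False, timeout=5):
    """Send each method once on a fresh connection and return {method: status},
    like running the curl check above once per method."""
    connect = http.client.HTTPSConnection if tls else http.client.HTTPConnection
    results = {}
    for method in methods:
        conn = connect(host, port, timeout=timeout)
        try:
            conn.request(method, path)
            resp = conn.getresponse()
            resp.read()
            results[method] = resp.status
        finally:
            conn.close()
    return results


def findings(results, blocked=BLOCKED):
    """Methods that the policy says to block but which were answered with a
    non-error status (< 400): these are the ones still exposed."""
    return [m for m in blocked if m in results and results[m] < 400]


def audit(blocked=BLOCKED, methods=BLOCKED + ALLOWED):
    """Start a stand-in with the given block list, probe it, and return
    (results, findings) judged against the BLOCKED policy."""
    server, port = start_stand_in(blocked)
    try:
        got = probe("127.0.0.1", port, methods)
    finally:
        server.shutdown()
        server.server_close()
    return got, findings(got)


if __name__ == "__main__":
    for label, block_list in (("before hardening", ()), ("after hardening", BLOCKED)):
        got, bad = audit(block_list)
        print(label, got, "still exposed:", bad)
```

Run as a script it prints the per-method status codes for an unhardened and a hardened stand-in; only the first run lists exposed methods. Against a real host, an empty findings list means every method in the policy was answered with a 4xx status, which is the evidence the empty nmap output above cannot give.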