Stopping “connect” attacks: PHP vs Apache2

If mod_proxy is commented out but you are using php5. Tried putting this statement http.allowed_methods = GET & POST into /*/php.ini But it had no effect? The best solution was to add an location declarative with a LimitExcept. The location in the httpd-conf where to place this is very important.

First find this in the conf file

# Each directory to which Apache has access, can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
# First, we configure the "default" to be a very restrictive set of
# permissions for directories.

<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order allow,deny
    Deny from all

Then add the following right after it and restart apache to activate.

# Second, we configure the "default" Location to restrict the methods
# to stop CONNECT method attacks.

<Location />
    <LimitExcept GET POST>
       Order allow,deny
       Deny from all

All CONNECT requests from this point on will get a status code of 403
Forbidden for both perl and php CONNECT attacks.

Добавить комментарий

Ваш адрес email не будет опубликован. Обязательные поля помечены *


Scroll to top