我正在构建 RESTFUL API,需要让 Apache 接受 PUT 请求。每当我将其放入 URL 时,都会收到错误403 Forbidden
。
curl -X PUT api.example.com/api/foo
我尝试将以下内容添加到我的虚拟目录中(但没有成功):
<Limit GET POST PUT DELETE HEAD OPTIONS>
Order allow,deny
Allow from all
</Limit>
<LimitExcept GET POST PUT DELETE HEAD OPTIONS>
Order deny,allow
Deny from all
</LimitExcept>
哪些其他配置设置可能导致这种情况?
编辑
我正在重写我的 URL,所有内容都重写为 index.php,如下所示:
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !\.
RewriteRule ^(.*)$ /api/index.php/$1 [L,QSA]
答案1
将其添加到此文件夹中的 .htaccess 文件中
-- 对于 Apache 2.2
<Limit GET POST PUT OPTIONS DELETE PATCH HEAD>
Order allow,deny
Allow from all
</Limit>
<LimitExcept GET POST PUT OPTIONS DELETE PATCH HEAD>
Order deny,allow
Deny from all
</LimitExcept>
-- 对于 Apache 2.4
<Limit GET POST PUT OPTIONS DELETE PATCH HEAD>
Require all granted
</Limit>
<LimitExcept GET POST PUT OPTIONS DELETE PATCH HEAD>
Require all denied
</LimitExcept>
注意:你可以删除不需要的方法
答案2
至少在启用 modsecurity 的最新版本 Apache (2.4.38) 中,默认情况下只允许使用这些方法:GET HEAD POST OPTIONS
当发出 PUT 请求时,Apache2 的错误日志返回此消息:
[Wed May 06 11:46:56.680835 2020] [:error] [pid 20162] [client 172.16.x.x:58147] [client 172.16.12.144] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/share/modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "46"] [id "911100"]
[msg "Method is not allowed by policy"] [data "PUT"] [severity "CRITICAL"] [ver "OWASP_CRS/3.1.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] [hostname "192.168.x.x"] [uri "/app/api/widgets/grid"] [unique_id "XrKHkEqec4EieQ@yCDCkkQAAABI"], referer: https://192.168.x.x/app
解决这个问题的最好方法是在 modsecurity 中更改此策略,因此编辑文件“/etc/modsecurity/crs/crs-setup.conf“并取消注释以下行并添加允许的 PUT:
SecAction \
"id:900200,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT DELETE'"
答案3
编辑:
将其添加到你的 Apache 配置中:
Script PUT /api/index.php
这假设您的实际处理程序脚本被调用index.php
并且位于/api
。