PUT request results in 403 Forbidden - need Apache to allow PUT requests

I'm building a RESTful API and need Apache to accept PUT requests. Whenever I PUT to the URL, I get the error 403 Forbidden:

curl -X PUT api.example.com/api/foo

I tried adding the following to my virtual directory (without success):

<Limit GET POST PUT DELETE HEAD OPTIONS>
    Order allow,deny
    Allow from all
</Limit>
<LimitExcept GET POST PUT DELETE HEAD OPTIONS>
    Order deny,allow
    Deny from all
</LimitExcept>

What other configuration settings could be causing this?

EDIT

I'm rewriting my URLs so that everything is rewritten to index.php, as follows:

RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !\.
RewriteRule ^(.*)$ /api/index.php/$1 [L,QSA]

Answer 1

Add this to the .htaccess file in that folder:

-- For Apache 2.2

<Limit GET POST PUT OPTIONS DELETE PATCH HEAD>
    Order allow,deny
    Allow from all
</Limit>
<LimitExcept GET POST PUT OPTIONS DELETE PATCH HEAD>
    Order deny,allow
    Deny from all
</LimitExcept>

-- For Apache 2.4

<Limit GET POST PUT OPTIONS DELETE PATCH HEAD>
    Require all granted
</Limit>
<LimitExcept GET POST PUT OPTIONS DELETE PATCH HEAD>
    Require all denied
</LimitExcept>

Note: you can remove the methods you don't need.

Answer 2

At least in the latest version of Apache (2.4.38) with modsecurity enabled, only these methods are allowed by default: GET HEAD POST OPTIONS

When a PUT request is issued, the Apache2 error log returns this message:

[Wed May 06 11:46:56.680835 2020] [:error] [pid 20162] [client 172.16.x.x:58147] [client 172.16.12.144] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/share/modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "46"] [id "911100"] [msg "Method is not allowed by policy"] [data "PUT"] [severity "CRITICAL"] [ver "OWASP_CRS/3.1.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] [hostname "192.168.x.x"] [uri "/app/api/widgets/grid"] [unique_id "XrKHkEqec4EieQ@yCDCkkQAAABI"], referer: https://192.168.x.x/app

The best way to fix this is to change this policy in modsecurity, so edit the file "/etc/modsecurity/crs/crs-setup.conf", uncomment the following lines and add PUT to the allowed methods:

SecAction \
"id:900200,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT DELETE'"
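As an added example (not part of this answer or the page), here is a small parser for the ModSecurity error-log format quoted above, paired with a reader for the tx.allowed_methods value in crs-setup.conf, so that a CRS 911100 "Method is not allowed by policy" hit can be checked against the configured allow-list. The sample log line and SecAction are constructed from the answer's text (tag list shortened); the verdict names are my own.

```python
import re
# Constructed sample input (not the page's text verbatim): the error-log line quoted above,
# joined onto one line with a shortened tag list, and the SecAction with PUT/DELETE added.
SAMPLE_LOG = (
    '[Wed May 06 11:46:56.680835 2020] [:error] [pid 20162] [client 172.16.x.x:58147] '
    '[client 172.16.12.144] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" '
    'against "REQUEST_METHOD" required. '
    '[file "/usr/share/modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] '
    '[line "46"] [id "911100"] [msg "Method is not allowed by policy"] [data "PUT"] '
    '[severity "CRITICAL"] [ver "OWASP_CRS/3.1.0"] [tag "application-multi"] '
    '[tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [hostname "192.168.x.x"] '
    '[uri "/app/api/widgets/grid"] [unique_id "XrKHkEqec4EieQ@yCDCkkQAAABI"]'
)
SAMPLE_CONF = r"""SecAction \
"id:900200,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT DELETE'"
"""

FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')        # ModSecurity's [key "value"] fields
ALLOWED_RE = re.compile(r"tx\.allowed_methods=([A-Z ]+)")  # value inside setvar:'...'

def parse_modsec_line(line):
    """Return the bracketed fields of one ModSecurity error-log line (tags as a list)."""
    fields = {"tag": []}
    for key, value in FIELD_RE.findall(line):
        if key == "tag":
            fields["tag"].append(value)
        else:
            fields[key] = value
    return fields

def allowed_methods(conf_text):
    """Read tx.allowed_methods from the uncommented SecAction 900200 in crs-setup.conf."""
    live = "\n".join(l for l in conf_text.splitlines() if not l.lstrip().startswith("#"))
    m = ALLOWED_RE.search(live)
    return set(m.group(1).split()) if m else set()

def classify(line, allowed):
    """For a CRS 911100 hit return (method, uri, verdict); None for any other line.
    'stale-policy': the config already lists the method, so the running rules are out of
    date (reload/uncomment needed); 'blocked-by-policy': the method is outside the list."""
    f = parse_modsec_line(line)
    if f.get("id") != "911100":
        return None
    method = f.get("data", "").upper()
    verdict = "stale-policy" if method in allowed else "blocked-by-policy"
    return method, f.get("uri", ""), verdict
```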

Answer 3

Edit:

Add this to your Apache configuration:

 Script PUT /api/index.php

This assumes your actual handler script is called index.php and is located in /api.
