PUT 请求导致 403 Forbidden - 需要 Apache 允许 PUT 请求

Question 1

将其添加到此文件夹中的 .htaccess 文件中

-- 对于 Apache 2.2

<Limit GET POST PUT OPTIONS DELETE PATCH HEAD>
    Order allow,deny
    Allow from all
</Limit>
<LimitExcept GET POST PUT OPTIONS DELETE PATCH HEAD>
    Order deny,allow
    Deny from all
</LimitExcept>

-- 对于 Apache 2.4

<Limit GET POST PUT OPTIONS DELETE PATCH HEAD>
    Require all granted
</Limit>
<LimitExcept GET POST PUT OPTIONS DELETE PATCH HEAD>
    Require all denied
</LimitExcept>

注意：你可以删除不需要的方法

Answer

将其添加到此文件夹中的 .htaccess 文件中

-- 对于 Apache 2.2

<Limit GET POST PUT OPTIONS DELETE PATCH HEAD>
    Order allow,deny
    Allow from all
</Limit>
<LimitExcept GET POST PUT OPTIONS DELETE PATCH HEAD>
    Order deny,allow
    Deny from all
</LimitExcept>

-- 对于 Apache 2.4

<Limit GET POST PUT OPTIONS DELETE PATCH HEAD>
    Require all granted
</Limit>
<LimitExcept GET POST PUT OPTIONS DELETE PATCH HEAD>
    Require all denied
</LimitExcept>

注意：你可以删除不需要的方法

Question 2

至少在启用 modsecurity 的最新版本 Apache (2.4.38) 中，默认情况下只允许使用这些方法：GET HEAD POST OPTIONS

当发出 PUT 请求时，Apache2 的错误日志返回此消息：

[Wed May 06 11:46:56.680835 2020] [:error] [pid 20162] [client 172.16.x.x:58147] [client 172.16.12.144] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/share/modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "46"] [id "911100"] 
[msg "Method is not allowed by policy"] [data "PUT"] [severity "CRITICAL"] [ver "OWASP_CRS/3.1.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] [hostname "192.168.x.x"] [uri "/app/api/widgets/grid"] [unique_id "XrKHkEqec4EieQ@yCDCkkQAAABI"], referer: https://192.168.x.x/app

解决这个问题的最好方法是在 modsecurity 中更改此策略，因此编辑文件“/etc/modsecurity/crs/crs-setup.conf“并取消注释以下行并添加允许的 PUT：

SecAction \
"id:900200,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT DELETE'"

Answer

至少在启用 modsecurity 的最新版本 Apache (2.4.38) 中，默认情况下只允许使用这些方法：GET HEAD POST OPTIONS

当发出 PUT 请求时，Apache2 的错误日志返回此消息：

[Wed May 06 11:46:56.680835 2020] [:error] [pid 20162] [client 172.16.x.x:58147] [client 172.16.12.144] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/share/modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "46"] [id "911100"] 
[msg "Method is not allowed by policy"] [data "PUT"] [severity "CRITICAL"] [ver "OWASP_CRS/3.1.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] [hostname "192.168.x.x"] [uri "/app/api/widgets/grid"] [unique_id "XrKHkEqec4EieQ@yCDCkkQAAABI"], referer: https://192.168.x.x/app

解决这个问题的最好方法是在 modsecurity 中更改此策略，因此编辑文件“/etc/modsecurity/crs/crs-setup.conf“并取消注释以下行并添加允许的 PUT：

SecAction \
"id:900200,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT DELETE'"

Question 3

编辑：

将其添加到你的 Apache 配置中：

 Script PUT /api/index.php

这假设您的实际处理程序脚本被调用index.php并且位于/api。

Answer

编辑：

将其添加到你的 Apache 配置中：

 Script PUT /api/index.php

这假设您的实际处理程序脚本被调用index.php并且位于/api。

PUT 请求导致 403 Forbidden - 需要 Apache 允许 PUT 请求

答案1

答案2

答案3

相关内容