如何在 Apache 2.4.29 中禁用 CONNECT 方法并返回 405 状态?

如何在 Apache 2.4.29 中禁用 CONNECT 方法并返回 405 状态?

我使用 Apache 2.4 作为反向代理,并根据帖子中,我不需要 HTTP CONNECT 方法。因此,当我使用以下方法构建 Apache 时,我尝试禁用 proxy_connect 模块配置(静态)选项。

$ ./apachectl -v
Server version: Apache/2.4.29 (Unix)
Server built:   Feb  8 2018 12:40:42

$ ./apachectl -M
Loaded Modules:
 core_module (static)
 authn_core_module (static)
 authz_host_module (static)
 authz_core_module (static)
 access_compat_module (static)
 socache_shmcb_module (static)
 so_module (static)
 http_module (static)
 mime_module (static)
 log_config_module (static)
 log_debug_module (static)
 env_module (static)
 headers_module (static)
 setenvif_module (static)
 proxy_module (static)           ###########
 proxy_http_module (static)      ###########
 proxy_balancer_module (static)  ###########
 slotmem_shm_module (static)
 ssl_module (static)
 lbmethod_byrequests_module (static)
 lbmethod_bytraffic_module (static)
 lbmethod_bybusyness_module (static)
 lbmethod_heartbeat_module (static)
 mpm_event_module (static)
 unixd_module (static)
 rewrite_module (static)

如您所见,我只启用了:proxy、proxy_http 和 proxy_balancer 模块。

但是,当我运行 nmap 扫描时,它会报告 CONNECT 的 400(错误请求),而我预期的是 405(方法不允许)。

$ nmap -p 443 --script http-methods --script-args 'http-methods.test-all=true,http-methods.retest=1' 10.x.x.xxx

Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-09 17:23 EST
Nmap scan report for serverA (10.x.x.xxx)
Host is up (0.00013s latency).

PORT    STATE SERVICE
443/tcp open  https
| http-methods: 
|   Supported Methods: TRACE GET HEAD POST CONNECT
|   Potentially risky methods: TRACE CONNECT
|   Status Lines: 
|     POST: HTTP/1.1 302 Moved Temporarily
|     HEAD: HTTP/1.1 302 Moved Temporarily
|     CONNECT: HTTP/1.1 400 Bad Request
|     GET: HTTP/1.1 302 Moved Temporarily
|_    TRACE: HTTP/1.1 405 Method Not Allowed

Nmap done: 1 IP address (1 host up) scanned in 0.79 seconds

这是我在 apache/conf/extra/httpd-vhosts.conf 开头所写的内容:

<VirtualHost *:443>
  RewriteEngine On
  RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)
  RewriteRule .* - [R=405,L]

以下是 nmap 扫描的 Apache 访问日志:

[09/Feb/2018:17:29:47 -0500] "OPTIONS / HTTP/1.1" 405 225
[09/Feb/2018:17:29:47 -0500] "CBZF / HTTP/1.1" 405 222
[09/Feb/2018:17:29:47 -0500] "GET / HTTP/1.1" 302 109
[09/Feb/2018:17:29:47 -0500] "HEAD / HTTP/1.1" 302 -
[09/Feb/2018:17:29:47 -0500] "POST / HTTP/1.1" 302 109
[09/Feb/2018:17:29:47 -0500] "OPTIONS / HTTP/1.1" 405 225
[09/Feb/2018:17:29:47 -0500] "DELETE / HTTP/1.1" 405 224
[09/Feb/2018:17:29:47 -0500] "PUT / HTTP/1.1" 405 221
[09/Feb/2018:17:29:48 -0500] "CONNECT / HTTP/1.1" 400 226
[09/Feb/2018:17:29:48 -0500] "TRACE / HTTP/1.1" 405 223

除了 CONNECT 的 400 状态之外,我对其他一切都很满意。

有什么方法可以让 Apache 返回 CONNECT 的 405 或 501 状态吗?

相关内容