7

I am building a RESTful API and need to get Apache to accept PUT requests. Whenever I PUT to a URL, I am getting a 403 Forbidden error.

curl -X PUT api.example.com/api/foo

I have tried adding the following to my Virtual Directory (to no avail):


<Limit GET POST PUT DELETE HEAD OPTIONS>
    Order allow,deny
    Allow from all
</Limit>
<LimitExcept GET POST PUT DELETE HEAD OPTIONS>
    Order deny,allow
    Deny from all
</LimitExcept>

What other config settings might be causing this?

EDIT

I am rewriting my URLs; all get rewritten to index.php as follows:


RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !\.
RewriteRule ^(.*)$ /api/index.php/$1 [L,QSA]

mmattax

3 Answers

5

Add this to the .htaccess file in this folder

-- For Apache 2.2

<Limit GET POST PUT OPTIONS DELETE PATCH HEAD>
    Order allow,deny
    Allow from all
</Limit>
<LimitExcept GET POST PUT OPTIONS DELETE PATCH HEAD>
    Order deny,allow
    Deny from all
</LimitExcept>

-- For Apache 2.4

<Limit GET POST PUT OPTIONS DELETE PATCH HEAD>
    Require all granted
</Limit>
<LimitExcept GET POST PUT OPTIONS DELETE PATCH HEAD>
    Require all denied
</LimitExcept>

Note: you can remove methods which you don't want.

th3pirat3
user55993
    Are you certain your [`Require`](http://httpd.apache.org/docs/2.2/mod/core.html#require) directive syntax was already valid for Apache 2.2 (see the tag in the question)? Because as far as I know `Require all` was introduced with [Apache 2.4](http://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#require) – HBruijn Sep 12 '15 at 06:11
  • Works great in centos7 / Apache 2.4 / Prestashop webservices context, since some methods are forbidden by default (it wasn't in 2.2/Debian). @HBruijn : Limit and LimitExcept are in the official Apache 2.2 documentation, so it should also work with the adapted syntax (https://httpd.apache.org/docs/2.2/en/mod/core.html#limit). – tisc0 Mar 13 '18 at 23:30
  • Perfect, That worked for me on Centos7 – Abanoub Hany Sep 24 '22 at 13:00
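A way to verify the resulting method policy from the outside, added here as an example and not part of this answer: the script sends each method once to the endpoint and flags any mismatch between the observed status codes and the intended allow list (403 on a listed method means something server-side is still rejecting it; anything other than 403 on an unlisted method means the deny rule is not taking effect). The host, port and path are arguments you supply; `ALLOWED`, `DENIED_PROBES`, the `_StandIn` server and the `/api/foo` path are constructed for this example so it can also run without Apache.

```python
import http.client
import sys
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Methods the <Limit> block in the answer above is meant to permit (assumed target policy).
ALLOWED = ("GET", "POST", "PUT", "OPTIONS", "DELETE", "PATCH", "HEAD")
# A few methods the <LimitExcept> block should keep denied; chosen for this example.
DENIED_PROBES = ("TRACE", "PROPFIND", "FOO")


def probe(host, port, path, methods, timeout=5):
    """Send each method once to http://host:port/path and return {method: status}."""
    results = {}
    for method in methods:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request(method, path)
            resp = conn.getresponse()
            resp.read()  # drain the body so the socket can be closed cleanly
            results[method] = resp.status
        finally:
            conn.close()
    return results


def check_policy(results, allowed):
    """Compare observed statuses with the intended policy; return human-readable findings."""
    findings = []
    for method, status in results.items():
        if method in allowed and status == 403:
            findings.append(f"{method}: expected to be allowed but got 403")
        elif method not in allowed and status != 403:
            findings.append(f"{method}: expected 403 but got {status}")
    return findings


class _StandIn(BaseHTTPRequestHandler):
    """Constructed stand-in for an Apache vhost: 200 for ALLOWED methods, 403 otherwise.

    It exists only so the script can be exercised without a real web server.
    """

    def _handle(self):
        if self.command in ALLOWED:
            self.send_response(200)
            self.send_header("Content-Length", "0")
            self.end_headers()
        else:
            self.send_error(403)

    def log_message(self, *args):  # keep the demo quiet
        pass


# BaseHTTPRequestHandler dispatches on do_<METHOD>; register one handler per probed
# method so the stand-in answers all of them instead of replying 501.
for _m in ALLOWED + DENIED_PROBES:
    setattr(_StandIn, "do_" + _m, _StandIn._handle)


def run_local_demo():
    """Start the stand-in on a free localhost port, probe it, return (results, findings)."""
    server = HTTPServer(("127.0.0.1", 0), _StandIn)
    port = server.server_address[1]
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        results = probe("127.0.0.1", port, "/api/foo", ALLOWED + DENIED_PROBES)
    finally:
        server.shutdown()
        server.server_close()
    return results, check_policy(results, ALLOWED)


if __name__ == "__main__":
    if len(sys.argv) == 4:  # usage: python probe_methods.py HOST PORT PATH
        host, port, path = sys.argv[1], int(sys.argv[2]), sys.argv[3]
        observed = probe(host, port, path, ALLOWED + DENIED_PROBES)
        problems = check_policy(observed, ALLOWED)
    else:  # no arguments: exercise the constructed stand-in instead
        observed, problems = run_local_demo()
    for method, status in observed.items():
        print(f"{method:8} -> {status}")
    print("policy OK" if not problems else "\n".join(problems))
```

Run it with no arguments to see the expected behaviour against the stand-in, then with `HOST PORT PATH` against the real vhost after changing the config; a remaining 403 on PUT with this config in place points at another layer (mod_security's method policy, for instance) rather than at the `<Limit>` block.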
3

At least with the latest Apache version (2.4.38) with modsecurity enabled, only these methods are allowed by default: GET HEAD POST OPTIONS

When a PUT request is made, the Apache2 error log shows this message:

[Wed May 06 11:46:56.680835 2020] [:error] [pid 20162] [client 172.16.x.x:58147] [client 172.16.12.144] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/share/modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "46"] [id "911100"] [msg "Method is not allowed by policy"] [data "PUT"] [severity "CRITICAL"] [ver "OWASP_CRS/3.1.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] [hostname "192.168.x.x"] [uri "/app/api/widgets/grid"] [unique_id "XrKHkEqec4EieQ@yCDCkkQAAABI"], referer: https://192.168.x.x/app

The best way to solve it is to change this policy in modsecurity: edit the file "/etc/modsecurity/crs/crs-setup.conf" and uncomment the following lines, adding PUT as allowed:

SecAction \
"id:900200,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT DELETE'"
    Thank you, this led me to the issue. I would never have thought of the modsecurity module – Stefan S Aug 03 '20 at 09:18
  • This helped me as well. Along with this post in cpanel https://forums.cpanel.net/threads/modsecurity-update-causing-403-forbidden-for-put-requests-to-server-requires-editing-tx-allowed_methods.683113/post-2810641 – CodeGodie Mar 30 '22 at 03:37
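An added example, not from this answer, that pulls the CRS fields out of error_log lines like the one quoted above. The point is to confirm from the log that it is ModSecurity rule 911100 (method enforcement) producing the 403s, and not an authz denial from a `<LimitExcept>` block, before widening `tx.allowed_methods`; the helper also shows which of the blocked methods a proposed allowed_methods value would admit. The sample lines, IPs, hostnames, URIs and unique_ids are constructed; the last sample line models a plain Apache `AH01630` authz_core denial for contrast.

```python
import re
from collections import Counter

# Constructed error_log lines modelled on the ModSecurity message quoted above.
# All IPs, hostnames, URIs and unique_ids are made up. The last line is a plain
# Apache authz denial (AH01630), the kind a <LimitExcept> block produces.
SAMPLE_LOG = [
    '[Wed May 06 11:46:56.680835 2020] [:error] [pid 20162] [client 172.16.0.10:58147] '
    '[client 172.16.0.10] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" '
    'against "REQUEST_METHOD" required. '
    '[file "/usr/share/modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] '
    '[line "46"] [id "911100"] [msg "Method is not allowed by policy"] [data "PUT"] '
    '[severity "CRITICAL"] [ver "OWASP_CRS/3.1.0"] [tag "application-multi"] '
    '[tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [hostname "api.example.com"] '
    '[uri "/api/widgets/grid"] [unique_id "CONSTRUCTED-0001"]',
    '[Wed May 06 11:47:10.100000 2020] [:error] [pid 20162] [client 10.0.0.5:40101] '
    '[client 10.0.0.5] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" '
    'against "REQUEST_METHOD" required. '
    '[file "/usr/share/modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] '
    '[line "46"] [id "911100"] [msg "Method is not allowed by policy"] [data "PUT"] '
    '[severity "CRITICAL"] [hostname "api.example.com"] [uri "/api/foo"] '
    '[unique_id "CONSTRUCTED-0002"]',
    '[Wed May 06 11:47:11.200000 2020] [:error] [pid 20162] [client 10.0.0.5:40102] '
    '[client 10.0.0.5] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" '
    'against "REQUEST_METHOD" required. '
    '[file "/usr/share/modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] '
    '[line "46"] [id "911100"] [msg "Method is not allowed by policy"] [data "DELETE"] '
    '[severity "CRITICAL"] [hostname "api.example.com"] [uri "/api/foo"] '
    '[unique_id "CONSTRUCTED-0003"]',
    '[Wed May 06 11:47:12.300000 2020] [authz_core:error] [pid 20163] [client 10.0.0.5:40103] '
    'AH01630: client denied by server configuration: /var/www/api/index.php',
]

KV_RE = re.compile(r'\[(\w+) "([^"]*)"\]')               # [key "value"] pairs
CLIENT_RE = re.compile(r'\[client ([\d.]+)(?::\d+)?\]')  # first [client IP:port]; IPv4 assumed
METHOD_ENFORCEMENT_ID = "911100"                         # CRS rule id from the quoted line


def parse_modsec_line(line):
    """Return the bracketed fields of one ModSecurity error_log line, or None if it isn't one."""
    if "ModSecurity:" not in line:
        return None
    pairs = KV_RE.findall(line)
    fields = {k: v for k, v in pairs if k != "tag"}  # tag repeats, so collect it separately
    fields["tags"] = [v for k, v in pairs if k == "tag"]
    m = CLIENT_RE.search(line)
    fields["client"] = m.group(1) if m else None
    return fields


def method_enforcement_hits(lines):
    """(method, uri, client) for every CRS method-enforcement (911100) denial in the log."""
    hits = []
    for line in lines:
        f = parse_modsec_line(line)
        if f and f.get("id") == METHOD_ENFORCEMENT_ID:
            hits.append((f.get("data"), f.get("uri"), f.get("client")))
    return hits


def blocked_methods(lines):
    """Count how often each HTTP method was blocked by the CRS method policy."""
    return Counter(method for method, _, _ in method_enforcement_hits(lines))


def is_allowed_by_policy(method, allowed_methods):
    """Mirror the tx.allowed_methods check, treating the value as whitespace-separated names."""
    return method in allowed_methods.split()


def report(lines, allowed_methods):
    """One line per blocked method: count seen, and whether the proposed policy admits it."""
    out = []
    for method, n in blocked_methods(lines).most_common():
        verdict = "would be allowed" if is_allowed_by_policy(method, allowed_methods) else "still blocked"
        out.append(f"{method}: {n} blocked request(s); under '{allowed_methods}' -> {verdict}")
    return out


if __name__ == "__main__":
    for hit in method_enforcement_hits(SAMPLE_LOG):
        print("911100 hit:", hit)
    print("\n".join(report(SAMPLE_LOG, "GET HEAD POST OPTIONS PUT DELETE")))
```

Feed it `open("/var/log/apache2/error.log")` instead of `SAMPLE_LOG` on a real host; if the 403s show up only as AH01630 lines and there are no 911100 hits, the fix belongs in the `<Limit>`/`<LimitExcept>` configuration rather than in crs-setup.conf.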
2

Edit:

Add this to your Apache conf:

Script PUT /api/index.php

This assumes your actual handler script is called index.php and is located in /api.

Eduardo Ivanec