I have a default Apache installation on Ubuntu 10.04.

I use the following Nmap scan to determine the available Apache methods:

nmap -p80 --script=http-methods 192.168.1.66

The result is:

http-methods: GET HEAD POST OPTIONS

I'm trying to eliminate the HEAD method. So in /etc/apache2/apache.conf I added the following:

<Directory "/var/www/*">
<LimitExcept GET POST OPTIONS>
Deny from all
</LimitExcept>
...
</Directory>

I then restarted the web server. However, the nmap scan still prints the same results.

Does anyone know what I'm missing here?

lisa1987
  • I think Get and Head must be treated similarly, as Head is essentially a Get with no content returned (to check for updates). So, I think there is some dependency between the two that must be accounted for in configuration. – slotishtype Jul 18 '11 at 13:43
  • Why do you want to remove HEAD? What benefit do you think you will gain from this? – Zoredache Jul 18 '11 at 17:46
  • I don't use it, so I want to disable it. – lisa1987 Jul 18 '11 at 18:39
  • @brahims - *you* might not use it, but your browser uses it all the time. The only time you should disable it is if you have 100% control over every client application that is going to access it (for example, it's a web service that's used exclusively by your own software), but there's no security risk in `head`, so it's a bit of a misnomer anyway. – Mark Henderson Jul 20 '11 at 02:14

1 Answer

The documentation for <Limit> explicitly states:

If GET is used it will also restrict HEAD requests

This very strongly implies that, for the purposes of <Limit> and <LimitExcept>, GET and HEAD are treated the same. Restrictions applied to GET will apply to HEAD, and therefore if GET is unrestricted, HEAD will also be unrestricted.

Further, the HTTP/1.1 RFC 2616 explicitly states (section 9.4):

The HEAD method is identical to GET except that the server MUST NOT return
a message-body in the response.

This further clarifies the direct relationship between GET and HEAD.

The final piece of information to clarify this, also from RFC 2616 (section 5.1.1):

The methods GET and HEAD MUST be supported by all general-purpose servers.

Taken together, this information tends to strongly imply that what you wish to accomplish will not be possible by configuration changes alone.

Mike Insch
  • OK. I've tried with and still same nmap output :) Do you think it is possible to configure any of these 4 methods (GET HEAD POST OPTIONS) by configuration changes? –  Jul 18 '11 at 15:35
  • Try moving your `` directive out of the `` specification and into your `` definition instead... – Mike Insch Jul 18 '11 at 15:46
  • I've tried that as well.. I guess I'm just out of luck :/ Thanks for the answers anyway Mike – lisa1987 Jul 18 '11 at 16:00
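As an added check, not part of the original question or answer, here is a small Python probe that does what the nmap http-methods script does: send each method once and record the status. It is run against a constructed local stand-in server (not a real Apache) that mirrors the coupling described in the answer, HEAD being accepted whenever GET is; point allowed_methods() at your own host and port to verify a real configuration change.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed stand-in for the asker's vhost (not a real Apache): GET is
# permitted and HEAD follows GET, the coupling the answer describes.
ALLOWED = ("GET", "HEAD", "POST", "OPTIONS")

class StandInHandler(BaseHTTPRequestHandler):
    def _respond(self):
        if self.command not in ALLOWED:
            self.send_response(405)
            self.send_header("Allow", ", ".join(ALLOWED))
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Length", "2")
        self.end_headers()
        if self.command != "HEAD":  # HEAD: same status line, no body
            self.wfile.write(b"ok")
    # http.server dispatches on do_<METHOD>; route every probed method here
    do_GET = do_HEAD = do_POST = do_OPTIONS = do_PUT = do_DELETE = _respond
    def log_message(self, *args):  # keep the probe output quiet
        pass

def probe_methods(host, port, methods=("GET", "HEAD", "POST", "OPTIONS", "PUT", "DELETE")):
    """Send each method once; return {method: status}, like nmap's http-methods."""
    results = {}
    for method in methods:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request(method, "/")
        resp = conn.getresponse()
        resp.read()  # drain the body (empty for HEAD) before closing
        results[method] = resp.status
        conn.close()
    return results

def allowed_methods(host, port):
    return sorted(m for m, s in probe_methods(host, port).items() if s < 400)  # <400 = allowed

def demo():
    """Probe the constructed stand-in on an ephemeral localhost port."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), StandInHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return allowed_methods(*server.server_address)
    finally:
        server.shutdown()
        server.server_close()
```

Against the stand-in, demo() returns the same four methods the question's nmap scan reported, with PUT and DELETE rejected by 405.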