Hi everyone,
I have a page*: http://example.com/es/ that I need to expose to the internet for testing. This is an Elasticsearch instance.
I want to restrict some HTTP request methods to help prevent malicious attacks on my Elasticsearch cluster.
I want to:
Disable PUT, DELETE, TRACE requests.
Allow GET requests
Restrict POST requests to http://example.com/es/_search
How would I go about achieving the restriction on the POST requests? My current mod_rewrite config is below.
RewriteEngine on
RewriteCond %{THE_REQUEST} !^(POST|GET)\ /.*\ HTTP/1\.1$
RewriteRule .* - [F]
Thanks in advance for any advice.
* - This page is just an example of the URL/URI structure. My app isn't actually hosted at example.com.
Normally you use Limit[1] in a <Directory>.
For sure you can use the <Directory> directive.
And you can add a second condition for the URL:
RewriteCond %{REQUEST_URI} ^/es
and
RewriteCond %{REQUEST_URI} ^/es/_search
If you still have a question, please ask again.
[1] https://httpd.apache.org/docs/2.4/mod/core.html#limit
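One way to write the rules discussed above, with the second condition attached to a POST-only rule. This is an added example, not code from either poster; it assumes the directives sit in the virtual host that proxies /es/, and it tests %{REQUEST_METHOD} instead of %{THE_REQUEST}:

```apache
# Added example. Assumed placement: the <VirtualHost> that proxies /es/.

# TRACE is answered by the core server and cannot be restricted with <Limit>;
# TraceEnable switches it off.
TraceEnable off

RewriteEngine on

# Rule 1: refuse every method other than GET and POST.
# This covers PUT and DELETE, plus anything else (PATCH, OPTIONS, ...).
RewriteCond %{REQUEST_METHOD} !^(GET|POST)$
RewriteRule ^ - [F]

# Rule 2: refuse POST unless the path is exactly /es/_search.
# Consecutive RewriteCond lines are ANDed, so the rule fires only when
# the method is POST *and* the path does not match.
# REQUEST_URI holds the path without the query string, so
# POST /es/_search?pretty still passes.
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{REQUEST_URI} !^/es/_search$
RewriteRule ^ - [F]
```

Because the pattern is anchored at both ends, a POST to an index-scoped path such as /es/<index>/_search is refused as well; GET remains allowed on every path.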
Quote from: mario on January 25, 2017, 05:06:45 PM
Normally you use Limit[1] in a <Directory>.
For sure you can use the <Directory> directive.
And you can add a second condition for the URL:
RewriteCond %{REQUEST_URI} ^/es
and
RewriteCond %{REQUEST_URI} ^/es/_search
If you still have a question, please ask again.
[1] https://httpd.apache.org/docs/2.4/mod/core.html#limit
Thank you for the reply. I wasn't aware I could use a second condition; that will be helpful!
Just a question though. Why would I use the <Directory> directive? Should it not be <Location>, as ES is a webapp that is being proxied through to example.com/es/, rather than files on the filesystem that need to be served up?
Thanks again.