The Apache Haus Forum

Author Topic: Securing HTTP Requests with Mod_Rewrite  (Read 1334 times)

Donglecow

Securing HTTP Requests with Mod_Rewrite
« on: January 25, 2017, 12:18:07 PM »

Hi everyone,

I have a page*: http://example.com/es/ that I need to expose to the internet for testing. This is an Elasticsearch instance.

I want to restrict some HTTP request methods to help prevent malicious attacks on my Elasticsearch cluster.

I want to:
Disable PUT, DELETE, TRACE requests.
Allow GET requests
Restrict POST requests to http://example.com/es/_search

How would I go about achieving the restriction on the POST requests? My current mod_rewrite config is below.

RewriteEngine on
RewriteCond %{THE_REQUEST} !^(POST|GET)\ /.*\ HTTP/1\.1$
RewriteRule .* - [F]

Thanks in advance for any advice.

 * - This page is just an example of the URL/URI structure. My app isn't actually hosted at example.com.
Logged

mario

Re: Securing HTTP Requests with Mod_Rewrite
« Reply #1 on: January 25, 2017, 05:06:45 PM »

Normally you use Limit[1] in a <Directory>

For sure you can use the <Directory> directive

And you can add a second condition for the URL

RewriteCond %{REQUEST_URI} ^/es

and

RewriteCond %{REQUEST_URI} ^/es/_search


If you still have a question, please ask again.

[1] https://httpd.apache.org/docs/2.4/mod/core.html#limit
Logged

Donglecow

Re: Securing HTTP Requests with Mod_Rewrite
« Reply #2 on: January 26, 2017, 10:39:53 AM »

> Normally you use Limit[1] in a <Directory>
>
> For sure you can use the <Directory> directive
>
> And you can add a second condition for the URL
>
> RewriteCond %{REQUEST_URI} ^/es
>
> and
>
> RewriteCond %{REQUEST_URI} ^/es/_search
>
> If you still have a question, please ask again.
>
> [1] https://httpd.apache.org/docs/2.4/mod/core.html#limit

Thank you for the reply. I wasn't aware I could use a second condition, that will be helpful!

Just a question though. Why would I use the <Directory> directive? Should it not be <Location>, as ES is a webapp that is being proxied through to example.com/es/, rather than files on the filesystem that need to be served up?

Thanks again.
Logged
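
An added example, not part of the thread or of any poster's configuration: one way to express the policy from the first post (GET allowed under /es/, POST only to /es/_search, every other method refused) using a second RewriteCond as suggested in Reply #1. It assumes the rules are placed in the virtual host that proxies /es/ to Elasticsearch, where RewriteRule patterns are matched against the full URL path including the leading slash.

```apache
# Added example. Assumption: server/virtual-host context, mod_rewrite loaded.
RewriteEngine On

# Rule from the question, kept commented out for comparison.
# It permits POST to every path, not only /es/_search.
# RewriteCond %{THE_REQUEST} !^(POST|GET)\ /.*\ HTTP/1\.1$
# RewriteRule .* - [F]

# 1. Under /es, refuse every method other than GET and POST.
#    This covers PUT, DELETE and TRACE; HEAD and OPTIONS are refused too.
RewriteCond %{REQUEST_METHOD} !^(GET|POST)$
RewriteRule ^/es(/|$) - [F]

# 2. Under /es, refuse POST unless the path is exactly /es/_search.
#    REQUEST_URI holds the path only, so /es/_search?pretty still matches.
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{REQUEST_URI} !^/es/_search/?$
RewriteRule ^/es(/|$) - [F]

# TRACE can also be switched off in the core, independent of mod_rewrite.
TraceEnable Off
```

A quick check after reloading: a GET to /es/ and a POST to /es/_search should pass through to the backend, while a POST to any other path under /es/ and any PUT or DELETE should return 403.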