Securing HTTP Requests with Mod_Rewrite

Started by Donglecow, January 25, 2017, 12:18:07 PM

Donglecow

Hi everyone,

I have a page*: http://example.com/es/ that I need to expose to the internet for testing. This is an Elasticsearch instance.

I want to restrict some HTTP request methods to help prevent malicious attacks on my Elasticsearch cluster.

I want to:
Disable PUT, DELETE, TRACE requests.
Allow GET requests
Restrict POST requests to http://example.com/es/_search

How would I go about achieving the restriction on the POST requests? My current mod_rewrite config is below.

RewriteEngine on
RewriteCond %{THE_REQUEST} !^(POST|GET)\ /.*\ HTTP/1\.1$
RewriteRule .* - [F]

Thanks in advance for any advice.

* - This page is just an example of the URL/URI structure. My app isn't actually hosted at example.com.

mario

Normally you use Limit[1] in a <Directory>

For sure you can use the <Directory> directive

And you can add a second condition for the url

RewriteCond %{REQUEST_URI} ^/es

and

RewriteCond %{REQUEST_URI} ^/es/_search


If you still have a question, please ask again.

[1] https://httpd.apache.org/docs/2.4/mod/core.html#limit
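
Added example, not part of either post: the method check from the question combined with the two REQUEST_URI conditions suggested above, as one rule set. It assumes the rules sit in the server or virtual host configuration (so %{REQUEST_URI} is the full request path) and that only the exact path /es/_search should accept POST.

```apache
RewriteEngine On

# Rule 1: refuse every method except GET and POST.
# This covers PUT, DELETE and TRACE from the list in the question.
# %{REQUEST_METHOD} holds only the method, so the check does not depend
# on the protocol version the way a %{THE_REQUEST} pattern ending in
# HTTP/1\.1$ does.
RewriteCond %{REQUEST_METHOD} !^(GET|POST)$
RewriteRule ^ - [F]

# Rule 2: refuse POST anywhere under /es except /es/_search.
# Consecutive RewriteCond lines are ANDed, so all three must match:
#   - the method is exactly POST ("=" is a string comparison)
#   - the path starts with /es
#   - the path is NOT exactly /es/_search
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{REQUEST_URI} ^/es
RewriteCond %{REQUEST_URI} !^/es/_search$
RewriteRule ^ - [F]

# GET requests match neither rule and pass through unchanged.

# TRACE can additionally be switched off in the core, independent of
# mod_rewrite.
TraceEnable Off
```

With these rules a PUT or DELETE to any path, and a POST to any /es path other than /es/_search, gets a 403 Forbidden response.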

Donglecow

Quote from: mario on January 25, 2017, 05:06:45 PM
Normally you use Limit[1] in a <Directory>

For sure you can use the <Directory> directive

And you can add a second condition for the url

RewriteCond %{REQUEST_URI} ^/es

and

RewriteCond %{REQUEST_URI} ^/es/_search


If you still have a question, please ask again.

[1] https://httpd.apache.org/docs/2.4/mod/core.html#limit

Thank you for the reply. I wasn't aware I could use a second condition, that will be helpful!

Just a question though. Why would I use the <Directory> directive? Should it not be <Location>, as ES is a webapp that is being proxied through to example.com/es/, rather than files on the filesystem that need to be served up?

Thanks again.