My setup details:
- OS : RHEL7
- Webserver : Apache http server(SSL enabled)
- AppContainer : NodeJS
- Webserver connects to NodeJS via mod_proxy.
I blocked the CONNECT method in Apache HTTP Server using the config below, but the CONNECT method vulnerability still persists. Do I need to do anything on the NodeJS side?
RewriteCond %{REQUEST_METHOD} !^(GET|POST|PUT|DELETE|HEAD)
RewriteRule .* - [R=405,L]
Best Answer
The most common reason for a generic problem like this is not enabling mod_rewrite with RewriteEngine on in the context where your RewriteRule was placed.
However, even if that is the case, I would suggest using <Limit> or <LimitExcept> blocks, or even better, do not load mod_proxy_connect at all so that the CONNECT method has no way of being used. If it's handled by your app, of course, that would also need disabling.
Additional information after comments:
Do not modify the <Directory /> block that comes with your configuration; it should be left as is.
Also, do not (as I said in my comments) put the <Limit> block inside another block (in your case a <Directory> block). Configuration directives in a <Directory> block only take effect if the request is mapped to the file system, but you are proxying / to another service on example.com, which means no requests are mapped to the file system and so your <Limit> block will never take effect.
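
A configuration sketch of the points above, added here as an illustration and not taken from the original post or its comments. The server name, certificate paths and the NodeJS backend address (127.0.0.1:3000) are assumed placeholders. The method restriction sits in a <Location> section, which is matched against the URL path rather than the file system, so it also covers requests handed to mod_proxy.

```apache
# Constructed example: host names, paths and the backend port are placeholders.

# 1. Leave mod_proxy_connect unloaded so nothing can service CONNECT tunnels.
#    Comment the line out wherever your distribution loads it:
# LoadModule proxy_connect_module modules/mod_proxy_connect.so

<VirtualHost *:443>
    ServerName www.example.com

    SSLEngine on
    SSLCertificateFile    /path/to/placeholder.crt
    SSLCertificateKeyFile /path/to/placeholder.key

    # Reverse proxy only; never act as a forward proxy.
    ProxyRequests Off
    ProxyPass        / http://127.0.0.1:3000/
    ProxyPassReverse / http://127.0.0.1:3000/

    # 2. Ineffective placement (shown for contrast): a <Directory> section is
    #    only consulted when the request maps to the file system, and every
    #    request under / is proxied, so this would never be evaluated.
    # <Directory "/var/www/html">
    #     <LimitExcept GET POST PUT DELETE HEAD>
    #         Require all denied
    #     </LimitExcept>
    # </Directory>

    # 3. URL-based placement: applies to proxied requests as well.
    #    Any method not listed here is refused with 403.
    <Location "/">
        <LimitExcept GET POST PUT DELETE HEAD>
            Require all denied
        </LimitExcept>
    </Location>

    # 4. If the mod_rewrite approach from the question is kept instead,
    #    RewriteEngine must be enabled in the same context as the rule:
    # RewriteEngine On
    # RewriteCond %{REQUEST_METHOD} !^(GET|POST|PUT|DELETE|HEAD)$
    # RewriteRule .* - [R=405,L]
</VirtualHost>
```

After reloading, `apachectl -M` should no longer list proxy_connect_module, and `apachectl configtest` confirms the sections are accepted in the context where they were placed.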