Part of my default .htaccess contains the following lines:
IndexIgnore .htaccess /.? ~ # /HEADER /README /_vti

<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>

What do they do? Why have "deny from all" and "allow from all" in the same script?


What is the difference between <Limit GET POST> and <Limit GET HEAD POST>?


There are some conflicts with the lines below.
When I add them, my site is down.
Could you help me?
Thanks.

<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>

<Limit GET HEAD POST>
order allow,deny
deny from 116.193.8.0/21
deny from 125.31.0.0/18
deny from 161.64.0.0/16
deny from 192.203.232.0/24
deny from 202.75.248.0/22
deny from 202.86.128.0/18
deny from 202.171.252.0/22
deny from 202.172.0.0/22
deny from 202.173.0.0/22
deny from 202.174.0.0/22
deny from 202.175.0.0/22
deny from 202.175.4.0/22
deny from 202.175.8.0/21
deny from 202.175.16.0/20
deny from 202.175.32.0/19
deny from 202.175.64.0/19
deny from 202.175.96.0/19
deny from 202.175.160.0/19
allow from all
</LIMIT>

🙂

    strawberry wrote:

    What do they do?

    <LIMIT> allows you to limit access to certain HTTP "verbs" or methods. IndexIgnore is part of the mod_autoindex module that handles displaying pretty HTML indexes when no index file is found; it instructs the webserver which files it should not show in these listings... presumably because they either a) have no value for the end user, or b) are private in nature and don't need to be shown to the world.

    For more information on either of them (or other Apache directives used in .htaccess or httpd.conf), visit the manual links I provided or search the Apache documentation.

    strawberry wrote:

    Why have "deny from all" and "allow from all" in the same script?

    No idea; not only does it not make sense, it's probably not doing anything you intended it to. As such, you should get rid of it.

    strawberry wrote:

    What is the difference between <Limit GET POST> and <Limit GET HEAD POST>?

    The former of the two places the ensuing limitations on the GET and POST verbs/methods, while the latter of the two also includes HEAD as well.

      Thank you.

      Why can't <Limit GET POST> and <Limit GET HEAD POST> coexist?

      If my .htaccess includes <Limit GET POST> and <Limit GET HEAD POST>, then I can't connect to my site.

        strawberry wrote:

        Why can't <Limit GET POST> and <Limit GET HEAD POST> coexist?

        No one said they couldn't.

        strawberry wrote:

        If my .htaccess includes <Limit GET POST> and <Limit GET HEAD POST>, then I can't connect to my site.

        The presence of both of those tags has nothing to do with whether you can access the site - it's what's inside those tags that makes the difference.

        I believe what is happening is that the "order" statement in the last <Limit GET HEAD POST> tag is overriding the order of the first tag. Since the first LIMIT tag includes "deny from all", it's probably processed last (which means it's denying access from everyone).

        Again, however, the first <LIMIT GET POST> tag is pointless (other than to cause errors like what you're seeing now).

          I see. 🙂

          It's really helpful to me, thanks for teaching me.

            3 years later
            KernelJay;11011281 wrote:

            Please be advised that use of the Limit directive can be bypassed when using PHP.

            Not (completely) true, depending upon which verbs are included in the tag.

              bradgrafelman;11011289 wrote:

              Not (completely) true, depending upon which verbs are included in the tag.

              Interesting... Could you elaborate on what verbs you would include in the tag?

              From my testing, I was able to bypass any restrictions specified in any limit directive I could think of. Even if the directive specifies all of the verbs indicated in the HTTP RFC, an attacker can make up a new verb. In this case, Apache doesn't understand the verb and passes it into PHP for processing (if the requested filename leads to a PHP handler). This is of course discussed at further length in the aforementioned blog post: http://blog.ncircle.com/t5/VERT-Security-Research-Blog/Turn-That-S-T-Off-Apache-htaccess-Limit-Tag/ba-p/4942

                KernelJay;11011291 wrote:

                In this case, Apache doesn't understand the verb and passes it into PHP for processing

                I guess I didn't realize this was true, but in hindsight I guess I could justify why this might happen.

                The real source of my ignorance on the issue, however, is the fact that I've never had the need or desire (or even considered) to use <Limit> in such a fashion. Sounds like there are good reasons why I should never change that fact, too.
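Added example, not from any post in this thread: a `<Limit>` block only governs the methods it names, so a method it does not list (including one Apache does not recognise) is simply not covered by it; `<LimitExcept>` covers every method except the ones named, which is the form to use for a "nothing but GET/HEAD/POST" policy. The Apache 2.2 `Order`/`Deny` syntax used in the thread and the 2.4 `Require` syntax are both shown as alternatives (pick the one matching your server, do not mix them); the 192.0.2.0/24 range is a placeholder, not one from the thread.

```apache
# Weak: only the three listed methods are subject to this block.
# A request using any other method is not evaluated here at all.
# (Listing GET also restricts HEAD, per the Apache documentation.)
<Limit GET HEAD POST>
    Order allow,deny
    # placeholder range (TEST-NET-1), not from the thread
    Deny from 192.0.2.0/24
    Allow from all
</Limit>

# Hardened, Apache 2.2 syntax: every method other than GET, HEAD and
# POST is refused before the request reaches any script handler.
<LimitExcept GET HEAD POST>
    Order deny,allow
    Deny from all
</LimitExcept>

# Hardened, Apache 2.4 syntax (mod_authz_core) for the same policy.
<LimitExcept GET HEAD POST>
    Require all denied
</LimitExcept>

# An IP block-list that should apply to every method belongs outside
# any <Limit> section (2.4 syntax shown).
<RequireAll>
    Require all granted
    # placeholder range (TEST-NET-1), not from the thread
    Require not ip 192.0.2.0/24
</RequireAll>
```

After changing method restrictions, confirm the policy from the server's own access log rather than assuming it: a request with an unlisted method should be logged with a 403 status.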
