IBM Support

Disabling OPTIONS method for Apache 2.4 HTTP server

How To


Summary

This document explains how to disable the OPTIONS method for an Apache HTTP server running on IBM i.

Steps

 

1. Edit the httpd.conf file for the HTTP server.  This is typically in directory /www/<instanceName>/conf/httpd.conf

2. Add these three lines in the httpd.conf file.

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^OPTIONS
RewriteRule .* - [F]

The RewriteCond line uses a built-in server variable called REQUEST_METHOD. It would be read as: "For HTTP request methods OPTIONS...". The third line, the RewriteRule, sets the URI pattern the rule applies to (.* matches every URI) and the action to take ([F] forbids the request). It would be read as: "forbid access for all URIs". Taken together, this rule will: "forbid access to all URIs for OPTIONS requests".

3. Restart the HTTP server for the change to take effect.

Additional Information

To test whether the OPTIONS method is enabled on an HTTP server, cURL can be used. If it is enabled, the results would be similar to this:

curl -i -X OPTIONS http://ipAddressOrHostName:port

HTTP/1.1 200 OK
Date: Mon, 08 Oct 2018 15:14:23 GMT
Server: Apache
Allow: OPTIONS,POST,GET,HEAD
Content-Length: 0
Content-Type: text/html

If it is disabled, the results would be similar to this:

HTTP/1.1 403 Forbidden
Date: Mon, 08 Oct 2018 15:25:00 GMT
Server: Apache
Content-Length: 208
Content-Type: text/html; charset=UTF-8
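The cURL check can be scripted so that it is repeated after every configuration change. The following is an added example, not part of the original IBM document: the function names and the sample responses are constructed for illustration, and treating a 405 status as "disabled" is an assumption that goes beyond the 403 produced by the rule shown here.

```shell
#!/bin/sh
# Classify a raw HTTP response, as printed by `curl -i -X OPTIONS ...`,
# read from stdin. Prints one of: enabled, disabled, unknown.
classify_options_response() {
    awk '
        { sub(/\r$/, "") }                  # curl -i output uses CRLF line endings
        NR == 1 { status = $2; next }       # status line: HTTP/1.1 <code> <reason>
        $0 == "" { body = 1 }               # blank line ends the header block
        body { next }                       # never look for headers inside the body
        tolower($0) ~ /^allow:/ { allow = 1 }
        END {
            # 403 is what the [F] flag returns; 405 (assumption) covers servers
            # that reject the method by other means.
            if (status == "403" || status == "405") print "disabled"
            else if (status ~ /^2/ && allow) print "enabled"
            else print "unknown"
        }'
}

# Live check against a server; the URL is supplied by the caller.
check_options() {
    curl -s -i -X OPTIONS "$1" | classify_options_response
}

# Constructed sample responses, modelled on the two outputs shown in this document.
sample_enabled() {
    printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\n'
    printf 'Allow: OPTIONS,POST,GET,HEAD\r\nContent-Length: 0\r\n\r\n'
}
sample_disabled() {
    printf 'HTTP/1.1 403 Forbidden\r\nServer: Apache\r\n'
    printf 'Content-Length: 208\r\n\r\n<html>Forbidden</html>\r\n'
}

# Offline demonstration on the constructed samples.
sample_enabled  | classify_options_response
sample_disabled | classify_options_response
```

For a live server, call check_options with the same URL form used in the cURL command: http://ipAddressOrHostName:port.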

 


Document Information

Modified date: 18 December 2019

UID: ibm10735209