PUT and DELETE methods still not allowed for domain

dudek888

Verified User
Joined
Jun 21, 2009
Messages
29
Location
Szczecin / Poland
Hi,

Wanting to allow PUT and DELETE methods for one domain, I added to Custom HTTPD Configurations in the CUSTOM 3 section: "AllowMethods GET POST HEAD PUT DELETE" and I disabled CWAF for this domain, but the command "nmap -p 80 --script http-methods localhost" still shows that only GET, HEAD and POST methods are allowed.
Any suggestions how to cure this?
 

ditto

Verified User
Joined
Apr 27, 2009
Messages
2,540
The new default setting for new DirectAdmin installs is now to allow all methods. The methods themselves do not pose any security risk. So I would just recommend that you change it to the new default like this:

Edit /usr/local/directadmin/custombuild/options.conf and change the line http_methods=GET:HEAD:POST to become http_methods=ALL - then do this:

Code:
cd /usr/local/directadmin/custombuild
./build update
./build rewrite_confs
 

ditto

After you change to http_methods=ALL in options.conf and do ./build rewrite_confs you should have this line number 9 in /etc/httpd/conf/extra/httpd-directories.conf:

Code:
AllowMethods reset

Do you have that line? To my understanding "reset" means if any methods were set earlier, reset the limitations and allow them all to be used. So I think DELETE should be allowed then.

Make sure that you do not have a custom overwrite of the file httpd-directories.conf
 

ditto

Update: I get the same as you when I test with your command:

Code:
[root@server ~]# nmap -p 80 --script http-methods localhost

Starting Nmap 6.40 ( http://nmap.org ) at 2020-02-08 21:46 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000072s latency).
PORT   STATE SERVICE
80/tcp open  http
|_http-methods: HEAD GET POST OPTIONS

Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds
[root@server ~]#

However, I am not sure DELETE is not allowed even when it is not displayed in the output. I think it still is allowed even if it's not in your output. Have you tested it for real?
 

ditto

It even says this in the DirectAdmin documentation at https://help.directadmin.com/item.php?id=700 :

Code:
To enable all the possible HTTP methods, just use:
cd /usr/local/directadmin/custombuild
./build set http_methods ALL
./build rewrite_confs

So I still think it should work if you test it for real.
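The "test it for real" check suggested in the replies above, as an added example that is not part of the thread or of DirectAdmin: it compares what OPTIONS advertises in its Allow header with the status each method actually receives. The local stand-in server, the request path and the rule that 405/501 mean "refused" are assumptions made for the demonstration.

```python
# Added example; the local server and the request path are constructed for the demo.
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

REJECTED = {405, 501}  # assumption: these statuses mean the method was refused

def _request(host, port, method, path):  # -> (status, Allow header or "")
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Allow") or ""
    finally:
        conn.close()

def probe(host, port, path, methods=("GET", "HEAD", "POST", "PUT", "DELETE")):
    """Send each method for real: {method: (status, listed_by_OPTIONS, accepted)}."""
    allow = _request(host, port, "OPTIONS", path)[1]
    listed = {m.strip().upper() for m in allow.split(",")}
    out = {}
    for m in methods:
        status = _request(host, port, m, path)[0]
        out[m] = (status, m in listed, status not in REJECTED)
    return out

class ConstructedServer(BaseHTTPRequestHandler):
    """Constructed stand-in: OPTIONS omits DELETE, yet DELETE is not refused."""
    def _reply(self, code, allow=None):
        self.send_response(code)
        if allow:
            self.send_header("Allow", allow)
        self.send_header("Content-Length", "0")
        self.end_headers()
    def do_OPTIONS(self): self._reply(200, "HEAD, GET, POST, OPTIONS")
    def do_GET(self): self._reply(404)   # method passes, path does not exist
    do_HEAD = do_POST = do_DELETE = do_GET
    def do_PUT(self): self._reply(405)   # method refused
    def log_message(self, *args): pass   # keep the demo quiet

def demo():
    with HTTPServer(("127.0.0.1", 0), ConstructedServer) as srv:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            return probe("127.0.0.1", srv.server_port, "/no-such-path")  # hypothetical path
        finally:
            srv.shutdown()

if __name__ == "__main__":
    print(demo())  # {method: (status, listed_by_OPTIONS, accepted)}
```

Against your own server, call `probe()` with a path that does not exist, so that an accepted PUT or DELETE changes nothing on disk.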
 