<Limit><LimitExcept> not working

Forum Moderators: phranque

Message Too Old, No Replies

<Limit><LimitExcept> not working

martinjamesroberts

11:04 am on Jun 19, 2008 (gmt 0)

How do I get <Limit><LimitExcept> to work on OSX server? I have apache version 1.3.33. I'm having a lot of problems with people using "CONNECT" etc through my site. I know that this is the only way to go but with Apache's instructions it just doesn't work. Please can anyone help?

jdMorgan

9:57 pm on Jun 19, 2008 (gmt 0)

Please post your best-effort code as a basis for discussion. It's hard to tell what the malady is if we can't see the patient...

<Limit> and <LimitExcept> are part of Apache core, and as such, are not "optionally-supported" -- They are supported if Apache is installed. So it's unlikely that the problem is in Apache or is OSX-related.

Jim

martinjamesroberts

7:43 am on Jun 20, 2008 (gmt 0)

Hi Jim, thanks for the response, I really only have a basic understanding of Apache and it's features. I presume this means I will need to install or enable apache core?

Anyway, this is the basic code I added to to httpd.conf as specified in the 'apache core' manual:-

<LimitExcept POST GET>
Require valid-user
</LimitExcept>

I just got an error message saying something similar to 'Require can not be used on this server'.

May I also ask if you would recommend that I 'limit' HEAD requests as I get quite a few of these too..

Thanks in advance

Martin

jdMorgan

2:01 pm on Jun 20, 2008 (gmt 0)

Apache core is the "core" of Apache. If you install Apache, you get the core -- It's built-in, and not optional.

Your problem is not with <LimitExcept> but rather with Require. See the Require directive documentation [httpd.apache.org] to find the reason for this problem -- As stated there, you need to add two additional directives in order to use Require.

You could also simply deny access instead of forcing a login:
<LimitExcept POST GET>
Order Allow,Deny
Deny from all
</LimitExcept>

The behaviour for HEAD requests is controlled by the restrictions you specify for GET, again as documented. HEAD is used by a client (e.g a browser) to check to see if a resource on your server has been updated and needs to be reloaded from the server. It is similar to a GET, except that the server does not return any content -- It only returns HTTP headers to tell the client about the current status of the requested resource. This mechanism is used to prevent wasting a large amount of bandwidth on the internet, and also to reduce the load on your server. Therefore, Limits on GET and HEAD should be identical, and in Apache, they must be identical -- There is no choice.

If you have only a basic understanding of Apache, then a week spent studying the documentation would be a good idea. There is basically no way to get a server properly working without a thorough understanding of the Apache directives. The Apache documentation can be a bit obscure at first -- See if the tutorials help. Once you understand how it works, the fact that the documentation is compact and somewhat terse becomes an asset, because it's easier to find the information you need. You'll also realize that every little note contains information that may be critical, for example, the fact that HEAD and GET are treated identically.

With respect, there is no way to succeed without thoroughly reading the docs for each and every directive you want to use.

Jim