Hi,
Some time ago I noticed a large number of OPTIONS requests coming into my
web servers and clogging my connections, e.g. OPTIONS / HTTP/1.0.
I don't have anything on my sites for which OPTIONS would be appropriate, so
I put this into my default site's .htaccess file:
<LimitExcept GET POST HEAD>
Deny from all
</LimitExcept>
and that seemed to do the trick:
$ telnet ... 80
Trying ...
Connected to ...
Escape character is '^]'.
OPTIONS / HTTP/1.0
HTTP/1.1 403 Forbidden
Date: Mon, 13 Oct 2008 14:59:40 GMT
Server: Apache
Content-Length: 202
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /
on this server.</p>
</body></html>
Connection closed by foreign host.
$
however this afternoon my servers again came under load, and checking the
Apache status pages there were lots of lines like this:
8-0 - 0/0/102 . 0.00 1 0 0.0 0.00 0.36 ::1
www.mysite.com OPTIONS * HTTP/1.0
and in checking that I see that although OPTIONS / is denied, OPTIONS * is
allowed:
$ telnet ... 80
Trying ...
Connected to ...
Escape character is '^]'.
OPTIONS * HTTP/1.0
HTTP/1.1 200 OK
Date: Mon, 13 Oct 2008 14:59:47 GMT
Server: Apache
Content-Length: 0
Connection: close
Content-Type: text/plain
Connection closed by foreign host.
$
Could anyone advise me on what this command does or means, and how I can
keep these requests out?
Thanks.
