How to disable HTTP 1.0 protocol in Apache?


HTTP 1.0 has security weakness related to session hijacking. I want to disable it on my web server.

3

There are 3 answers

0
wineguy On

This will (note the FUTURE tense - as of October 2018) be possible with Apache 2.5, using the PolicyVersion directive in mod_policy. The PolicyVersion directive sets the lowest level of the HTTP protocol that is accepted by the server, virtual host, or directory structure - depending on where the directive is placed.

First enable the policy module:

a2enmod mod_policy

Then in the server config, vhost, or directory (will not work in .htaccess), add:

PolicyVersion enforce HTTP/1.1 

Finally restart the server:

systemctl restart apache2

0
hjpotter92 On

You can check against the SERVER_PROTOCOL variable in a mod-rewrite clause. Be sure to put this rule as the first one.

RewriteEngine On
# Match only requests that announce themselves as HTTP/1.0
RewriteCond %{SERVER_PROTOCOL} ^HTTP/1\.0$
# ...but let the custom 403 document through, or ErrorDocument would loop
RewriteCond %{REQUEST_URI} !^/path/to/403/document.html$
# Answer 403 Forbidden without rewriting the URL
RewriteRule ^ - [F]

The additional negative check for !^/path/to/403/document.html$ is so that the forbidden page can be shown to the users. It would otherwise lead to a recursion.

0
AudioBubble On

If you are on a name-based virtual host (and each virtual server does not have its own separate IP address), then it is technically impossible to connect to your virtual host using HTTP/1.0; only the default server (the first virtual server defined) will be accessible. This is because HTTP/1.0 does not support the HTTP "Host" request header, and the Host header is required on name-based virtual hosts in order to "pick" which virtual host the request is being addressed to. In most cases, the response to a true HTTP/1.0 request will be a 400 Bad Request.

If you did manage to get that code working, but you later tried to use custom error documents (see the Apache core ErrorDocument directive), then the result of blocking a request would be an "infinite" loop: the server would try to respond with a 403 Forbidden response code and to serve the custom 403 error document. But this would result in another 403 error, because access to all resources (including the custom 403 page) is denied. So the server would generate another 403 error and then try to respond to it, creating another 403, and another, and another... This would continue until either the client or the server gave up.

I'd suggest something like:

# Apache 2.2 access-control syntax (on 2.4 this needs mod_access_compat)
SetEnvIf Request_Protocol "HTTP/1\.0$" Bad_Req
# Exempt the custom 403 page itself, otherwise ErrorDocument recurses
SetEnvIf Request_URI "^/path-to-your-custom-403-error-page\.html$" Allow_Bad_Req
Order Deny,Allow
Deny from env=Bad_Req
Allow from env=Allow_Bad_Req

In mod_rewrite, something like:

RewriteCond %{THE_REQUEST} HTTP/1\.0$
RewriteCond %{REQUEST_URI} !^/path-to-your-custom-403-error-page\.html$
# Forbid (403) without rewriting; the exemption above prevents the ErrorDocument loop
RewriteRule ^ - [F]
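As an added example (not part of any answer above, and not Apache's own code), the script below mirrors the decision that both hjpotter92's and AudioBubble's rules make, including the exemption for the custom 403 document that prevents the ErrorDocument loop, and adds a raw-socket probe so you can verify the deployed rule against a live server. The error-document path, the sample request lines and the host argument are constructed for illustration; Apache's REQUEST_URI carries no query string, which the path comparison reflects.

```python
import re
import socket
from typing import Optional, Tuple

# Hypothetical path of the custom 403 document (assumption; not from the original answers).
ERROR_DOC = "/path-to-your-custom-403-error-page.html"

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>HTTP/\d\.\d)$")


def parse_request_line(line: str) -> Tuple[str, str, str]:
    """Split 'GET /x HTTP/1.0' into (method, uri, protocol); raise on malformed input."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        raise ValueError(f"malformed request line: {line!r}")
    return m.group("method"), m.group("uri"), m.group("proto")


def should_forbid(request_line: str, error_doc: str = ERROR_DOC) -> bool:
    """Mirror the two RewriteCond lines: forbid HTTP/1.0 unless the request is for
    the 403 page itself. That exemption is what breaks the ErrorDocument recursion."""
    _, uri, proto = parse_request_line(request_line)
    path = uri.split("?", 1)[0]  # REQUEST_URI in Apache has no query string
    if proto != "HTTP/1.0":
        return False
    return path != error_doc


def probe(host: str, port: int = 80, path: str = "/", timeout: float = 5.0) -> Optional[int]:
    """Send a raw HTTP/1.0 request (with a Host header, as curl --http1.0 also does)
    and return the status code, so the rule can be checked on a running server.
    Returns None if the server closed the connection without a status line."""
    req = f"GET {path} HTTP/1.0\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        data = b""
        while b"\r\n" not in data:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    status = data.split(b"\r\n", 1)[0].split(b" ")
    if len(status) < 2 or not status[1].isdigit():
        return None
    return int(status[1])


if __name__ == "__main__":
    import sys

    # Constructed sample request lines exercising the rule, including the error-page exemption.
    for line in ("GET / HTTP/1.0", "GET /index.html?x=1 HTTP/1.1", f"GET {ERROR_DOC} HTTP/1.0"):
        print(f"{line:55s} -> {'403' if should_forbid(line) else 'pass'}")
    # Optional live check: python3 probe.py www.example.org (hypothetical host)
    if len(sys.argv) > 1:
        print("live HTTP/1.0 probe status:", probe(sys.argv[1]))
```

A quick equivalent from the shell is `curl -s -o /dev/null -w '%{http_code}' --http1.0 http://host/`, which should print 403 once the rule is in place and 200 for the same request over HTTP/1.1; the probe function above does the same thing without curl's automatic headers getting in the way.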