Apache limit PUT and DELETE

Question

I've been trying to use a <limit> tag to disable PUT and DELETE calls from being executed through our Apache server and have been unsuccessful.

Apache Version: 2.2

I am currently adding something like this to the inside of my httpd.conf file:

 <Directory />
   Options none
   AllowOverride none
   Order deny,allow
   Deny from all
   <Limit PUT DELETE TRACE>
        Order deny,allow
        Deny from all
    </Limit>
</Directory>

But I have been unable to get a successful restart on Apache while this line is in the file. Now, I know very little about Apache and I've been trying to follow along in some of the Apache docs I've found but have been unsuccessful.

With none of my changes this section of the httpd.conf looks like this:

 <Directory />
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

Any help would be appreciated.

Answer 1

http://wiki.linuxquestions.org/wiki/Securing_Apache#Disabling_PUT_and_DELETE

<Directory /usr/apache/www/myserver.com/htdocs>
    ...bunch of useful stuff
    <Limit PUT DELETE>
        Require user terribleUnguessableUsername235452309875wesaef
    </Limit>
</Directory>

According to Apache docs found at a hyperlink I do not have enough rep to include, you cannot restrict TRACE using a Limit directive.

Answer 2

If you can't restart Apache, there will be a line in the error log telling you what the problem is.

That said, I think a limit is not allowed inside a directory, but I'm not sure.

Note that TRACE can't be limited.

Answer 3

Trace can be limited in server.xml by adding allowTrace = false in connector tag.