PUT request results in 403 Forbidden - Need Apache to allow PUT requests

I am building a RESTFUL API and need to get Apache to accept PUT requests. Whenever I put to a URL, I am getting a 403 Forbidden error.

curl -X PUT api.example.com/api/foo

I have tried to add the following to my Virtual Directory (To no avail):


<Limit GET POST PUT DELETE HEAD OPTIONS>
    Order allow,deny
    Allow from all
</Limit>
<LimitExcept GET POST PUT DELETE HEAD OPTIONS>
    Order deny,allow
    Deny from all
</LimitExcept>

What other config settings might be causing this?

EDIT

I am re-writing my URL's, all get re-written to index.php as follows:


RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !\.
RewriteRule ^(.*)$ /api/index.php/$1 [L,QSA]


Add this to the .htaccess file in this folder

-- For Apache 2.2

<Limit GET POST PUT OPTIONS DELETE PATCH HEAD>
    Order allow,deny
    Allow from all
</Limit>
<LimitExcept GET POST PUT OPTIONS DELETE PATCH HEAD>
    Order deny,allow
    Deny from all
</LimitExcept>

-- For Apache 2.4

<Limit GET POST PUT OPTIONS DELETE PATCH HEAD>
    Require all granted
</Limit>
<LimitExcept GET POST PUT OPTIONS DELETE PATCH HEAD>
    Require all denied
</LimitExcept>

Note: you can remove methods which you dont want


Edit:

Add this to your Apache conf:

 Script PUT /api/index.php

This assumes your actual handler script is called index.php and it's located on /api.


At least with the last Apache's version (2.4.38) with modsecurity enabled, only these methods are allowed by default: GET HEAD POST OPTIONS

When a PUT request is made the error log of Apache2 returns this message:

[Wed May 06 11:46:56.680835 2020] [:error] [pid 20162] [client 172.16.x.x:58147] [client 172.16.12.144] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/share/modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "46"] [id "911100"] 
[msg "Method is not allowed by policy"] [data "PUT"] [severity "CRITICAL"] [ver "OWASP_CRS/3.1.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] [hostname "192.168.x.x"] [uri "/app/api/widgets/grid"] [unique_id "XrKHkEqec4EieQ@yCDCkkQAAABI"], referer: https://192.168.x.x/app

The best way to solve it is changing this policy in modsecurity, so edit the file "/etc/modsecurity/crs/crs-setup.conf" and uncomment the following lines adding PUT as allowed:

SecAction \
"id:900200,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT DELETE'"