PUT request results in 403 Forbidden - Need Apache to allow PUT requests

apache-2.2 httpd

I am building a RESTFUL API and need to get Apache to accept PUT requests. Whenever I put to a URL, I am getting a 403 Forbidden error.

curl -X PUT api.example.com/api/foo

I have tried to add the following to my Virtual Directory (To no avail):


<Limit GET POST PUT DELETE HEAD OPTIONS>
    Order allow,deny
    Allow from all
</Limit>
<LimitExcept GET POST PUT DELETE HEAD OPTIONS>
    Order deny,allow
    Deny from all
</LimitExcept>

What other config settings might be causing this?

EDIT

I am re-writing my URL's, all get re-written to index.php as follows:


RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !\.
RewriteRule ^(.*)$ /api/index.php/$1 [L,QSA]

Add this to the .htaccess file in this folder

-- For Apache 2.2

<Limit GET POST PUT OPTIONS DELETE PATCH HEAD>
    Order allow,deny
    Allow from all
</Limit>
<LimitExcept GET POST PUT OPTIONS DELETE PATCH HEAD>
    Order deny,allow
    Deny from all
</LimitExcept>

-- For Apache 2.4

<Limit GET POST PUT OPTIONS DELETE PATCH HEAD>
    Require all granted
</Limit>
<LimitExcept GET POST PUT OPTIONS DELETE PATCH HEAD>
    Require all denied
</LimitExcept>

Note: you can remove methods which you dont want


Edit:

Add this to your Apache conf:

 Script PUT /api/index.php

This assumes your actual handler script is called index.php and it's located on /api.


At least with the last Apache's version (2.4.38) with modsecurity enabled, only these methods are allowed by default: GET HEAD POST OPTIONS

When a PUT request is made the error log of Apache2 returns this message:

[Wed May 06 11:46:56.680835 2020] [:error] [pid 20162] [client 172.16.x.x:58147] [client 172.16.12.144] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/share/modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "46"] [id "911100"] 
[msg "Method is not allowed by policy"] [data "PUT"] [severity "CRITICAL"] [ver "OWASP_CRS/3.1.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] [hostname "192.168.x.x"] [uri "/app/api/widgets/grid"] [unique_id "XrKHkEqec4EieQ@yCDCkkQAAABI"], referer: https://192.168.x.x/app

The best way to solve it is changing this policy in modsecurity, so edit the file "/etc/modsecurity/crs/crs-setup.conf" and uncomment the following lines adding PUT as allowed:

SecAction \
"id:900200,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT DELETE'"

Related

Rescue disk is unable to see the lvm physical volumes
nginx restrict directory access by ip
Best way of integrating Mac OS X clients with Active Directory
Why would an .htaccess file result in 403 Forbidden when the only line is "Allow from all"?
Linux hardlink confusion
Impossible to stop raid device
IIS7 URL Rewrite breaks for URLs containing + characters
IP Address keeps getting assigned that is already in use
wireless between 2 buildings
MySQL show table status always returns Data_free 17825792
Which is the correct way to restart Solr
What are the semaphore arrays on Linux?