The Apache HTTP Server by default doesn't enable all HTTP methods defined in RFC 2616. When examining your current configuration and OPTIONS response, we can see only GET, HEAD, POST, and OPTIONS are allowed.
Dav On
Allow from all
This configuration has several limitations:
- WebDAV (Dav On) is enabled but not properly configured for full method support
- PUT is technically allowed but doesn't appear in OPTIONS response
- DELETE, TRACE, and CONNECT methods are completely missing
Here's how to properly configure Apache to support all standard HTTP methods:
Option 1: Using mod_dav for full WebDAV support (recommended for PUT/DELETE operations)
Dav On
Options Indexes FollowSymLinks
AllowOverride None
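# Apache 2.2 access control (handled by mod_access_compat on 2.4):
Order allow,deny
Allow from all
# Apache 2.4 equivalent; use one form, not both:
Require all granted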
Option 2: Manual method configuration without WebDAV
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
# AllowMethods is provided by mod_allowmethods (Apache 2.3 and later)
AllowMethods GET POST PUT DELETE HEAD OPTIONS TRACE CONNECT
After making changes, verify with:
curl -v -X OPTIONS http://yourserver.com/
Expected response headers should include:
HTTP/1.1 200 OK
Allow: GET,HEAD,POST,PUT,DELETE,OPTIONS,TRACE,CONNECT
- Ensure mod_dav is loaded: a2enmod dav
- Check for conflicting .htaccess files
- Verify proper filesystem permissions for write operations
- Check Apache error logs for specific method rejection messages
When enabling all HTTP methods:
- TRACE method can expose security risks (Cross-Site Tracing)
- CONNECT should be carefully controlled for proxy functionality
- PUT and DELETE operations should implement proper authentication
- Consider using
to restrict methods for specific URLs
The current configuration in your .htaccess file shows you're using the LimitExcept directive, which actually restricts methods rather than enables them. The Allow header in your telnet output confirms only GET, HEAD, POST, and OPTIONS are currently supported.
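An added example (not part of the original answer): a small Python check that reads the output of the `curl -v -X OPTIONS` verification step and flags the advertised methods named in the security list above. The `SAMPLE` text is constructed, and the function names and the `RISKY` table are this example's own.

```python
import re

# Risk notes taken from the security list above; other methods are treated as routine.
RISKY = {
    "TRACE": "can expose Cross-Site Tracing",
    "CONNECT": "proxy functionality; control carefully",
    "PUT": "requires proper authentication",
    "DELETE": "requires proper authentication",
}

def parse_allow(response_text):
    """Return the set of methods advertised in Allow headers.

    Accepts raw response headers or `curl -v` output, where response
    header lines carry a leading "< ".
    """
    methods = set()
    for line in response_text.splitlines():
        match = re.match(r"^(?:<\s)?allow\s*:(.*)$", line.strip(), re.IGNORECASE)
        if match:
            # Several Allow headers may be present; merge them all.
            methods.update(m.strip().upper() for m in match.group(1).split(",") if m.strip())
    return methods

def audit_allow(response_text):
    """Map each advertised risky method to the reason it needs review."""
    advertised = parse_allow(response_text)
    return {m: RISKY[m] for m in sorted(advertised) if m in RISKY}

# Constructed sample of `curl -v -X OPTIONS` output (not captured from a real server).
SAMPLE = """\
> OPTIONS / HTTP/1.1
> Host: yourserver.com
>
< HTTP/1.1 200 OK
< Allow: GET,HEAD,POST,PUT,DELETE,OPTIONS,TRACE,CONNECT
< Content-Length: 0
"""

if __name__ == "__main__":
    for method, reason in audit_allow(SAMPLE).items():
        print(f"{method}: {reason}")
```

The Allow header is advisory: as noted above, PUT can be accepted without being listed, so confirm each finding with a real request. In Apache, TRACE is switched off with `TraceEnable off`.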
In Apache 2.2, several factors can prevent full HTTP method support:
1. Missing DAV module (for WebDAV methods like PUT, DELETE)
2. Overly restrictive Limit/LimitExcept directives
3. Missing Require valid-user for authenticated methods
4. Module conflicts (e.g., mod_rewrite interfering)
Here's how to properly enable all methods in Apache 2.2:
LoadModule dav_module modules/mod_dav.so
Dav On
Options Indexes FollowSymLinks
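# "Require all granted" is Apache 2.4 syntax; on 2.2 use "Order allow,deny" and "Allow from all" instead
Require all granted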
# Alternative if you need authentication:
#
# AuthType Basic
# AuthName "Restricted"
# AuthUserFile /path/to/.htpasswd
# Require valid-user
#
After making changes, verify using cURL:
curl -v -X OPTIONS http://yourserver.com/
curl -v -X PUT -d "test" http://yourserver.com/testfile.txt
curl -v -X DELETE http://yourserver.com/testfile.txt
If methods still don't appear in OPTIONS response:
1. Check Apache error logs: tail -f /var/log/apache2/error.log
2. Verify mod_dav is loaded: apache2ctl -M | grep dav
3. Test with minimal configuration to rule out conflicts
4. Check for overriding .htaccess files in parent directories
While enabling all methods is useful for development, consider these security measures for production:
Require valid-user
# Restrict to specific IP ranges if needed
Require ip 192.168.1.0/24
Require valid-user
Require group admins