diff --git a/defaults/main/1_main.yml b/defaults/main/1_main.yml
index 8b490eb..94555d3 100644
--- a/defaults/main/1_main.yml
+++ b/defaults/main/1_main.yml
@@ -91,5 +91,6 @@ defaults_apache:
security:
restricted_methods: ['GET', 'POST', 'HEAD']
+ dangerous_methods: ['TRACE', 'CONNECT']
debug: false
diff --git a/defaults/main/2_site.yml b/defaults/main/2_site.yml
index 9b96fd5..706949f 100644
--- a/defaults/main/2_site.yml
+++ b/defaults/main/2_site.yml
@@ -26,7 +26,8 @@ defaults_site:
security: # https://www.nixpal.com/apache-httpd-hardening/
disable_root_index: true
disable_ssi_cgi: true
- restrict_methods: true
+ restrict_methods: true # disable anything but GET/POST/HEAD methods; if you're running a web-application you might need to disable this filter
+ deny_dangerous_methods: true # if 'restrict_methods' is disabled - this will still deny 'TRACE' & 'CONNECT' as they might open your server/services up to attacks
redirect:
target: 'https://github.com/ansibleguy'
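Review bot: The new comment on `restrict_methods` hardcodes "GET/POST/HEAD", but the set actually enforced comes from `defaults_apache.security.restricted_methods` (changed in the first hunk), so the comment will drift if that list is overridden; `# deny every method not listed in 'restricted_methods'; web-applications may need this disabled` keeps the two in sync. The same applies to `deny_dangerous_methods`, whose comment could reference `dangerous_methods` instead of spelling out TRACE and CONNECT. Both inline comments also run well past 120 columns; moving them above their keys would keep the file lint-clean. The `defaults_site` mapping starts above this hunk.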
diff --git a/templates/etc/apache2/sites-available/inc/site_https_config.j2 b/templates/etc/apache2/sites-available/inc/site_https_config.j2
index 26b318a..8f73a7a 100644
--- a/templates/etc/apache2/sites-available/inc/site_https_config.j2
+++ b/templates/etc/apache2/sites-available/inc/site_https_config.j2
@@ -18,15 +18,26 @@
{% endif %}
# security config
-{% if site.security.restrict_methods %}
+{% if site.security.restrict_methods | bool %}
RewriteEngine On
- RewriteCond %{REQUEST_METHOD} ^(?!{% for method in APACHE_CONFIG.security.restricted_methods %}{{ method }}{% if not loop.last %}|{% endif %}{% endfor %})
- RewriteRule .* - [F]
+ RewriteCond %{REQUEST_METHOD} ^(?!{{ for method in APACHE_CONFIG.security.restricted_methods | join('|') }})
+ RewriteRule .* - [L,R=405]
Require all denied
+{% elif site.security.deny_dangerous_methods | bool %}
+
+ RewriteEngine On
+ RewriteCond %{REQUEST_METHOD} ^({{ for method in APACHE_CONFIG.security.dangerous_methods | join('|') }})
+ RewriteRule .* - [L,R=405]
+
+
+
+ Require all denied
+
+
{% endif %}
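Review bot: `{{ for method in APACHE_CONFIG.security.restricted_methods | join('|') }}` on the first RewriteCond line (and the same construct in the new `deny_dangerous_methods` branch) is not valid Jinja2 — `for` is a statement tag, not an expression, so rendering fails with a TemplateSyntaxError before any config is written; since the loop was already replaced by the filter, the lines should read `RewriteCond %{REQUEST_METHOD} ^(?!{{ APACHE_CONFIG.security.restricted_methods | join('|') }})` and `RewriteCond %{REQUEST_METHOD} ^({{ APACHE_CONFIG.security.dangerous_methods | join('|') }})`. The `elif` branch also carries six empty lines around the copied `Require all denied`, which end up verbatim in the rendered vhost; drop them to match the first branch. In both branches `Require all denied` sits outside any `<Limit>`/`<LimitExcept>` container visible in this hunk — if none encloses it further up the template, it denies every request for the site rather than only the matched methods, which is worth confirming against the rendered output. The surrounding vhost block starts outside this hunk.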