added denial of TRACE and CONNECT methods

defaults/main/1_main.yml

@@ -91,5 +91,6 @@ defaults_apache:
 
   security:
     restricted_methods: ['GET', 'POST', 'HEAD']
+    dangerous_methods: ['TRACE', 'CONNECT']
 
 debug: false

defaults/main/2_site.yml

@@ -26,7 +26,8 @@ defaults_site:
   security:  # https://www.nixpal.com/apache-httpd-hardening/
     disable_root_index: true
     disable_ssi_cgi: true
-    restrict_methods: true
+    restrict_methods: true  # disable anything but GET/POST/HEAD methods; if you're running a web-application you might need to disable this filter
+    deny_dangerous_methods: true  # if 'restrict_methods' is disabled - this will still deny 'TRACE' & 'CONNECT' as they might open your server/services up to attacks
 
   redirect:
     target: 'https://github.com/ansibleguy'

templates/etc/apache2/sites-available/inc/site_https_config.j2

@@ -18,15 +18,26 @@
 {% endif %}
 
   # security config
-{% if site.security.restrict_methods %}
+{% if site.security.restrict_methods | bool %}
   <IfModule mod_rewrite.c>
     RewriteEngine On
-    RewriteCond %{REQUEST_METHOD} ^(?!{% for method in APACHE_CONFIG.security.restricted_methods %}{{ method }}{% if not loop.last %}|{% endif %}{% endfor %})
+    RewriteCond %{REQUEST_METHOD} ^(?!{{ for method in APACHE_CONFIG.security.restricted_methods | join('|') }})
-    RewriteRule .* - [F]
+    RewriteRule .* - [L,R=405]
   </IfModule>
   <Directory />
     <LimitExcept {% for method in APACHE_CONFIG.security.restricted_methods %}{{ method }} {% endfor %}>
       Require all denied
     </LimitExcept>
   </Directory>
+{% elif site.security.deny_dangerous_methods | bool %}
+  <IfModule mod_rewrite.c>
+    RewriteEngine On
+    RewriteCond %{REQUEST_METHOD} ^({{ for method in APACHE_CONFIG.security.dangerous_methods | join('|') }})
+    RewriteRule .* - [L,R=405]
+  </IfModule>
+  <Directory />
+    <Limit {% for method in APACHE_CONFIG.security.dangerous_methods %}{{ method }} {% endfor %}>
+      Require all denied
+    </Limit>
+  </Directory>
 {% endif %}