limit_access inconsistency/issues
Maxim Dounin
mdounin at mdounin.ru
Wed Feb 9 17:45:42 MSK 2011
Hello!

On Wed, Feb 09, 2011 at 12:37:18PM +0000, Pavel Kolla wrote:
> I am trying to use limit_access to control availability of some locations via
> certain methods (in my scenario there are places where only POST is allowed by
> app logic). However this is what I encountered:
>
> location /t/
> {
>     limit_except GET
>     {
>         deny all;
>     }
> }
>
> # curl -I -X GET pkolla:88/t/index.html
> HTTP/1.1 200 OK
> # curl -I -X POST pkolla:88/t/index.html
> HTTP/1.1 403 Forbidden

Expected: GET is allowed, POST is rejected due to "deny all" in
"limit_except GET" block.

> location /t/
> {
>     limit_except POST
>     {
>         deny all;
>     }
> }
>
> # curl -I -X GET pkolla:88/t/index.html
> HTTP/1.1 403 Forbidden
> # curl -I -X POST pkolla:88/t/index.html
> HTTP/1.1 405 Not Allowed

Expected: GET is rejected due to "deny all" in "limit_except POST"
block, POST isn't supported for static files and hence returns 405
(method not allowed).

> IMHO in first case responses should be 200/405 and in second 405/200, even if
> access returns 403 rather than 405 (being related to http_access_module) it
> still should be consistent and return 200 for POST in second case instead of
> 405.
>
> Am I totally missing the concept or is there something else I didn't get?

405 is used solely as an indicator that requested method isn't
supported by a resource. For access restrictions codes 401 (for
authorization-based restrictions) and 403 (for other restrictions)
are used. Directive limit_except allows you to specify different
access restrictions for different methods, but it's still access
restrictions.

Maxim Dounin
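
The behaviour explained in this message, as a small Python model added here for illustration (it is not nginx code and not part of the original message): the access restriction is evaluated first and yields 403, and only a request that passes it reaches the static file handler, which answers 405 for methods it does not serve. The function names are hypothetical, the two configurations are the snippets quoted above, and the model assumes the location serves static files only; the rule that allowing GET also allows HEAD comes from the nginx documentation for limit_except.

```python
import re

# Constructed from the two configurations quoted in the thread.
CONF_GET = "location /t/ { limit_except GET { deny all; } }"
CONF_POST = "location /t/ { limit_except POST { deny all; } }"

# Methods the static file handler serves; anything else gets 405 from it.
STATIC_METHODS = {"GET", "HEAD"}


def parse_limit_except(conf):
    """Return (exempt_methods, denies_all) for the first limit_except block, or None."""
    m = re.search(r"limit_except\s+([A-Z\s]+?)\s*\{([^}]*)\}", conf)
    if m is None:
        return None
    exempt = set(m.group(1).split())
    if "GET" in exempt:
        exempt.add("HEAD")  # allowing GET makes HEAD allowed as well
    denies_all = re.search(r"\bdeny\s+all\s*;", m.group(2)) is not None
    return exempt, denies_all


def status_for(conf, method):
    """Model the order of evaluation: access restriction first, content handler second."""
    limit = parse_limit_except(conf)
    if limit is not None:
        exempt, denies_all = limit
        # The block applies to every method that is NOT listed after limit_except.
        if method not in exempt and denies_all:
            return 403  # access restriction, never 405
    if method not in STATIC_METHODS:
        return 405  # handler does not support the method
    return 200


def matrix(conf, methods=("GET", "HEAD", "POST")):
    """Status code per method for one configuration."""
    return {m: status_for(conf, m) for m in methods}


if __name__ == "__main__":
    for name, conf in (("limit_except GET", CONF_GET), ("limit_except POST", CONF_POST)):
        print(name, matrix(conf))
```

With a content handler that accepts POST (an application behind the location instead of static files), the second configuration would let POST through and keep answering 403 for everything else.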