While updating an Apache httpd from 2.2 to 2.4 we encountered a strange problem. The web server is used as a reverse proxy for a WebDAV application. Therefore the original httpd 2.2 directive allowed a couple of WebDAV methods. It looked similarly to this:
<Location "/dav"> <LimitExcept HEAD GET POST CONNECT PUT DELETE OPTIONS PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK TRACE> Order deny,allow Allow from all </LimitExcept> </Location>
Adapting this to httpd 2.4 was not a big deal:
<Location "/dav"> AllowMethods HEAD GET POST CONNECT PUT DELETE OPTIONS PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK TRACE Require all granted </Location>
But this didn’t work as expected. While
OPTIONS did work,
PROPPATCH, etc. were not. My tests with curl always returned HTTP 405.
curl -X PROPFIND https://example.org/dav <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>405 Method Not Allowed</title> </head><body> <h1>Method Not Allowed</h1> <p>The requested method PROPFIND is not allowed for the URL /.</p> </body></html>
As it turns out, there’s a bug report from 2013 in the Apache bug tracker for a similar issue. For whatever reason an enabled
DirectoryIndex directive blocks the WebDAV methods.
This bug has been fixed in the httpd 2.5 trunk, but not in http 2.4 (and probably never will). Therefore disabling
DirectoryIndex is the mandatory workaround:
<Location "/dav"> DirectoryIndex disabled AllowMethods HEAD GET POST CONNECT PUT DELETE OPTIONS PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK TRACE Require all granted </Location>
As this issue didn’t arise until production hours and a quick fix was needed, I’ve yet to confirm if
mod_dav_fs are even needed. I suspect they are not.