enforcing access is via urlbase

jay ball jay at veggiespam.com
Fri Oct 1 17:59:40 UTC 2004


bugzilla at glob.com.au wrote:

>>Another point is that if the end-user is using HTTP/1.0 to access 
>>Bugzilla, then there is no way for Bugzilla to know which hostname they 
>>used. (although we can certainly tell if they're using SSL or not)
> 
> 
> ah.  i'd forgotten about that.  that would be a show stopper.
> 

what about

RewriteCond %{THE_REQUEST}	!.*HTTP/...$	[OR]
RewriteCond %{HTTP:Server}	!.*		[OR]
RewriteCond %{THE_REQUEST}	.*HTTP/1.0$
RewriteRule ^/.*	/http-1.1-required.html

The first line might handle HTTP 0.9 or requests without the HTTP doodad 
on the request line, the second looks for a server header, and the final 
does HTTP 1.0.  Someone with less nachos in the stomach might be able to 
perfect the suggestion; i have not tested it.

Max wrote:
> 	You know, to be fair, with our CSS redesign plans, we're going to be
> dropping support for most clients that would be using HTTP/1.0 anyhow.

So, if this is true, then just ban HTTP/1.0.  Q: how many v1.0 or v0.9 
requests do many of you get any longer?

Random thought.

-j
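
An added example, not part of the original message: one way to express the same intent in mod_rewrite, refusing any request that is not HTTP/1.1 or that arrives with an empty Host header. It assumes the header that matters for urlbase enforcement is Host, and that a static /http-1.1-required.html (the name used in the message) exists under the DocumentRoot.

```apache
# Added example (assumptions: Host is the header that matters for urlbase
# checks; /http-1.1-required.html is a static page under the DocumentRoot).
RewriteEngine On

# Never rewrite the notice page itself, so the rule cannot loop when it is
# used in a per-directory (.htaccess) context.
RewriteCond %{REQUEST_URI}     !^/http-1\.1-required\.html$

# SERVER_PROTOCOL is the protocol version Apache parsed from the request
# line, so HTTP/0.9 and HTTP/1.0 both fail this match.
# [OR] chains this condition with the next one; the pair is then ANDed
# with the exclusion above.
RewriteCond %{SERVER_PROTOCOL} !^HTTP/1\.1$ [OR]

# HTTP_HOST is empty when the client sent no Host header, which is the
# case where the application cannot tell which hostname was used.
RewriteCond %{HTTP_HOST}       ^$

# Serve the notice page in place of whatever was requested.
RewriteRule ^ /http-1.1-required.html [L]
```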


