Sygmoral

Reputation: 7181

Debugging Apache AllowMethods error

We are running an API for our mobile app, and with the right HTTP headers, have been able to enable developing it locally using the live API without the need of a 'CORS plugin'.

Now, it does not work anymore, probably since moving the domain name from one user to another (using DirectAdmin), but I cannot figure out how to fix it. Moving the domain back to the original user does not fix it. We have been running Apache 2.4 for quite a while already, that's nothing new.

I tried adding the following to httpd.conf:

<Location /api>
    AllowMethods GET POST OPTIONS DELETE PUT
    Require all granted
</Location>
<Directory /home/username/domains/example.com/private_html/www/api>
    AllowMethods GET POST OPTIONS DELETE PUT
    Require all granted
</Directory>

I verified being in the right VirtualHost block by successfully changing the ErrorLog file location.

I also added Require all granted to all .htaccess documents from the private_html folder to the api folder, but the error log keeps saying: [allowmethods:error] [pid ...] [client ...] AH01623: client method denied by server configuration: 'OPTIONS' to /home/username/domains/example.com/private_html/www/api

Note that our mobile app actually still works (GET and POST), but PUT and DELETE don't, just like OPTIONS. It seems like the requests never even hit my domain folder, but get stuck in Apache config.

How can I debug this? How can I get Apache to tell me which policy is preventing that method?

Upvotes: 1

Views: 4669

Answers (3)

peter

Reputation: 1

I ran into the same error recently and I was able to fix it with these steps:

  1. Log in to your cPanel account.
  2. Navigate to the "Security" section and click on "ModSecurity" or "ModSecurity Tools."
  3. Locate the "Rules List" or "Rule IDs" section.
  4. Search for the specific rules that are causing the "405 Method Not Allowed" error for PUT and DELETE methods. These rules might be blocking or restricting these HTTP methods.
  5. Once you have identified the rules, disable or whitelist them to allow PUT and DELETE requests. You can either disable the rules entirely or modify them to exclude PUT and DELETE methods.
  6. Save the changes and test your API endpoints that use PUT and DELETE methods to ensure they are no longer blocked.

Upvotes: 0

guuslangelaar

Reputation: 26

@Sygmoral This also fixed my problem!

If you ever get this message inside a new DirectAdmin environment as the response to an OPTIONS request:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>405 Method Not Allowed</title>
</head><body>
<h1>Method Not Allowed</h1>
<p>The requested method OPTIONS is not allowed for this URL.</p>
</body></html>

Or if you've checked the Apache error logs and they contain: AH01623: client method denied by server configuration: 'OPTIONS'

You should head to the "Custom HTTPD Configurations" section in DirectAdmin (as admin) and add these lines to your domain's custom httpd.conf:

<Location "/">
    AllowMethods GET POST OPTIONS DELETE PUT
    Require all granted
</Location>

Upvotes: 0

Sygmoral

Reputation: 7181

I finally solved the issue with this httpd.conf block:

<Location "/">
    AllowMethods GET POST OPTIONS DELETE PUT
    Require all granted
</Location>

I was originally trying to limit that to just the API URL, but apparently that gets complicated because of RewriteRules. The first request on /api is passed through, but I needed a new block for each RewriteRule that happens. So I just used Location "/" to fully allow it... hope that doesn't introduce security issues.

Upvotes: 0
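
For the debugging question above, an added example (not part of any post in this thread): a Python script that groups AH01623 entries from the Apache error log by the target path and method that mod_allowmethods refused, which shows every path a rewritten request ends up at. The sample log lines, including the index.php path, timestamps and client addresses, are constructed to follow the message format quoted in the question.

```python
import re
from collections import Counter, defaultdict

# The denial message quoted in the question; Apache may append ", referer: ...".
DENIED = re.compile(
    r"AH01623: client method denied by server configuration: "
    r"'(?P<method>[^']*)' to (?P<target>.+?)(?:, referer: .*)?$"
)
CLIENT = re.compile(r"\[client ([^\]]+)\]")

# Constructed sample input (not taken from a real server).
SAMPLE_LOG = """
[Tue Mar 05 10:15:01.123456 2019] [allowmethods:error] [pid 4021] [client 203.0.113.7:51544] AH01623: client method denied by server configuration: 'OPTIONS' to /home/username/domains/example.com/private_html/www/api
[Tue Mar 05 10:15:02.223456 2019] [allowmethods:error] [pid 4021] [client 203.0.113.7:51544] AH01623: client method denied by server configuration: 'PUT' to /home/username/domains/example.com/private_html/www/api/index.php, referer: http://localhost:8100/
[Tue Mar 05 10:15:03.000000 2019] [core:notice] [pid 4000] AH00094: Command line: '/usr/sbin/httpd'
[Tue Mar 05 10:15:04.323456 2019] [allowmethods:error] [pid 4022] [client 203.0.113.7:51550] AH01623: client method denied by server configuration: 'OPTIONS' to /home/username/domains/example.com/private_html/www/api
"""


def parse_denials(lines):
    """Yield (method, target, client) for every AH01623 line; skip the rest."""
    for line in lines:
        match = DENIED.search(line.rstrip("\n"))
        if not match:
            continue
        client = CLIENT.search(line)
        yield match["method"], match["target"], client.group(1) if client else None


def denied_by_target(lines):
    """Map each denied target path to a Counter of the methods refused there."""
    grouped = defaultdict(Counter)
    for method, target, _client in parse_denials(lines):
        grouped[target][method] += 1
    return dict(grouped)


if __name__ == "__main__":
    # Replace SAMPLE_LOG with the contents of the vhost's ErrorLog file.
    for target, methods in denied_by_target(SAMPLE_LOG.splitlines()).items():
        print(target)
        for method, count in methods.most_common():
            print(f"  {method}: {count}")
```

Each distinct target in the output is a path that the effective configuration does not allow that method on, so it is the list to compare against the Location and Directory blocks before falling back to Location "/".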
