Comment posted Disable Apache HTTP TRACE method to improve Apache security by .
Recent comments by
Tags: Disable Apache HTTP TRACE method to improve Apache security
Thursday, 25th April 2024
Comment posted Disable Apache HTTP TRACE method to improve Apache security by .
If you're new here, you may want to subscribe to my RSS feed. Thanks for visiting!
Tags: Disable Apache HTTP TRACE method to improve Apache security
This entry was posted on Thursday, April 25th, 2024 at 3:10 am and is filed under System Administration. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.
If ye then be risen with Christ, seek those things which are above,
where Christ sitteth on the right hand of God.
-- Colossians 3:1
☩ Walking in Light with Christ – Faith, Computing, Diary 2006-2020 Powered by:
Pc Freak Solutions and Comments (RSS).
Verbatim copying and distribution of this entire article is permitted in any medium, provided this notice is preserved.
Copyright (C) 2020 by Georgi Georgiev - Website Privacy Policy
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)
In method #1, the rewrite rules will not work if they are put into the .htaccess file. They must go into httpd.conf.
View CommentView CommentMozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.14) Gecko/2009091008 Iceweasel/3.0.14 (Debian-3.0.14-1)
Thanks for the note Chad!
View CommentView CommentStill, are you sure that the rewrite engine is enabled for the directory where you try to put the rewrite rules?
It could be also due to difference in Apache version or Linux distrubution. Which versions are you using?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)
I definitely have the rewrite engine enabled, because the same rule works for the TRACK request method. I admit that it could be the version of Apache or the OS, but it’s from my hosting company, and I don’t have access to that information.
While researching this, I’ve found many accounts of people who implemented the .htaccess rules and found that they didn’t work. I also found several instances where people “in the know” said that the rewrite directives had to go into httpd.conf and that it wouldn’t work in .htaccess.
View CommentView CommentMozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.14) Gecko/2009091008 Iceweasel/3.0.14 (Debian-3.0.14-1)
I see. OK it’s nice you share, this issue. Hopefully someone else would benefit from it.
Thanks for your comments.
Will see you around !
Best
View CommentView CommentMozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.14) Gecko/2009091008 Iceweasel/3.0.14 (Debian-3.0.14-1)
By the way I just checked your website. There is pretty cool stuff on it. That Christian Band Servant is quite interesting. I’m glad you’re a Christian too 🙂 You can check my blog christian section if you haven’t checked it yet.
View CommentView CommentMozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.6) Gecko/20100203 Iceweasel/3.5.8 (like Firefox/3.5.8)
On Debian/Lenny there is a file /etc/apache2/conf.d/security that has:
# Allow TRACE method
#
# Set to “extended” to also reflect the request body (only for testing and
# diagnostic purposes).
#
# Set to one of: On | Off | extended
#
#TraceEnable Off
TraceEnable On
You can simple uncomment the option you want.
View CommentView CommentMozilla/5.0 (X11; U; Linux x86_64; en-us) AppleWebKit/531.2+ (KHTML, like Gecko) Safari/531.2+ Debian/squeeze/sid () Epiphany/2.29.92
That’s a good tip thanks a bunch!
View CommentView CommentMozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16
Insertion of the rewrite rule in the .htaccess file worked for me. However, it only seemed to work for the http connection. The trace is still working on the https connection.
How to disable it for both?
I am using this site to test: http://web-sniffer.net/
View CommentView CommentMozilla/5.0 (X11; U; Linux x86_64; en-us) AppleWebKit/531.2+ (KHTML, like Gecko) Version/5.0 Safari/531.2+ Debian/squeeze (2.30.6-1) Epiphany/2.30.6
Check if the mod_rewrite is enabled for https? Also does the https access recognize mod rewrite rules you place in .htaccess?
View CommentView CommentMozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16
I don’t have access to the httpd.conf file. It’s a shared hosting setup so I can only modify .htaccess
I inserted this code into .htaccess:
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* – [F]
I then went to this site to test:
http://web-sniffer.net/
An http request gave the desired “405 Method Not Allowed” response. An https request did not.
So, I’m stumped. Is there some way in the .htaccess to explicitly spell out rewrite conditions for https requests? Is that what is needed?
View CommentView CommentMozilla/5.0 (X11; U; Linux x86_64; en-us) AppleWebKit/531.2+ (KHTML, like Gecko) Version/5.0 Safari/531.2+ Debian/squeeze (2.30.6-1) Epiphany/2.30.6
Maybe your shared hosting provider has somehow disabled the use of .htaccess rules for the https?
View CommentView CommentCan you contact them and ask them if there are some restrictions, this might be a possible cause?
Mozilla/5.0 (Windows; U; Windows NT 5.1; es-AR; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4
Brillante Angelegenheit. Ich finde es fabelhaft, was ihr alles Aufbaut. Ihr habt einen Fan mehr
View CommentView Comment