disable HTTP trace on Apache

I have been told that enabling HTTP TRACE support on Apache poses a security risk. I want to disable this and I know that its not as simple as modifying the httpd.conf file. Here are the instruction I got for disabling HTTP TRACE:
---------------------------------------------------------------------
If you are using Apache, you can use mod_rewrite to disable the TRACE and TRACK methods. Add the following lines in the main part of your configuration file and for each virtual host (if you use virutal hosts):

RewriteEngine on RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) RewriteRule .* - [F]

Be sure to add these lines in the main part of the configuration file and, if you use virutal hosts, in every VirtualHost section.
---------------------------------------------------------------------
I am not quite sure if I understand the directions. How do I use the mod_rewrite module? Do I have to install it separately? If someone can give me details on how I can make this work, I would really apprecite. I am not too familiar with managing Apache webserver :(
The instruction also talks about add the code to the 'VirtualHost section'. Where exactly is that??
IUAATechAsked:
Who is Participating?
 
caterham_wwwCommented:
only, if you're unsing the virtualhosts. if they hava a '#' before each line, you're not unsig them. Add it inside a <Virtualhost> container like

<Virtualhost *>
   Documentroot /home...
   Servername www.sthing.com 
   RewriteEngine on
   RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
   RewriteRule .* - [F]
</Virtualhost>

But if you are not unsing vortualhosts, add the rewriteRules somewhere in "Section 2" of your httpd.conf
0
 
caterham_wwwCommented:
you'll need some linebreakes here

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

To check if mod_rewrite is loaded: Just place the rules into your <virtualhosts>-Sections.
> The instruction also talks about add the code to the 'VirtualHost section'. Where exactly is that??
It looks like, thar you're not using virtualhosts. This is a section at the bottom of httpd.conf. It is inside a <virtualhost ...>....</virtualhost>-Container.

If you don't use virtual hosts, just place the rules somewhere into "Section 2 Main Server Config" in your httpd.conf. But make sure, it's outside a <Directory>....</Directory>-container
0
 
IUAATechAuthor Commented:
>To check if mod_rewrite is loaded: Just place the rules into your <virtualhosts>-Sections.
Do you mean I should add
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
in the virtualhosts section of the httpd.conf file?
0
 
IUAATechAuthor Commented:
thanks!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.