[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

disable HTTP trace on Apache

Posted on 2005-04-08
4
Medium Priority
?
657 Views
Last Modified: 2008-02-01
I have been told that enabling HTTP TRACE support on Apache poses a security risk. I want to disable this and I know that its not as simple as modifying the httpd.conf file. Here are the instruction I got for disabling HTTP TRACE:
---------------------------------------------------------------------
If you are using Apache, you can use mod_rewrite to disable the TRACE and TRACK methods. Add the following lines in the main part of your configuration file and for each virtual host (if you use virutal hosts):

RewriteEngine on RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) RewriteRule .* - [F]

Be sure to add these lines in the main part of the configuration file and, if you use virutal hosts, in every VirtualHost section.
---------------------------------------------------------------------
I am not quite sure if I understand the directions. How do I use the mod_rewrite module? Do I have to install it separately? If someone can give me details on how I can make this work, I would really apprecite. I am not too familiar with managing Apache webserver :(
The instruction also talks about add the code to the 'VirtualHost section'. Where exactly is that??
0
Comment
Question by:IUAATech
  • 2
  • 2
4 Comments
 
LVL 27

Expert Comment

by:caterham_www
ID: 13740883
you'll need some linebreakes here

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

To check if mod_rewrite is loaded: Just place the rules into your <virtualhosts>-Sections.
> The instruction also talks about add the code to the 'VirtualHost section'. Where exactly is that??
It looks like, thar you're not using virtualhosts. This is a section at the bottom of httpd.conf. It is inside a <virtualhost ...>....</virtualhost>-Container.

If you don't use virtual hosts, just place the rules somewhere into "Section 2 Main Server Config" in your httpd.conf. But make sure, it's outside a <Directory>....</Directory>-container
0
 

Author Comment

by:IUAATech
ID: 13740936
>To check if mod_rewrite is loaded: Just place the rules into your <virtualhosts>-Sections.
Do you mean I should add
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
in the virtualhosts section of the httpd.conf file?
0
 
LVL 27

Accepted Solution

by:
caterham_www earned 800 total points
ID: 13740958
only, if you're unsing the virtualhosts. if they hava a '#' before each line, you're not unsig them. Add it inside a <Virtualhost> container like

<Virtualhost *>
   Documentroot /home...
   Servername www.sthing.com 
   RewriteEngine on
   RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
   RewriteRule .* - [F]
</Virtualhost>

But if you are not unsing vortualhosts, add the rewriteRules somewhere in "Section 2" of your httpd.conf
0
 

Author Comment

by:IUAATech
ID: 13741011
thanks!
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Over the last year I have answered a couple of basic URL rewriting questions several times so I thought I might as well have a stab at: explaining the basics, providing a few useful links and consolidating some of the most common queries into a sing…
It is possible to boost certain documents at query time in Solr. Query time boosting can be a powerful resource for finding the most relevant and "best" content. Of course the more information you index, the more fields you will be able to use for y…
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…
Despite its rising prevalence in the business world, "the cloud" is still misunderstood. Some companies still believe common misconceptions about lack of security in cloud solutions and many misuses of cloud storage options still occur every day. …
Suggested Courses
Course of the Month18 days, 22 hours left to enroll

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question