httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From 吴昊 <wu...@7500.com.cn>
Subject RE: [users@httpd] TraceEnable off directive not work
Date Wed, 24 Feb 2016 00:21:19 GMT
Ive tested on 2.2.29, TraceEnable works perfectly WITH rewrite rules together. I’ll try this
on 2.2.31 if it still works which I presume it will, our production 2.2.27s definitely need
an upgrade.

Thanks for the help guys, appreciated that

Cheers

Chris

发件人: Katherine Manfre [mailto:Katherine.Manfre@sita.aero]
发送时间: Wednesday, February 24, 2016 6:19 AM
收件人: users@httpd.apache.org
主题: Re: [users@httpd] TraceEnable off directive not work

Try removing the rewrite rules and see what you get. I've tested simply "TraceEnable Off"
without the rewrites on a build of apache 2.2.27 for RHEL and it works as expected:

Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
TRACE /
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>405 Method Not Allowed</title>
</head><body>
<h1>Method Not Allowed</h1>
<p>The requested method TRACE is not allowed for the URL /.</p>
</body></html>
Connection closed by foreign host.

The behavior is also the same in 2.2.31, which is the latest in the Apache 2.2.x branch.


Katherine Manfre


From: Rich Bowen [mailto:rbowen@rcbowen.com]
Sent: Tuesday, February 23, 2016 8:38 AM
To: users@httpd.apache.org<mailto:users@httpd.apache.org>
Subject: Re: [users@httpd] TraceEnable off directive not work


Sorry, brain cramp there. Tomcat. I see.

I wonder if you've had an opportunity to try this on 2.4 httpd. 2.2.27 is from nearly 3 years
ago.
On Feb 23, 2016 08:30, "Rich Bowen" <rbowen@rcbowen.com<mailto:rbowen@rcbowen.com>>
wrote:

What the heck is Apache-Coyote/1.1
On Feb 18, 2016 02:47, "吴昊" <wuhao@7500.com.cn<mailto:wuhao@7500.com.cn>>
wrote:
Hello,

I Just experienced a weird behavior of TraceEnable directive.

Before use this directive, i use mod_rewtire to disable trace and other unwanted HTTP method.
Since this directive been added, TRACE method start getting 200 return.
Ive tried both jmeter and telnet, the results are same, protection was gone.

Im running apache 2.2.27 on a Linux box, I add both TraceEnable directive along with Rewrite
directives together, thought it would be “more proper way to dong this” and a double protection

related configs in http.conf as follows:

TraceEnable off
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|PUT|DELETE)
RewriteRule .* - [R=405,L]

and results as follows:

TRACE / HTTP/1.1
HOST:www.domain.com.cn<http://www.domain.com.cn>

HTTP/1.1 200 OK
Date: Thu, 18 Feb 2016 07:36:35 GMT
Server: Apache-Coyote/1.1
X-Frame-Options: SAMEORIGIN
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 08:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: JSESSIONID=739A627F3C3DE5933230BE579D7D1693; Secure; HttpOnly
Transfer-Encoding: chunked

in access_log, can clearly see
[18/Feb/2016:15:36:29 +0800] "TRACE / HTTP/1.1" 200 10219 www.domain.com.cn<http://www.domain.com.cn>

after I removed this directive, just leave Rewrite directives, redirect are normal.

TRACE / HTTP/1.1
HOST:www.domain.com.cn<http://www.domain.com.cn>

HTTP/1.1 405 TRACE method is not allowed
Date: Thu, 18 Feb 2016 07:39:40 GMT
Server: Apache-Coyote/1.1
X-Frame-Options: SAMEORIGIN
Allow: OPTIONS
Content-Length: 0
Content-Type: text/plain

In access_log
[18/Feb/2016:15:39:32 +0800] "TRACE / HTTP/1.1" 405 - www.domain.com.cn<http://www.domain.com.cn>


I think this could indicates that "TraceEnable off" is bugged/not working.

Any thoughts? please advise.
Thank you

Cheers

Chris

Confidential Communication: The contents of this e-mail including any attachment are confidential
and intended solely for the person(s) to whom they are addressed. Any reader of this email
who is not the intended recipient is notified that any dissemination, distribution or copying
of this communication is strictly prohibited. If you have received this e-mail in error, please
notify the sender immediately and delete all copies from your computer system. Subsequent
alterations to this email after its transmission will be disregarded.
Mime
View raw message