httpd-users mailing list archives

From Rich Bowen <rbo...@rcbowen.com>
Subject Re: [users@httpd] TraceEnable off directive not work
Date Tue, 23 Feb 2016 13:30:57 GMT

What the heck is Apache-Coyote/1.1?

On Feb 18, 2016 02:47, "吴昊" <wuhao@7500.com.cn> wrote:

> Hello,
>
> I just experienced a weird behavior of the TraceEnable directive.
>
> Before using this directive, I use mod_rewrite to disable TRACE and other
> unwanted HTTP methods. Since this directive has been added, the TRACE method
> started getting a 200 return.
>
> I've tried both JMeter and telnet; the results are the same, protection was
> gone.
>
> I'm running Apache 2.2.27 on a Linux box. I added both the TraceEnable directive
> and the Rewrite directives together, thinking it would be the “more proper
> way of doing this” and a double protection.
>
> Related configs in http.conf are as follows:
>
> TraceEnable off
> RewriteEngine on
> RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|PUT|DELETE)
> RewriteRule .* - [R=405,L]
>
> and results as follows:
>
> TRACE / HTTP/1.1
> HOST:www.domain.com.cn
>
> HTTP/1.1 200 OK
> Date: Thu, 18 Feb 2016 07:36:35 GMT
> Server: Apache-Coyote/1.1
> X-Frame-Options: SAMEORIGIN
> Pragma: No-cache
> Cache-Control: no-cache
> Expires: Thu, 01 Jan 1970 08:00:00 GMT
> Content-Type: text/html;charset=UTF-8
> Set-Cookie: JSESSIONID=739A627F3C3DE5933230BE579D7D1693; Secure; HttpOnly
> Transfer-Encoding: chunked
>
> In access_log, I can clearly see:
>
> [18/Feb/2016:15:36:29 +0800] "TRACE / HTTP/1.1" 200 10219 www.domain.com.cn
>
> After I removed this directive and left just the Rewrite directives, the
> redirects are normal.
>
> TRACE / HTTP/1.1
> HOST:www.domain.com.cn
>
> HTTP/1.1 405 TRACE method is not allowed
> Date: Thu, 18 Feb 2016 07:39:40 GMT
> Server: Apache-Coyote/1.1
> X-Frame-Options: SAMEORIGIN
> Allow: OPTIONS
> Content-Length: 0
> Content-Type: text/plain
>
> In access_log
>
> [18/Feb/2016:15:39:32 +0800] "TRACE / HTTP/1.1" 405 - www.domain.com.cn
>
> I think this could indicate that "TraceEnable off" is bugged/not working.
>
> Any thoughts? Please advise.
>
> Thank you
>
> Cheers
>
> Chris
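
A small checker for TRACE probe results like the two captures quoted above, as an added example that is not part of the original messages. It parses a raw response head and reports whether TRACE was refused, whether the reply is a genuine TRACE echo (a 200 with Content-Type `message/http`, per RFC 7231), and which Server banner answered. The function names are hypothetical and the sample inputs are trimmed copies of the thread's responses.

```python
"""Added example: interpret the response to a TRACE probe (not from the thread)."""

# Response heads trimmed from the two captures quoted in the message above.
WITH_TRACEENABLE = """HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
"""
REWRITE_ONLY = """HTTP/1.1 405 TRACE method is not allowed
Server: Apache-Coyote/1.1
Allow: OPTIONS
Content-Length: 0
Content-Type: text/plain
"""


def parse_head(raw):
    """Split a raw response head into (status, reason, lower-cased headers)."""
    lines = [ln.strip() for ln in raw.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("missing HTTP status line")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError("malformed status line: %r" % lines[0])
    headers = {}
    for ln in lines[1:]:
        name, sep, value = ln.partition(":")
        if sep:  # ignore anything that is not "Name: value"
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), (parts[2] if len(parts) > 2 else ""), headers


def assess_trace(raw):
    """Summarise what a TRACE probe's response says about the server."""
    status, _reason, headers = parse_head(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    return {
        "status": status,
        "server": headers.get("server", ""),
        # Refusal codes commonly used for a disabled method.
        "refused": status in (403, 405, 501),
        # A genuine TRACE echo is a 200 whose body is message/http (RFC 7231).
        "echo": status == 200 and ctype == "message/http",
    }


if __name__ == "__main__":
    for label, raw in (("TraceEnable off + rewrite", WITH_TRACEENABLE),
                       ("rewrite only", REWRITE_ONLY)):
        print(label, assess_trace(raw))
```

For the first capture this reports status 200 with `echo` false: the 200 carried a `text/html` page rather than a reflected request, and both captures show the `Apache-Coyote/1.1` banner.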
