
I've tried multiple methods to disable the TRACE method on my Apache webserver but for some reason it's disabled for port 443 but not port 80.

I've added the following directive to the top of my configuration file:

TraceEnable off

Then I added the following to both the :80 and :443 VirtualHost blocks:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS|DELETE)
RewriteRule .* - [F]

When I run a curl --insecure -v -X TRACE on my webserver, I properly get a 403 Forbidden for https, but a 200 OK for http. It might be important to note that I do have a redirect permanent for all http connections to https. This webserver is also running as a reverse proxy. Edit: I tried changing the redirect permanent to a mod_rewrite rule and it still fails the curl TRACE test.

Config file:

NameVirtualHost XX.XX.XX.XX:80
NameVirtualHost XX.XX.XX.XX:443

SSLSessionCache "shm:logs/ssl_scache(512000)"

Timeout 2400
ProxyTimeout 2400
ProxyBadHeader Ignore

FileETag None

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
Header always append X-Frame-Options SAMEORIGIN
Header set X-XSS-Protection "1; mode=block"

TraceEnable off

<VirtualHost XX.XX.XX.XX:80>
   ServerName www.xxxxxxx.com:80
   ServerAlias www.xxxxxx.com
   ServerAdmin localhost@root
   RewriteEngine On
   RewriteCond %{HTTPS} !=on
   RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R]
   RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS|DELETE)
   RewriteRule .* - [F]


   ErrorLog "|/usr/sbin/rotatelogs /etc/httpd/logs/error.%Y-%m-%d.log 86400"
   CustomLog "|/usr/sbin/rotatelogs /etc/httpd/logs/access.%Y-%m-%d.log 86400" common

   #Redirect permanent / https://www.xxxxxxx.com:443/
</VirtualHost>

<VirtualHost XX.XX.XX.XX:443>
    Options Includes FollowSymLinks MultiViews
    ServerName www.xxxxxxxx.com:443
    ServerAlias www.xxxxxxxx.com
    ServerAdmin localhost@root

    SSLProxyEngine On
    SSLEngine On
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    SSLCertificateFile "/etc/httpd/ssl_certs/xxxxx.crt"
    SSLCertificateKeyFile "/etc/httpd/ssl_certs/server.key"
    SSLCertificateChainFile "/etc/httpd/ssl_certs/Apache_Plesk_Install.txt"

    ErrorLog "|/usr/sbin/rotatelogs /etc/httpd/logs/error.%Y-%m-%d.log 86400"
    CustomLog "|/usr/sbin/rotatelogs /etc/httpd/logs/access.%Y-%m-%d.log 86400" common

    RewriteEngine On
    RewriteCond %{THE_REQUEST} !HTTP/1.1$
    RewriteRule .* - [F]
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS|DELETE)
    RewriteRule .* - [F]
    ProxyPreserveHost On
    <Location />
        ProxyPass https://XX.XX.XX.XX/ Keepalive=On
        ProxyPassReverse https://XX.XX.XX.XX/
        Order allow,deny
        Allow from all
    </Location>
</VirtualHost>

1 Answer

I know that I'm pretty late on this, but here is the answer for someone who might need it in the future. The problem is in the config file: if you notice, the questioner is using the following redirect conditions:

RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R]

to redirect HTTP traffic to HTTPS, and this forces the server to redirect to the HTTPS protocol and ignore everything below these lines. Hence he is unable to disable the TRACE method on his HTTP requests. So the fix is to move the trace comment above the redirect, like so:

RewriteEngine On
# A RewriteCond only applies to the RewriteRule directly after it, so the
# method check and its [F] rule must stay together and come before the redirect.
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS|DELETE)
RewriteRule .* - [F]
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R]
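To verify a fix like the one above on both ports, the curl -X TRACE test from the question can be scripted and its outcome classified, so that a 3xx redirect on port 80 is reported as "redirect" (the request is then re-tested over HTTPS) rather than mistaken for a block. This is an added example, not code from the question or the answer; the host name and the sample responses in the comments are constructed, and `check_host`/`classify` are names chosen here.

```python
"""Check whether an Apache vhost really refuses HTTP TRACE on ports 80 and 443.

Added example. Reproduces the question's `curl --insecure -v -X TRACE` check
in Python and classifies the result per port. Verdict names are constructed.
"""
import http.client
import ssl

BLOCKED = "blocked"    # 403 (the [F] rule) or 405 (TraceEnable off)
REDIRECT = "redirect"  # 3xx: not a block; the client retries over HTTPS
ECHOED = "echoed"      # 200 whose message/http body mirrors the request: TRACE is live
OTHER = "other"        # 200 without an echo (e.g. answered by the proxied backend), etc.


def classify(status: int, content_type: str, body: bytes) -> str:
    """Map one TRACE response to a verdict (pure function, unit-testable offline)."""
    if status in (403, 405):
        return BLOCKED
    if 300 <= status < 400:
        return REDIRECT
    # A real TRACE reply has Content-Type message/http and starts with the request line.
    if status == 200 and "message/http" in content_type.lower() and body.startswith(b"TRACE "):
        return ECHOED
    return OTHER


def trace_once(host: str, port: int, tls: bool = False, verify: bool = True):
    """Send one TRACE / request and return (status, verdict)."""
    if tls:
        ctx = ssl.create_default_context()
        if not verify:  # equivalent of curl --insecure for self-signed test hosts
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        conn.request("TRACE", "/", headers={"Host": host})
        resp = conn.getresponse()
        body = resp.read(4096)
        return resp.status, classify(resp.status, resp.getheader("Content-Type", ""), body)
    finally:
        conn.close()


def check_host(host: str, verify: bool = True) -> dict:
    """Return {port: (status, verdict)} for the plain and TLS vhosts."""
    return {80: trace_once(host, 80), 443: trace_once(host, 443, tls=True, verify=verify)}


if __name__ == "__main__":
    import sys
    for port, (status, verdict) in check_host(sys.argv[1], verify=False).items():
        print(f"port {port}: HTTP {status} -> {verdict}")
```

Run it as `python3 trace_check.py www.example.com`; both ports should report `blocked`, and a `redirect` on port 80 means the method check is still sitting below the HTTPS redirect.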