3

So I am trying to disable the TRACE method in Apache, which is also the problem in this question: "Disabling TRACE request method on Apache/2.0.52".

I have tried the rewrite rule in the VirtualHost block, Directory block, .htaccess file, etc. In addition, the TraceEnable Off option in httpd.conf does not work.

This is the output of my testing:

[root@localhost user]# nc www.domain.com 80
TRACE / HTTP/1.1
Host: www.domain.com
VAR1:test

HTTP/1.1 200 OK
Date: Wed, 22 Aug 2012 13:37:38 GMT
Server: Apache/2
Transfer-Encoding: chunked
Content-Type: message/http

3c
TRACE / HTTP/1.1
Host: www.domain.com
VAR1: test

0

The rewrite rule is:

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

Any clues of what might be wrong?

Cheers!

OMA
  • Did you ever find a solution to this? I'm facing the exact same issue with Apache 2.3. TraceEnable at the global level does not seem to have any effect. – Griff Oct 18 '12 at 00:19
  • As far as I remember the rewrite rule worked eventually. Please post it here if you get it to work. Do not have access to the server I had problems with now. – OMA Oct 22 '12 at 13:03

2 Answers

4

For apache2 this can be done by adding the following to the main httpd.conf file:

TraceEnable off

You can test if Trace is On/Off using Curl, like:

curl -v -X TRACE http://www.yourserver.com

Ref.: http://www.ducea.com/2007/10/22/apache-tips-disable-the-http-trace-method/

Slipstream
0

These configuration changes are for "Apache/2.2.3 (Linux/SUSE)" / CENTOS.

Edit the file /etc/sysconfig/apache2, look for the line below and add rewrite to the end. It will load the module "mod_rewrite.so". Explanation: in CENTOS the LoadModule config file (/etc/apache2/sysconfig.d/loadmodule.conf) gets overwritten by /usr/sbin/rcapache2.

APACHE_MODULES="apparmor actions alias auth_basic authn_file authz_host authz_groupfile authz_default authz_user authn_dbm autoindex cgi dir env expires include log_config mime negotiation setenvif ssl suexec userdir php5 rewrite"

In /etc/apache2/httpd.conf.local, add/replace the following IfModule statement, so it avoids throwing an error in case the module is not loaded.

<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]
</IfModule>

To test, you can go to http://web-sniffer.net/ and select the TRACE radio button. If it works, you should see a Status: HTTP/1.1 403 Forbidden.

dinnouti
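
A scripted version of the checks the two answers describe (`curl -X TRACE`, and expecting `403 Forbidden`), added here as an example and not part of either answer. The function names and the `X-Trace-Check` header are assumptions made for this example; the 405 case is the status Apache returns when `TraceEnable off` takes effect.

```shell
#!/bin/sh
# Added example (not from the original posts): decide from a raw HTTP
# response whether the server honoured a TRACE request.
#   ENABLED  - 200 and the request was echoed (message/http or marker in body)
#   DISABLED - 403 (the RewriteRule [F]) or 405 (TraceEnable off)
#   UNKNOWN  - anything else, e.g. a redirect or proxy error; inspect by hand

# Reads status line, headers and body on stdin; $1 is an optional marker
# string that was sent in a request header.
classify_trace_response() {
    tr -d '\r' | awk -v marker="${1:-}" '
        NR == 1               { status = $2; next }   # "HTTP/1.1 200 OK" -> 200
        !in_body && /^$/      { in_body = 1; next }   # blank line ends headers
        !in_body && tolower($0) ~ /^content-type:[ \t]*message\/http/ { echoed = 1 }
        in_body && marker != "" && index($0, marker)  { echoed = 1 }
        END {
            if (status == "200" && echoed)               print "ENABLED"
            else if (status == "403" || status == "405") print "DISABLED"
            else                                         print "UNKNOWN"
        }'
}

# Live check: send TRACE with a marker header to the URL in $1.
# The header name X-Trace-Check is an assumption made for this example.
check_trace() {
    marker="trace-check-$$"
    curl -s -i -X TRACE -H "X-Trace-Check: $marker" "$1" |
        classify_trace_response "$marker"
}

# Response headers and echoed request as shown in the question's nc output.
sample_enabled() {
    printf '%s\r\n' 'HTTP/1.1 200 OK' 'Server: Apache/2' \
        'Content-Type: message/http' '' \
        'TRACE / HTTP/1.1' 'Host: www.domain.com' 'VAR1: test'
}

# Constructed sample: what the rewrite rule with [F] should produce.
sample_forbidden() {
    printf '%s\r\n' 'HTTP/1.1 403 Forbidden' 'Server: Apache/2' \
        'Content-Type: text/html; charset=iso-8859-1' '' '<h1>Forbidden</h1>'
}
```

Call `check_trace` with the URL of each site the server hosts after reloading Apache, so a change that only reached one configuration context shows up as `ENABLED` on the others.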