
We're using Passenger 4.0.59 behind Apache 2.2 (CentOS 6.latest) with Rails 3.2.

In /etc/httpd/conf/httpd.conf we have:

TraceEnable off

We have one virtual host configured in httpd.conf and a second virtual host configured in /etc/httpd/conf.d/ssl.conf that's configured with Passenger.

I'm using commands of this form to test:

curl -I -X {method} https://{host}/{resource}

...and seeing the following behavior:

  1. When I TRACE a static image over http, i.e. http://host.domain.com/images/foo.png, I get a 405 response (as expected).

  2. When I TRACE the same static image over https, meaning it goes through the virtual host configured with Passenger, I get 405 (as expected).

  3. However, when I TRACE a Rails service in our app, e.g. https://host.domain.com/status.json, I get a 200 response w/ valid data.

I would expect Apache to shut down the request and return a 405 response before it even gets to Passenger/Rails, but that isn't happening.

What am I missing / misunderstanding?

jph
  • After reading [this thread](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=543577#30), can you grep all your Apache config under `/etc/apache` to ensure that there is NO other `TraceEnable` option that would set it to `on`? E.g. in `security.conf`? If not, can you post more relevant parts of your http config, including both of your virtual servers? – Matouš Borák Mar 19 '16 at 18:35

1 Answer


What am I missing / misunderstanding?

TraceEnable off is the correct directive to use, but you may have another TraceEnable directive elsewhere in your configs.

You should check all of your Apache config files to be sure there are no other TraceEnable directives.

Since the TraceEnable directive can be used within either the server config or the virtual host config, you may just want to add it to both.

Tim Penner