Old 02-26-2008, 05:31 AM   #1
bzlaskar
Member
 
Registered: May 2006
Location: Bangalore, INDIA
Distribution: Fedora Core
Posts: 69
Blog Entries: 2

Rep: Reputation: 16
Disabling HTTP TRACE method in Apache


Greetings,

I am trying to disable the HTTP TRACE method in Apache.
For that I add the following configuration lines in httpd.conf


<Directory />
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
</Directory>

After that I tried to check whether the TRACE method is disabled or not,
using the following commands.

telnet 172.16.16.25 80
Trying 172.16.16.25...
Connected to 172.16.16.25 (172.16.16.25).
Escape character is '^]'.
TRACE / HTTP/1.1
Host: 172.16.16.25

HTTP/1.1 200 OK
Date: Tue, 26 Feb 2008 21:06:29 GMT
Server: Apache
Transfer-Encoding: chunked
Content-Type: message/http

28
TRACE / HTTP/1.1
Host: 172.16.16.25

0

Connection closed by foreign host.

The output confirms that the TRACE method was not disabled.
Please clarify for me how to disable the HTTP TRACE method.
I am using the following Apache version:

Server version: Apache/2.2.8 (Unix)
Server built: Feb 18 2008 12:23:43

With Thanks in Advance.

regards
zaman
 
Old 02-27-2008, 07:18 AM   #2
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,907

Rep: Reputation: 1326
In newer apache servers you can use
Code:
TraceEnable Off
 
Old 02-27-2008, 06:47 PM   #3
mlnutt
Member
 
Registered: May 2006
Posts: 34

Rep: Reputation: 15
I never got those three rewrite lines (that everybody on the internet cites) to work. I finally resorted to mod_security. It's good to know now about TraceEnable...but does it actually work...
 
Old 02-27-2008, 08:08 PM   #4
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,123

Rep: Reputation: 151Reputation: 151
I use TraceEnable off here and it works fine. I used to use RewriteCond/RewriteRule, but my notes don't have the date for when I changed.
 
Old 01-20-2010, 02:05 PM   #5
Thasaidon
LQ Newbie
 
Registered: Aug 2006
Posts: 20

Rep: Reputation: 0
Hi,

I recently found out I have the same problem with Apache.
The only drawback is, I'm running an older version of Apache
Apache/1.3.27 (Unix) mod_perl/1.27 PHP/4.3.1 mod_mp3/0.39
so the TraceEnable Off is not an option for me.

Has anybody got the rewrite method to work?
because no matter what I try, it just doesn't seem to work.

btw...
upgrading Apache is not an option because I'm running Freesco Linux with a very old kernel.
 
Old 01-20-2010, 05:10 PM   #6
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,907

Rep: Reputation: 1326
Hi,

It looks like TraceEnable is available for apache version > 1.3.34, so consider upgrading if it's possible.
Regarding the mod_rewrite way to block TRACE, it also works, but you have to put the directives outside a <Directory ...> </Directory> definition, as opposed to post #1.

Regards
 
Old 01-21-2010, 05:43 AM   #7
Thasaidon
LQ Newbie
 
Registered: Aug 2006
Posts: 20

Rep: Reputation: 0
Quote:
Originally Posted by bathory View Post
Hi,

It looks like TraceEnable is available for apache version > 1.3.34, so consider upgrading if it's possible
Regarding the mod_rewrite way to block TRACE, it also works, but you have to put the directives outside a <Directory ...> </Directory> definition, as opposed to post #1.

Regards
The problem is, Apache 1.3.27 is the only Apache package available for Freesco Linux (as far as I know), so upgrading is a no-go because I've got no experience with compiling whatsoever.

As for putting the 3 lines of code outside a </Dir...,
I've tried...
Code:
<Directory />
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
</Directory>
and
Code:
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]
</IfModule>
and even
Code:
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]
And I've tried it in various places in my httpd.conf. At the start, bottom and other places.
But each time I restarted Apache (or the machine) it didn't work.
 
Old 01-21-2010, 06:05 AM   #8
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,907

Rep: Reputation: 1326
Hi,

I've just downloaded apache-1.3.27, compiled it using --enable-module=so --enable-module=rewrite and tested the rewrite rule. And it works!!!
I've added the directives just after the closing <Directory> tag of the DocumentRoot:
Code:
DocumentRoot "/opt/apache/htdocs"
...
<Directory "/opt/apache/htdocs">
Options Indexes FollowSymLinks MultiViews
...
</Directory>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
Note that you need "Options FollowSymLinks" for mod_rewrite.

Regards
 
Old 01-22-2010, 02:15 AM   #9
Thasaidon
LQ Newbie
 
Registered: Aug 2006
Posts: 20

Rep: Reputation: 0
Well, despite some differences everything that is needed seems to be there. This is my original httpd.conf in /usr/local/apache/conf
Code:
...

LoadModule vhost_alias_module libexec/mod_vhost_alias.so
LoadModule rewrite_module     libexec/mod_rewrite.so     <<<<<-----
LoadModule proxy_module       libexec/libproxy.so
LoadModule info_module        libexec/mod_info.so
LoadModule mp3_module         libexec/mod_mp3.so

...

ClearModuleList
AddModule mod_vhost_alias.c
AddModule mod_env.c
AddModule mod_log_config.c
AddModule mod_mime.c
AddModule mod_negotiation.c
AddModule mod_status.c
AddModule mod_include.c
AddModule mod_autoindex.c
AddModule mod_dir.c
AddModule mod_cgi.c
AddModule mod_asis.c
AddModule mod_imap.c
AddModule mod_actions.c
AddModule mod_userdir.c
AddModule mod_alias.c
AddModule mod_rewrite.c     <<<<<-----
AddModule mod_access.c
AddModule mod_auth.c
AddModule mod_proxy.c
AddModule mod_so.c
AddModule mod_setenvif.c
AddModule mod_info.c
AddModule mod_mp3.c

<IfDefine SSL>
#AddModule mod_ssl.c
AddModule mod_php4.c
AddModule mod_perl.c
</IfDefine>
# must be last!
AddModule mod_dosevasive.c

...

DocumentRoot "/www"

#
# Each directory to which Apache has access, can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
#
# First, we configure the "default" to be a very restrictive set of
# permissions.
#
<Directory />
    Options FollowSymLinks     <<<<<-----
    AllowOverride None
</Directory>

#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#

#
# This should be changed to whatever you set DocumentRoot to.
#
<Directory "/www">

#
# This may also be "None", "All", or any combination of "Indexes",
# "Includes", "FollowSymLinks", "ExecCGI", or "MultiViews".
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
    Options Indexes FollowSymLinks MultiViews     <<<<<-----

#
# This controls which options the .htaccess files in directories can
# override. Can also be "All", or any combination of "Options", "FileInfo",
# "AuthConfig", and "Limit"
#
    AllowOverride All

#
# Controls who can get stuff from this server.
#
    Order allow,deny
    Allow from all
</Directory>
So I added the 3 lines right below the </Directory> part, but that didn't work.
I also changed the lines according to what you quoted in your post, but again... it didn't work.

If you want to have a look at my full httpd.conf, just let me know.

Running Freesco Linux 0.3.8 (www.freesco.org)
Kernel 2.0.39
Apache 1.3.27 (Unix) mod_perl/1.27 PHP/4.3.1 mod_mp3/0.39
Perl 5.6.1
Mysql 3.23.37

Thanx for the help so far.

Last edited by Thasaidon; 01-22-2010 at 02:54 AM.
 
Old 01-22-2010, 03:30 AM   #10
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,907

Rep: Reputation: 1326
Is mod_rewrite compiled as a module or is it static? Because you don't need both "LoadModule rewrite_module libexec/mod_rewrite.so" and "AddModule mod_rewrite.c". What gives:
Code:
httpd -l|grep rewrite
Anyway you can add mod_rewrite logging and look what rewrite does:
Code:
RewriteLogLevel 9
RewriteLog logs/rewrite_log
 
Old 01-23-2010, 04:23 AM   #11
Thasaidon
LQ Newbie
 
Registered: Aug 2006
Posts: 20

Rep: Reputation: 0
Quote:
Originally Posted by bathory View Post
Is mod_rewrite compiled as a module or it's static.
Well, that's where my knowledge ends.

Quote:
What gives:
Code:
httpd -l|grep rewrite
Well on Freesco that gives nothing because I think it's actually thttpd that is running the show, and it's called by rc_httpd.
So I'm not sure how to get this info.

Quote:
Anyway you can add mod_rewrite logging and look what rewrite does:
Code:
RewriteLogLevel 9
RewriteLog logs/rewrite_log
I added these lines and restarted the webserver, but all this does is create the rewrite_log file in /usr/local/apache/logs. But the file stays empty (0 bytes), even after trying the trace command several times.
 
Old 01-23-2010, 07:52 AM   #12
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,907

Rep: Reputation: 1326
Oops, you don't run apache, but thttpd!!!
So everything in the above post will not work, because it's specific to apache.
I've read that there is an apache package for Freesco, if you want to install and use it instead of thttpd.

Regards
 
Old 01-24-2010, 03:05 AM   #13
Thasaidon
LQ Newbie
 
Registered: Aug 2006
Posts: 20

Rep: Reputation: 0
Quote:
Originally Posted by bathory View Post
Oops, you don't run apache, but thttpd!!!
So everything in the above post will not work, because it's specific to apache.
Well, Freesco is a different story and I'm not sure how things actually run. (That's the n00b part in me)
And I think I might have made a false conclusion...

Freesco can run 2 web servers.
One public on port 80 (www)
and one private (for setup and control) on port 82 (wwa).

When having installed Apache, it seems the public server (httpd) is replaced by Apache.
whilst the private server is still running thttpd.
And it seems that rc-httpd calls them both...
Code:
[n00b@linux]rc_httpd status
Running control http server:
  3207   S      1               thttpd  thttpd-p82-uroot-d/wwa
  3240   S      1               httpd   /usr/local/apache/bin/httpd-DSSL
  3254   S      3240            httpd   /usr/local/apache/bin/httpd-DSSL
  3255   S      3240            httpd   /usr/local/apache/bin/httpd-DSSL
  4596   S      3240            httpd   /usr/local/apache/bin/httpd-DSSL

                 Apache Server Status for thasaidon.homeip.net

   Server Version: Apache/1.3.27 (Unix) mod_perl/1.27 PHP/4.3.1
   mod_mp3/0.39
   Server Built: Apr 13 2003 12:43:15
     _________________________________________________________________

   Current Time: Sunday, 24-Jan-2010 11:09:02 ???
   Restart Time: Sunday, 24-Jan-2010 05:11:36 ???
   Parent Server Generation: 0
   Server uptime: 5 hours 57 minutes 26 seconds
   1 requests currently being processed, 2 idle servers
W__.............................................................
................................................................
................................................................
................................................................

   Scoreboard Key:
   "_" Waiting for Connection, "S" Starting up, "R" Reading Request,
   "W" Sending Reply, "K" Keepalive (read), "D" DNS Lookup,
   "L" Logging, "G" Gracefully finishing, "." Open slot with no current
   process
[n00b@linux]
So yes, Apache is definitely installed and running on Freesco.

Sorry about the confusion I caused

Last edited by Thasaidon; 01-24-2010 at 03:14 AM.
 
Old 01-24-2010, 03:18 PM   #14
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,907

Rep: Reputation: 1326
So since it's apache running on port 80 and "httpd -l|grep rewrite" gives nothing, then mod_rewrite is compiled as a DSO.
Comment out the "AddModule mod_rewrite.c" and restart apache using:
Code:
/usr/local/apache/bin/apachectl restart
to rule out any strange options that rc_httpd may use.
How do you do your tests? I'm using:
Code:
telnet x.x.x.x 80
TRACE / HTTP/1.0
host: whatever
<enter>
 
Old 01-25-2010, 08:22 AM   #15
Thasaidon
LQ Newbie
 
Registered: Aug 2006
Posts: 20

Rep: Reputation: 0
If I comment out the line "AddModule mod_rewrite.c" and restart Apache,
Apache complains about errors in the config.
These errors are about the lines:
Code:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
RewriteLogLevel 9
RewriteLog /usr/local/apache/logs/rewrite_log
So I commented them out too.

I restarted Apache, and now it seems to have started OK,
but when I run an "apache statustest" I get this:
Code:
[n00b@linux] apache configtest
Syntax OK
[Mon Jan 25 16:18:08 2010] [error] Cannot remove module mod_rewrite.c: not found in module list
[n00b@linux]
So it would seem that mod_rewrite.c is required...
Code:
[n00b@linux] apache stop
Stopping Apache...                      /usr/local/apache/bin/apachectl stop: httpd stopped
Done
[n00b@linux] apache start
Starting Apache...                      [: syntax error
/usr/local/apache/bin/apachectl start: httpd started
Done  Port 80
[n00b@linux] apache configtest
Syntax OK
[Mon Jan 25 16:28:26 2010] [error] Cannot remove module mod_rewrite.c: not found in module list
[n00b@linux]
As for testing, I found this "problem" when I was fooling around with w3af (w3af.sourceforge.net) on my Ubuntu laptop,
but to do a quick test, I too use telnet.
Code:
telnet 127.0.0.1 80
TRACE / HTTP/1.1 [enter]
Host: 127.0.0.1 [enter]
testing123 [enter]
testing123 [enter]
which gives the "testing123" back in the trace.
Code:
telnet 127.0.0.1 80
TRACE / HTTP/1.1
Host: 127.0.0.1
testing123
testing123
HTTP/1.1 400 Bad Request
Date: Mon, 25 Jan 2010 16:21:09 GMT
Server: Apache/1.3.27 (Unix) mod_perl/1.27 PHP/4.3.1 mod_mp3/0.39
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

173
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>400 Bad Request</TITLE>
</HEAD><BODY>
<H1>Bad Request</H1>
Your browser sent a request that this server could not understand.<P>
Request header field is missing colon separator.<P>
<PRE>
testing123</PRE>
<P>
<HR>
<ADDRESS>Apache/1.3.27 Server at thasaidon.homeip.net Port 80</ADDRESS>
</BODY></HTML>

0

Connection closed by foreign host.

Last edited by Thasaidon; 01-25-2010 at 08:30 AM.
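
A scripted version of the telnet check used in posts #1, #14 and #15, as an added example that is not part of the original thread. It sends a well-formed TRACE request and classifies the reply, separating a real echo (200 with message/http) from a 403 (what RewriteRule [F] sends), a 405 (what TraceEnable Off sends) and a 400, which only means the probe itself was malformed, as with the colon-less "testing123" lines in post #15. The function names and the X-Trace-Check header are assumptions made for the example; POST1 is the response shown in post #1 and the other sample replies are constructed.

```python
import socket

MARKER = "X-Trace-Check: constructed-marker"  # hypothetical header, assumption

def build_probe(host):
    """Well-formed TRACE request: every header line carries a colon."""
    return (f"TRACE / HTTP/1.1\r\nHost: {host}\r\n{MARKER}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")

def classify(raw):
    """Map a raw HTTP response to a TRACE probe onto a verdict string."""
    head = raw.partition(b"\r\n\r\n")[0]
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return "inconclusive: not an HTTP response"
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip().lower()
    if status == 200 and headers.get("content-type", "").startswith("message/http"):
        return "enabled: request echoed back as message/http"
    if status == 403:
        return "blocked: 403 Forbidden (what RewriteRule [F] sends)"
    if status == 405:
        return "blocked: 405 Method Not Allowed (what TraceEnable Off sends)"
    if status == 400:
        return "inconclusive: 400 Bad Request, the probe was malformed"
    return f"inconclusive: unexpected status {status}"

def probe(host, port=80, timeout=5.0):
    """Send the probe to a server you administer and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_probe(host))
        chunks = []
        while (data := sock.recv(4096)):
            chunks.append(data)
    return classify(b"".join(chunks))

# Response from post #1 of the thread (rewrite rule inside <Directory />).
POST1 = (b"HTTP/1.1 200 OK\r\nServer: Apache\r\nTransfer-Encoding: chunked\r\n"
         b"Content-Type: message/http\r\n\r\n28\r\nTRACE / HTTP/1.1\r\n"
         b"Host: 172.16.16.25\r\n\r\n0\r\n\r\n")
# Constructed replies for the two blocking mechanisms and the post #15 case.
CONSTRUCTED = [b"HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n",
               b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET\r\n\r\n",
               b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n"]

if __name__ == "__main__":
    for sample in [POST1] + CONSTRUCTED:
        print(classify(sample))
```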
 
  

