I'd like to disable Trace/ Track on apache 1.3.29. Googling on how to do that turns out a lot of results like

Now where exactly should I add it? Should I add it in the Global Section or the DocumentRoot section or VHost section? I have added it up in all the sections but I can still see trace/ track is enabled.

Most of the documentation seems to say that you can put it anywhere in the http config of htaccess files. However, I was tinkering around with the Rewrite rule and noticed if you put it inside the 'ifModule' container it will not work. Once I removed the ifModule container the Rewrite rule worked fine and you'll notice startup takes a little longer which is likely the Rewrite module loading. Also make sure to use 'httpd -t' to verify that your syntax is ok.

If you ever switch to a newer version of Apache (1.3.34+ or 2.0.22+) you should consider using the 'TraceEnable off' directive as it's a much better way of forbidding the Trace method and will use less resources than a Rewrite rule.

Also, as far as I am aware, the TRACK http method is not supported by Apache at all and is a Microsoft IIS thing. A quick test using the TRACK method on any of my Apache servers returns a 501 "Method Not Implemented" Error. So you may want to remove that from your rule.

I tried different ways -

or

doesn't solve the problem.

This is Apache/1.3.29 on OpenBSD running in a chroot environment.

Are you restarting the Apache daemon each time, so that it re-reads the config? Also how are you 'testing' whether the TRACE method works? Are you sure that the Rewrite module is uncommented under the LoadModule directives and is being loaded?

//Moderator note: Since this is a BSD question, I'm going to move this thread to the *BSD forum.

[1] Yup, restarting apache each time; eg "httpd -t" "apachectl stop" "apachectl start"

[2] Yes, testing with nikto

[3] Yes, the rewrite module is uncommented. I have actually compiled the module from source using apxs(8).

Could this be a module permission problem?

/usr/lib/apache/modules/mod_rewrite.so --> has permission of root:bin along with -rwxr-xr-x.

Apache runs on chroot jail.

I been testing and just realized that it behaves differently depending on where you put it.

From a document --

However, if I put it in <Direcroty /> or <Directory /path/to/homepage>, Nikto goes crazy. Should I put it under each and every <Directory ...> then?

I put mine in the global httpd.conf (you can put it in an included file too) and it looks like this:

RewriteEngine on
RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)$
RewriteRule .* - [F]

YMMV of course.

Does it work if you simply put it in the httpd.conf without any container at all?

I've put mine in the either the main or global sections (without any containers at all) and it works equally as well. I would highly recommend against putting it in per-directory containers unless you absolutely need to as it will significantly affect the handling time due to the way Apache maps the requests.

Thanks! This seems to work fine. I have put it in the Main Container. Putting it in the Global Container gives syntax error.

Thanks again guys.