Sorry, brain cramp there. Tomcat. I see.

I wonder if you've had an opportunity to try this on 2.4 httpd. 2.2.27 is
from nearly 3 years ago.
On Feb 23, 2016 08:30, "Rich Bowen" <rbo...@rcbowen.com> wrote:

> What the heck is Apache-Coyote/1.1?
> On Feb 18, 2016 02:47, "吴昊" <wu...@7500.com.cn> wrote:
>
>> Hello,
>>
>>
>>
>> I just experienced a weird behavior of the TraceEnable directive.
>>
>>
>>
>> Before using this directive, I used mod_rewrite to disable TRACE and other
>> unwanted HTTP methods. Since this directive was added, the TRACE method started
>> getting a 200 return.
>>
>> I've tried both jmeter and telnet; the results are the same, protection was
>> gone.
>>
>>
>>
>> I'm running Apache 2.2.27 on a Linux box. I added the TraceEnable directive
>> along with the Rewrite directives together, thinking it would be a “more proper
>> way to do this” and a double protection.
>>
>>
>>
>> Related configs in http.conf are as follows:
>>
>> TraceEnable off
>> RewriteEngine on
>> RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|PUT|DELETE)
>> RewriteRule .* - [R=405,L]
>>
>>
>>
>> and results as follows:
>>
>>
>>
>> TRACE / HTTP/1.1
>> HOST:www.domain.com.cn
>>
>> HTTP/1.1 200 OK
>> Date: Thu, 18 Feb 2016 07:36:35 GMT
>> Server: Apache-Coyote/1.1
>> X-Frame-Options: SAMEORIGIN
>> Pragma: No-cache
>> Cache-Control: no-cache
>> Expires: Thu, 01 Jan 1970 08:00:00 GMT
>> Content-Type: text/html;charset=UTF-8
>> Set-Cookie: JSESSIONID=739A627F3C3DE5933230BE579D7D1693; Secure; HttpOnly
>> Transfer-Encoding: chunked
>>
>>
>>
>> In access_log, I can clearly see:
>>
>> [18/Feb/2016:15:36:29 +0800] "TRACE / HTTP/1.1" 200 10219 www.domain.com.cn
>>
>>
>>
>> After I removed this directive and left just the Rewrite directives, the
>> redirects are normal.
>>
>>
>>
>> TRACE / HTTP/1.1
>> HOST:www.domain.com.cn
>>
>> HTTP/1.1 405 TRACE method is not allowed
>> Date: Thu, 18 Feb 2016 07:39:40 GMT
>> Server: Apache-Coyote/1.1
>> X-Frame-Options: SAMEORIGIN
>> Allow: OPTIONS
>> Content-Length: 0
>> Content-Type: text/plain
>>
>>
>>
>> In access_log
>>
>> [18/Feb/2016:15:39:32 +0800] "TRACE / HTTP/1.1" 405 - www.domain.com.cn
>>
>>
>>
>>
>>
>> I think this could indicate that "TraceEnable off" is bugged/not working.
>>
>>
>>
>> Any thoughts? Please advise.
>>
>> Thank you
>>
>>
>>
>> Cheers
>>
>>
>>
>> Chris
>>
>>
>>
>
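
An added example (not part of the thread, and not httpd or Tomcat code): a Python check that classifies a raw response to a TRACE probe by status, Content-Type and Server header, run over trimmed copies of the two captures quoted above. It goes slightly beyond the thread by separating a true TRACE echo (Content-Type message/http, RFC 7231 section 4.3.8) from a 2xx that was simply not blocked; the function names and the set of "rejected" status codes are assumptions.

```python
# Added example, not from the thread: classify a raw response to a TRACE probe.
# Function names are hypothetical; samples are trimmed copies of the captures above.

REJECT_CODES = {403, 405, 501}  # assumption: statuses treated as "method refused"

def parse_response(raw):
    """Split a raw HTTP response head into (status, lower-cased header dict)."""
    head = raw.replace("\r\n", "\n").strip().split("\n\n", 1)[0]
    status_line, *header_lines = head.split("\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def assess_trace(raw):
    """Return status, verdict and the Server header of whichever tier answered."""
    status, headers = parse_response(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if status in REJECT_CODES:
        verdict = "rejected"
    elif 200 <= status < 300 and ctype == "message/http":
        verdict = "echoed"               # request looped back: a real TRACE reply
    elif 200 <= status < 300:
        verdict = "accepted-not-echoed"  # not blocked, but body is not an echo
    else:
        verdict = "other"
    return {"status": status, "verdict": verdict,
            "server": headers.get("server", "")}

WITH_TRACEENABLE = """HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
"""

REWRITE_ONLY = """HTTP/1.1 405 TRACE method is not allowed
Server: Apache-Coyote/1.1
Allow: OPTIONS
Content-Length: 0
Content-Type: text/plain
"""

if __name__ == "__main__":
    for label, raw in (("TraceEnable off + rewrite", WITH_TRACEENABLE),
                       ("rewrite only", REWRITE_ONLY)):
        print(label, assess_trace(raw))
```

The `server` field in the result shows which component generated each response, which is the detail the replies at the top of the thread pick up on.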
