Sorry, brain cramp there. Tomcat. I see.

I wonder if you've had an opportunity to try this on 2.4 httpd. 2.2.27 is from nearly 3 years ago.

On Feb 23, 2016 08:30, "Rich Bowen" <rbo...@rcbowen.com> wrote:

> What the heck is Apache-Coyote/1.1
>
> On Feb 18, 2016 02:47, "吴昊" <wu...@7500.com.cn> wrote:
>
>> Hello,
>>
>> I just experienced a weird behavior of the TraceEnable directive.
>>
>> Before using this directive, I used mod_rewrite to disable TRACE and other
>> unwanted HTTP methods. Since this directive was added, the TRACE method
>> started getting a 200 return.
>>
>> I've tried both jmeter and telnet; the results are the same, protection was
>> gone.
>>
>> I'm running Apache 2.2.27 on a Linux box. I added the TraceEnable directive
>> along with the Rewrite directives together; I thought it would be a “more
>> proper way to do this” and a double protection.
>>
>> Related configs in http.conf as follows:
>>
>> TraceEnable off
>> RewriteEngine on
>> RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|PUT|DELETE)
>> RewriteRule .* - [R=405,L]
>>
>> and results as follows:
>>
>> TRACE / HTTP/1.1
>> HOST:www.domain.com.cn
>>
>> HTTP/1.1 200 OK
>> Date: Thu, 18 Feb 2016 07:36:35 GMT
>> Server: Apache-Coyote/1.1
>> X-Frame-Options: SAMEORIGIN
>> Pragma: No-cache
>> Cache-Control: no-cache
>> Expires: Thu, 01 Jan 1970 08:00:00 GMT
>> Content-Type: text/html;charset=UTF-8
>> Set-Cookie: JSESSIONID=739A627F3C3DE5933230BE579D7D1693; Secure; HttpOnly
>> Transfer-Encoding: chunked
>>
>> In access_log, I can clearly see:
>>
>> [18/Feb/2016:15:36:29 +0800] "TRACE / HTTP/1.1" 200 10219 www.domain.com.cn
>>
>> After I removed this directive and left just the Rewrite directives, the
>> redirects are normal.
>>
>> TRACE / HTTP/1.1
>> HOST:www.domain.com.cn
>>
>> HTTP/1.1 405 TRACE method is not allowed
>> Date: Thu, 18 Feb 2016 07:39:40 GMT
>> Server: Apache-Coyote/1.1
>> X-Frame-Options: SAMEORIGIN
>> Allow: OPTIONS
>> Content-Length: 0
>> Content-Type: text/plain
>>
>> In access_log:
>>
>> [18/Feb/2016:15:39:32 +0800] "TRACE / HTTP/1.1" 405 - www.domain.com.cn
>>
>> I think this could indicate that "TraceEnable off" is bugged/not working.
>>
>> Any thoughts? Please advise.
>>
>> Thank you
>>
>> Cheers
>>
>> Chris