|
Hello, I Just experienced a weird behavior of TraceEnable directive.
Before use this directive, i use mod_rewtire to disable trace and other unwanted HTTP method. Since this directive been added, TRACE method start getting 200 return. Ive tried both jmeter and telnet, the results are same, protection was gone. Im running apache 2.2.27 on a Linux box, I add both TraceEnable directive along with Rewrite directives together, thought it would be “more proper way to dong this” and a double protection related configs in http.conf as follows: TraceEnable off RewriteEngine on RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|PUT|DELETE) RewriteRule .* - [R=405,L] and results as follows: TRACE / HTTP/1.1 HOST:www.domain.com.cn HTTP/1.1 200 OK Date: Thu, 18 Feb 2016 07:36:35 GMT Server: Apache-Coyote/1.1 X-Frame-Options: SAMEORIGIN Pragma: No-cache Cache-Control: no-cache Expires: Thu, 01 Jan 1970 08:00:00 GMT Content-Type: text/html;charset=UTF-8 Set-Cookie: JSESSIONID=739A627F3C3DE5933230BE579D7D1693; Secure; HttpOnly Transfer-Encoding: chunked in access_log, can clearly see [18/Feb/2016:15:36:29 +0800] "TRACE / HTTP/1.1" 200 10219 www.domain.com.cn after I removed this directive, just leave Rewrite directives, redirect are normal. TRACE / HTTP/1.1 HOST:www.domain.com.cn HTTP/1.1 405 TRACE method is not allowed Date: Thu, 18 Feb 2016 07:39:40 GMT Server: Apache-Coyote/1.1 X-Frame-Options: SAMEORIGIN Allow: OPTIONS Content-Length: 0 Content-Type: text/plain In access_log [18/Feb/2016:15:39:32 +0800] "TRACE / HTTP/1.1" 405 - www.domain.com.cn I think this could indicates that "TraceEnable off" is bugged/not working. Any thoughts? please advise.
Thank you Cheers Chris |
|