On 7/20/05, Karasulu, Alex <akarasulu@xxxxxxxxxxxxxxxxxxxx> wrote:
> In Apache 1.3 TraceEnable off was a valid option but it does not seem to
> be carried into 2.0?
TraceEnable was added only very recently to 1.3 and in fact is not in
any released version. Although it can be used to disable TRACE, its
main purpose is actually to enable extended TRACEing for debugging
purposes. It will probably make it into 2.0 in the near future.
>
> The only option available is a rewrite which has to go into 100's of our
> virtual host files and this means:
>
> 1. Allot of work
> 2. Dealing with mod rewrite
>
> Here's what we do today to get around not having TraceEnable in 2.0:
>
> RewriteEngine on
> ReWriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
> ReWriteRule .* - [F]
Obviously you're reading some garbage suggestion from a silly security
scanner, since apache httpd has no "TRACK" method.
Really, you are wasting your time with this. For some reasonable
information see:
http://www.apacheweek.com/issues/03-01-24#news
But to directly answer your question, no there is no other method that
I know of to restrict TRACE in apache httpd.
Joshua.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
" from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|