Hello All,

I have a quick question regarding multiple mod_rewrite rules. Our security nazis have told us that we need to disable the HTTP TRACE method on our servers. The version we are using (2.0.52-41.ent, i.e. RedHat's rpm) doesn't have the TraceEnable option, so we need to use the RewriteRule method.

We have one server, though, that already has a RewriteRule in place; this rule forces all connections from http (port 80) to https (port 443). If I put the trace rule ahead of this rule, then this redirection ceases to function. If I put the trace rule after it, I get back a 302 Found (Document moved) message - which according to the security folks is still a 'vulnerable' system. I don't want to argue about the stupidity of that, I agree it's a stupid point of view. I just need to get this to pass the annoying security review.

Here are the two rules that I'm trying to make work together (both are in /etc/httpd/conf/httpd.conf):

    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^/(.*)$ https://pps-mail.nascom.nasa.gov/$1 [L,R]

    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]

Any help would be greatly appreciated.

-Tony
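An added example, not part of the original post and not Apache's code: a simplified Python model of how mod_rewrite walks the two rule sets quoted above, run over constructed requests for both orderings. The `evaluate` and `check_order` helpers and the rule dictionaries are assumptions of this sketch; it models only conditions guarding the next rule and the [F] and [L,R] flags.

```python
import re

# Simplified model of mod_rewrite in server context (an assumption of this
# example, not Apache code): a RewriteCond list guards only the rule that
# follows it; [F] answers 403 at once; the [L,R] rule answers 302 and stops.
TRACE_RULE = {"conds": [("method", r"^TRACE", False)], "pattern": r".*",
              "subst": "-", "flags": {"F"}}
HTTPS_RULE = {"conds": [("port", r"^443$", True)], "pattern": r"^/(.*)$",
              "subst": "https://pps-mail.nascom.nasa.gov/$1", "flags": {"L", "R"}}


def evaluate(rules, method, port, path):
    """Return (status, location) that the rule list produces for one request."""
    request = {"method": method, "port": str(port)}
    for rule in rules:
        # Every condition must hold; negated=True models the leading "!".
        conds_ok = all(
            (re.search(regex, request[var]) is None) == negated
            for var, regex, negated in rule["conds"]
        )
        match = re.search(rule["pattern"], path)
        if not (conds_ok and match):
            continue
        if "F" in rule["flags"]:
            return 403, None
        if "R" in rule["flags"]:
            return 302, rule["subst"].replace("$1", match.group(1))
    return 200, None  # no rule fired; request goes on to normal handling


def check_order(rules):
    """Statuses for three constructed requests a TRACE review would send."""
    return {
        "TRACE on 80": evaluate(rules, "TRACE", 80, "/")[0],
        "TRACE on 443": evaluate(rules, "TRACE", 443, "/")[0],
        "GET on 80": evaluate(rules, "GET", 80, "/inbox")[0],
    }


if __name__ == "__main__":
    for name, rules in (("redirect first", [HTTPS_RULE, TRACE_RULE]),
                        ("TRACE first", [TRACE_RULE, HTTPS_RULE])):
        print(name, check_order(rules))
```

In this model the redirect-first order reproduces the 302 answer to TRACE on port 80 described in the post, because the [L,R] rule fires before the TRACE condition is ever evaluated.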