Hi,

I have a quick question regarding multiple mod_rewrite rules. Our security nazis have told us that we need to disable the HTTP TRACE method on our servers. The version we are using (2.0.52-41.ent, i.e. RedHat's rpm) doesn't have the TraceEnable option so we need to use the RewriteRule method.

We have one server, though, that already has a RewriteRule in place; this rule forces all connections from http (port 80) to https (port 443). If I put the trace rule ahead of this rule, then this redirection ceases to function. If I put the trace rule after it, I get back a 302 Found (Document moved) message - which according to the security folks is still a 'vulnerable' system. I don't want to argue about the stupidity of that, I agree it's a stupid point of view. I just need to get this to pass the annoying security review.

Here are the two rules that I'm trying to make work together (both are in /etc/httpd/conf/httpd.conf):

    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^/(.*)$ https://pps-mail.nascom.nasa.gov/$1 [L,R]

There is an [L] option in this rewrite rule which means that it will be the last one to be executed. Any following rewrite rules will be disregarded, so just try and remove the [L]. The order has to be kept, though, because if you put the TRACE rule ahead of the other one, the client will get a 403 Forbidden, so there won't be any further request and thus no redirection.

Sascha

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
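
A way to confirm what each port actually returns for TRACE after changing the rule order, as an added example that is not part of either message above. The `X-Trace-Check` header name, the marker value and the sample replies are constructed for illustration.

```python
"""Classify a server's reply to an HTTP TRACE request (added example)."""
import http.client

MARKER = "trace-check-1234"  # constructed value, sent in a request header


def classify_trace(status, content_type, body, marker=MARKER):
    """Return 'enabled', 'redirected', 'blocked' or 'other' for a TRACE reply.

    A server that honours TRACE echoes the request back in a message/http
    body, so finding our marker header in the body proves the echo.
    """
    echoed = content_type.lower().startswith("message/http") or marker in body
    if status == 200 and echoed:
        return "enabled"
    if status in (301, 302, 303, 307, 308):
        return "redirected"  # e.g. the port 80 -> 443 rule answered first
    if status in (403, 405, 501):
        return "blocked"     # 403 is what a RewriteRule with [F] returns
    return "other"


def probe(host, port, use_tls=False, marker=MARKER):
    """Send one TRACE request to host:port and classify the reply."""
    cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=10)
    try:
        conn.request("TRACE", "/", headers={"X-Trace-Check": marker})
        resp = conn.getresponse()
        body = resp.read(4096).decode("latin-1")
        return classify_trace(resp.status, resp.getheader("Content-Type", ""), body, marker)
    finally:
        conn.close()


# Constructed sample replies: (status, Content-Type, body)
SAMPLES = {
    "TRACE echoed": (200, "message/http",
                     "TRACE / HTTP/1.1\r\nHost: www.example.test\r\n"
                     "X-Trace-Check: trace-check-1234\r\n\r\n"),
    "redirect answered": (302, "text/html; charset=iso-8859-1", "<title>302 Found</title>"),
    "forbidden answered": (403, "text/html; charset=iso-8859-1", "<title>403 Forbidden</title>"),
}


def classify_samples():
    return {name: classify_trace(s, ct, b) for name, (s, ct, b) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name}: {verdict}")
```

Running `probe()` once against port 80 and once against port 443 (with `use_tls=True`) shows whether both listeners give the same answer.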