Posted to users@httpd.apache.org by James Pifer <je...@obrien-pifer.com> on 2005/01/19 16:49:24 UTC
[users@httpd] disabling Trace
Sorry for the repeat topic, but I've searched the archive and Google and
found a lot of stuff on the issue of Trace with Apache. Early 2004 it
seemed like most people with knowledge of Apache thought it was a lot
about nothing and that having it enabled was not a big deal, even more
of a browser issue.
Well, I have a web server that got hit by an audit and besides updating
Apache to 2.0.52, they "suggested" disabling the Trace methods. We don't
use it, and since it's been "suggested" I just want to do it and be
done. I've tried doing what they say, as well as what Nessus says to do,
but then Apache2 will not start.
I added the Rewrite commands in the VirtualHost sections.
<VirtualHost *:80>
ServerAdmin admin@packagingcorp.com
DocumentRoot "E:/Program Files/Apache Group/Apache2/htdocs"
ServerName www.packagingcorp.com
ErrorLog logs/www.packagingcorp.com-error_log
CustomLog logs/www.packagingcorp.com-access_log common
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
</VirtualHost>
<VirtualHost *:80>
ServerAdmin admin@packagingcorp.com
DocumentRoot "E:/Program Files/Apache Group/Apache2/htdocs/tref"
ServerName tref.packagingcorp.com
ErrorLog logs/tref.packagingcorp.com-error_log
CustomLog logs/tref.packagingcorp.com-access_log common
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
</VirtualHost>
Can anyone tell me what I'm doing wrong?
Also, I saw some people say don't trust Nessus and manually check to see
if trace is running, but I have yet to find an explanation of how to do
it. I know to telnet to the web server, but after that I don't know.
Thanks,
James
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] disabling Trace
Posted by Rich Bowen <rb...@rcbowen.com>.
James Pifer wrote:
| Well, I have a web server that got hit by an audit and besides updating
| Apache to 2.0.52, they "suggested" disabling the Trace methods. We don't
| use it, and since it's been "suggested" I just want to do it and be
| done. I've tried doing what they say, as well as what Nessus says to do,
| but then Apache2 will not start.
What happens when you try? More specifically, what does the error log
say? Perhaps you don't have mod_rewrite installed.
| Also, I saw some people say don't trust Nessus and manually check to see
| if trace is running, but I have yet to find an explanation of how to do
| it. I know to telnet to the web server, but after that I don't know.
telnet servername 80
TRACE /something <return><return>
--
Who can say where the road goes
Where the day flows
Only time
  --Pilgrim (Enya - A Day Without Rain)