Posted to users@httpd.apache.org by Hugh E Cruickshank <hu...@forsoft.com> on 2008/09/15 05:16:48 UTC
[users@httpd] Upgrade Apache 2.0.46 to 2.0.59 (on RHEL3.9 )
Apache 2.0.46 on RHEL3.9
Hi All:
For security reasons it looks like I may need to upgrade the Apache
httpd software on one of my production servers. The server in
question is currently running RHEL3 Update 9 which includes Apache
2.0.46. I have been asked to disable the HTTP TRACE which appears
to be enabled by default. I have located the TraceEnable config
parameter but this appears to be only available in 2.0.55+. I have
checked the Apache site and they have an RPM available for 2.0.59.
I am hesitant to upgrade a production server with other than Red Hat
supplied and tested packages for the primary server components. I
do not mind doing this for add-ons and utilities but not something
as key as the web server software.
My questions are:
1. Is this really required or can I disable the HTTP TRACE using
another method?
2. Has anyone done this type of upgrade and did you encounter any
problems?
Any additional comments or suggestions welcome.
TIA
Regards, Hugh
--
Hugh E Cruickshank, Forward Software, www.forward-software.com
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
RE: [users@httpd] Upgrade Apache 2.0.46 to 2.0.59 (on RHEL3.9 )
Posted by Hugh E Cruickshank <hu...@forsoft.com>.
From: Gene LeDuc Sent: September 15, 2008 09:43
>
> Before I discovered TraceEnable, I found something on the web that
> showed how to block TRACE using mod_rewrite. Here's what I got to work
> (assuming that your install was compiled with --enable-rewrite):
>
[big snip]
Hi Gene:
Thanks for the info. I will definitely give that a try before doing
the "non-standard" upgrade.
Regards, Hugh
--
Hugh E Cruickshank, Forward Software, www.forward-software.com
Re: [users@httpd] Upgrade Apache 2.0.46 to 2.0.59 (on RHEL3.9 )
Posted by Gene LeDuc <gl...@mail.sdsu.edu>.
Hi Hugh,
Before I discovered TraceEnable, I found something on the web that showed
how to block TRACE using mod_rewrite. Here's what I got to work (assuming
that your install was compiled with --enable-rewrite):
Include the following lines in your httpd.conf file in a "server"
configuration area (near other <IfModule>...</IfModule> blocks would
probably be appropriate):
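<IfModule mod_rewrite.c>
    # File-name form of the test: <IfModule> accepts module identifiers
    # such as rewrite_module only from httpd 2.1 on, so on 2.0.x that
    # form is false and the block is silently skipped.
    RewriteEngine On
    # Answer any TRACE request with 403 Forbidden
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]
</IfModule>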
Include the following lines in every virtual host definition
block (<VirtualHost>...</VirtualHost>):
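<IfModule mod_rewrite.c>
    # mod_rewrite.c rather than rewrite_module: the identifier form
    # needs httpd 2.1 or later.
    RewriteEngine On
    # Pull in the server-level rewrite rules for this vhost
    RewriteOptions Inherit
</IfModule>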
Repeat the above step for any ssl virtual host definitions.
It's a pain if you have a lot of vhosts.
Regards,
Gene
At 08:16 PM 9/14/2008, Hugh E Cruickshank wrote:
>Apache 2.0.46 on RHEL3.9
>
>Hi All:
>
>For security reasons it looks like I may need to upgrade the Apache
>httpd software on one of my production servers. The server in
>question is currently running RHEL3 Update 9 which includes Apache
>2.0.46. I have been asked to disable the HTTP TRACE which appears
>to be enabled by default. I have located the TraceEnable config
>parameter but this appears to be only available in 2.0.55+. I have
>checked the Apache site and they have an RPM available for 2.0.59.
>
>I am hesitant to upgrade a production server with other than Red Hat
>supplied and tested packages for the primary server components. I
>do not mind doing this for add-ons and utilities but not something
>as key as the web server software.
>
>My questions are:
>
>1. Is this really required or can I disable the HTTP TRACE using
> another method?
>
>2. Has anyone done this type of upgrade and did you encounter any
> problems?
>
>Any additional comments or suggestions welcome.
>
>TIA
>
>Regards, Hugh
>
>--
>Hugh E Cruickshank, Forward Software, www.forward-software.com
>
--
Gene LeDuc, GSEC
Security Analyst
San Diego State University
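Added example, not part of the original thread: a small audit for the mod_rewrite workaround described above, which reports whether the server-level TRACE rule is present and lists every <VirtualHost> that lacks "RewriteEngine On" plus "RewriteOptions Inherit" and so would still answer TRACE. The function name, the sample configuration and its host names are constructed for illustration.

```python
import re

# Constructed sample httpd.conf (not from the thread); host names are placeholders.
SAMPLE_CONF = """\
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
<VirtualHost *:80>
    ServerName www.example.com
    RewriteEngine On
    RewriteOptions Inherit
</VirtualHost>
<VirtualHost *:443>
    ServerName secure.example.com
    RewriteEngine On
</VirtualHost>
"""

def audit_trace_block(conf_text):
    """Return (server_rule_ok, vhosts_missing_inherit); Include files are not followed."""
    vhost, seen, missing = None, set(), []   # current vhost address, its rewrite settings
    server_rule_ok = trace_cond = False      # trace_cond: a TRACE RewriteCond awaits its rule
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if m:
            vhost, seen = m.group(1).strip(), set()
        elif re.match(r"</VirtualHost>", line, re.I):
            if not {"engine", "inherit"} <= seen:
                missing.append(vhost)
            vhost = None
        else:
            words = line.lower().split()
            if words[:2] == ["rewriteengine", "on"]:
                seen.add("engine")
            elif words[0] == "rewriteoptions" and "inherit" in words[1:]:
                seen.add("inherit")
            elif vhost is None and words[0] == "rewritecond":
                trace_cond = trace_cond or (words[1:2] == ["%{request_method}"] and "trace" in " ".join(words[2:]))
            elif vhost is None and words[0] == "rewriterule":
                flags = words[-1] if words[-1].startswith("[") else ""
                if trace_cond and re.search(r"\b(f|forbidden)\b", flags):
                    server_rule_ok = True
                trace_cond = False           # conditions apply only to the next rule
    return server_rule_ok, missing

if __name__ == "__main__":
    print(audit_trace_block(SAMPLE_CONF))
```

The audit reads configuration text only; a TRACE request against each vhost remains the authoritative check after a restart.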