Posted to users@httpd.apache.org by 吴昊 <wu...@7500.com.cn> on 2016/02/18 08:46:50 UTC

[users@httpd] TraceEnable off directive not work

Hello,

I just experienced a weird behavior of the TraceEnable directive.

Before using this directive, I used mod_rewrite to disable TRACE and other unwanted HTTP methods. Since this directive was added, the TRACE method started getting a 200 return.
I've tried both jmeter and telnet; the results are the same, the protection was gone.

I'm running Apache 2.2.27 on a Linux box. I added the TraceEnable directive along with the Rewrite directives, thinking it would be a “more proper way of doing this” and a double protection.

Related configs in http.conf are as follows:

TraceEnable off
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|PUT|DELETE)
RewriteRule .* - [R=405,L]

And the results are as follows:

TRACE / HTTP/1.1
HOST:www.domain.com.cn

HTTP/1.1 200 OK
Date: Thu, 18 Feb 2016 07:36:35 GMT
Server: Apache-Coyote/1.1
X-Frame-Options: SAMEORIGIN
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 08:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: JSESSIONID=739A627F3C3DE5933230BE579D7D1693; Secure; HttpOnly
Transfer-Encoding: chunked

In access_log, I can clearly see:
[18/Feb/2016:15:36:29 +0800] "TRACE / HTTP/1.1" 200 10219 www.domain.com.cn

After I removed this directive and left just the Rewrite directives, the redirects are normal.

TRACE / HTTP/1.1
HOST:www.domain.com.cn

HTTP/1.1 405 TRACE method is not allowed
Date: Thu, 18 Feb 2016 07:39:40 GMT
Server: Apache-Coyote/1.1
X-Frame-Options: SAMEORIGIN
Allow: OPTIONS
Content-Length: 0
Content-Type: text/plain

In access_log:
[18/Feb/2016:15:39:32 +0800] "TRACE / HTTP/1.1" 405 - www.domain.com.cn


I think this could indicate that "TraceEnable off" is bugged/not working.

Any thoughts? Please advise.
Thank you

Cheers

Chris
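
An added example, not part of the original post: a small audit that scans access_log lines in the layout quoted above and reports requests using the methods from the RewriteCond that were answered rather than refused. The field layout is inferred from the two quoted log lines, and the GET line in the sample is constructed.

```python
import re

# Methods taken from the RewriteCond in the post above.
UNWANTED = {"TRACE", "TRACK", "PUT", "DELETE"}

# Layout inferred from the quoted access_log lines (an assumption):
# [timestamp] "METHOD path protocol" status bytes vhost
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)(?: (?P<vhost>\S+))?$'
)

# The two TRACE lines are the ones quoted in the post; the GET line is constructed.
SAMPLE_LOG = """\
[18/Feb/2016:15:36:29 +0800] "TRACE / HTTP/1.1" 200 10219 www.domain.com.cn
[18/Feb/2016:15:39:32 +0800] "TRACE / HTTP/1.1" 405 - www.domain.com.cn
[18/Feb/2016:15:40:01 +0800] "GET /index.html HTTP/1.1" 200 512 www.domain.com.cn
"""


def audit(log_text):
    """Return unwanted-method requests that got a non-error (< 400) status."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank line or a different LogFormat; skip it
        method = m["method"].upper()
        status = int(m["status"])
        if method in UNWANTED and status < 400:
            findings.append({
                "timestamp": m["ts"],
                "method": method,
                "path": m["path"],
                "status": status,
                # "-" in the log means no body bytes were sent
                "bytes": 0 if m["size"] == "-" else int(m["size"]),
                "vhost": m["vhost"],
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print("{timestamp} {vhost}: {method} {path} -> {status} "
              "({bytes} bytes)".format(**f))
```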


Re: [users@httpd] TraceEnable off directive not work

Posted by Rich Bowen <rb...@rcbowen.com>.
Sorry, brain cramp there. Tomcat. I see.

I wonder if you've had an opportunity to try this on 2.4 httpd. 2.2.27 is
from nearly 3 years ago.
On Feb 23, 2016 08:30, "Rich Bowen" <rb...@rcbowen.com> wrote:

> What the heck is Apache-Coyote/1.1

Re: [users@httpd] TraceEnable off directive not work

Posted by Rich Bowen <rb...@rcbowen.com>.
What the heck is Apache-Coyote/1.1?