Monday, July 23, 2018

[TechNode] How to disable HTTP Methods (HEAD, PUT, DELETE, OPTIONS) in httpd.conf?


 RewriteEngine On
 RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|PUT|OPTIONS|DELETE|HEAD)
 RewriteRule .*$ - [F,L]
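A variant of the rule above, added here and not part of the original post. It leaves HEAD and OPTIONS enabled (the rule above forbids both, but HEAD is what `curl -I` and most load-balancer health checks send, and OPTIONS is needed for CORS preflight), uses the `TraceEnable` directive for TRACE instead of a rewrite match, and uses an Apache 2.4 `<LimitExcept>` block, which denies every method not explicitly listed, including ones httpd does not know such as TRACK. The `/` location and the allowed-method list are assumptions for illustration; on Apache 2.2 replace `Require all denied` with `Order deny,allow` / `Deny from all`.

```apache
# Added variant (not from the original post). TraceEnable is the supported way
# to turn off TRACE; <LimitExcept> denies every method that is not listed here,
# including unregistered ones such as TRACK, while leaving HEAD and OPTIONS
# (health checks, curl -I, CORS preflight) untouched.
TraceEnable Off

<Location "/">
    <LimitExcept GET POST HEAD OPTIONS>
        Require all denied
    </LimitExcept>
</Location>
```

TRACE itself cannot be restricted with `<Limit>`/`<LimitExcept>`, which is why `TraceEnable Off` is still required alongside the block.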

# curl -I -X OPTIONS localhost:80
HTTP/1.1 200 OK
Date: Tue, 24 Jul 2018 08:14:02 GMT
Server: Apache
Allow: GET,POST,OPTIONS,HEAD,TRACE
Content-Length: 0
Content-Type: httpd/unix-directory

# curl -I -X PUT localhost:80
HTTP/1.1 403 Forbidden
Date: Tue, 24 Jul 2018 08:14:14 GMT
Server: Apache
Content-Length: 209
Content-Type: text/html; charset=iso-8859-1


Disabling the TRACE Method (Cross-Site Tracing, XST) for HTTP


Technote (troubleshooting)


Problem(Abstract)

This document provides directives to disable the TRACE method in the Apache-based HTTP server. Abuse of the TRACE method is known as Cross-Site Tracing (XST); scan reports often file it under XSS, but it is a distinct issue: TRACE echoes the request back to the client, so a script that can issue a TRACE request can read request headers (such as cookies) that it could not otherwise access.

Resolving the problem

The following directive disables the TRACE method in the HTTP configuration (e.g. /www/servername/conf/httpd.conf). The same issue is sometimes described in terms of the TRACK method, which some servers treat like TRACE, and is labelled XST (Cross-Site Tracing) or, loosely, XSS.

    TraceEnable Off

This directive can be put in the global server area. It is inherited in Virtual Host containers.

Note: TraceEnable support was added to release 5.4 via PTF SI37038 (it is included in the base HTTP product at V6R1 and above).


Alternate Method:

The following lines can be added to the configuration to disable TRACE and TRACK:


    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]
    RewriteCond %{REQUEST_METHOD} ^TRACK
    RewriteRule .* - [F]
===


Technote (FAQ)


Question

How to disable HTTP method TRACE?

Answer

Disable HTTP TRACE :-
In IBM HTTP Server 7.0 and later, the "TraceEnable" directive is provided to disable the TRACE HTTP method.

IHS can be configured to disable normal TRACE request processing so that the request fails with 403 (Forbidden) and any private information sent in the TRACE request does not appear in the response. To do so, add the following mod_rewrite directives to the web server configuration file, at main scope as well as in every <VirtualHost> container. If you use the IHS Administration Server and it listens on a client-accessible interface, add the directives there as well unless its listening port can be restricted to an internal-facing interface.
Here is an example:-
# disable TRACE in the main scope of httpd.conf
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
...
<VirtualHost www.example.com>
...
# disable TRACE in the www.example.com virtual host
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
</VirtualHost>


Verifying that TRACE is disabled :
After TRACE has been disabled according to the instructions above, a TRACE request is answered with an HTTP status code of 403 or 405.
Using telnet to verify the configuration for a non-SSL web server port
The telnet command provided with most operating systems can be used to verify that the configuration changes to disable TRACE have been made. Note that telnet can only be used to test non-SSL ports, since it cannot perform the SSL handshake or encrypt the data; for an SSL port, `openssl s_client -connect host:443` gives the same raw channel and the request below can be typed into it unchanged.
$ telnet 127.0.0.1 8080
Trying...
Connected to 127.0.0.1.
Escape character is '^]'.
TRACE / HTTP/1.0
A: b
C: d
Host: foo

HTTP/1.1 403 Forbidden
Date: Mon, 04 Oct 2004 14:23:31 GMT
Server: IBM_HTTP_SERVER
Connection: close
Content-Type: text/html; charset=iso-8859-1


If the response to the TRACE request continues to result in a response with status code 200, verify that the required directives were added to all <VirtualHost> containers and the main scope of the configuration file, and also verify that the web server has been restarted to activate the updated configuration.
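The curl checks at the top of the post and the telnet check above each test one method by hand. The script below, added here and not code from the post or from IBM, does the same audit for every method the rewrite rule names and reduces the answers to findings: a TRACE that echoes a canary header back (the XST condition), any of TRACK/PUT/DELETE answered with a non-error status, and an OPTIONS response whose Allow header still advertises them (which is what the post's first curl check shows, since its OPTIONS came back 200 with TRACE in Allow). The two request handlers are constructed stand-ins for httpd before and after the configuration change so that the example runs offline; `probe_methods()` can be pointed at a real host and port instead.

```python
# Added example, not code from the page: audit which HTTP methods a server
# accepts, as the page's curl and telnet checks do, for every listed method at
# once. The two handlers are constructed stand-ins for httpd before and after
# the rewrite rule so the audit runs offline; call probe_methods() against a
# real host:port to audit it.
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Methods the page's RewriteCond forbids, plus GET/POST as a control.
METHODS = ("GET", "POST", "HEAD", "OPTIONS", "TRACE", "TRACK", "PUT", "DELETE")
DANGEROUS = {"TRACE", "TRACK", "PUT", "DELETE"}


def probe_methods(host, port, path="/", methods=METHODS, timeout=5):
    """Send one request per method; return {method: (status, Allow header, body)}."""
    results = {}
    for method in methods:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            # A canary header makes a TRACE echo (cross-site tracing) easy to spot.
            conn.request(method, path, headers={"X-Canary": "xst-probe"})
            resp = conn.getresponse()
            results[method] = (resp.status, resp.getheader("Allow"), resp.read())
        finally:
            conn.close()
    return results


def findings(results):
    """Reduce raw statuses to the checks the page's configuration is meant to pass."""
    out = []
    status, _, body = results.get("TRACE", (None, None, b""))
    if status == 200 and b"x-canary" in body.lower():
        out.append("TRACE echoes request headers (cross-site tracing possible)")
    elif status == 200:
        out.append("TRACE answered 200; check TraceEnable Off / the rule in every scope")
    for method in ("TRACK", "PUT", "DELETE"):
        status = results.get(method, (None,))[0]
        if status is not None and status < 400:
            out.append(f"{method} not rejected (HTTP {status})")
    status, allow, _ = results.get("OPTIONS", (None, None, b""))
    if status == 200 and allow:
        advertised = {m.strip().upper() for m in allow.split(",")}
        bad = sorted(advertised & DANGEROUS)
        if bad:
            out.append(f"OPTIONS advertises {','.join(bad)} in Allow")
    return out


class _Base(BaseHTTPRequestHandler):
    """Constructed stand-in for httpd; GET/POST/HEAD are the same in both variants."""

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _reply(self, status, body=b"", **headers):
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name.replace("_", "-"), value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(body)

    def do_GET(self):
        self._reply(200, b"ok\n")

    do_POST = do_HEAD = do_GET


class UnhardenedHandler(_Base):
    """Before: TRACE/TRACK echo the request, PUT/DELETE succeed, OPTIONS lists them."""

    def do_TRACE(self):
        echo = (self.requestline + "\r\n" + str(self.headers)).encode()
        self._reply(200, echo, Content_Type="message/http")

    do_TRACK = do_TRACE

    def do_PUT(self):
        self._reply(201)

    def do_DELETE(self):
        self._reply(200)

    def do_OPTIONS(self):
        self._reply(200, Allow="GET,POST,OPTIONS,HEAD,TRACE,PUT,DELETE")


class HardenedHandler(_Base):
    """After: what RewriteRule ... [F] yields for the forbidden methods (HEAD kept)."""

    def _forbid(self):
        self._reply(403, b"<h1>Forbidden</h1>\n")

    do_TRACE = do_TRACK = do_PUT = do_DELETE = do_OPTIONS = _forbid


def audit_local(handler):
    """Start a throwaway server on 127.0.0.1, audit it, and return the findings."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return findings(probe_methods("127.0.0.1", srv.server_address[1]))
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for label, handler in (("before", UnhardenedHandler), ("after", HardenedHandler)):
        print(label, audit_local(handler) or ["no findings"])
```

Against a real server, run `findings(probe_methods("www.example.com", 80))` once per virtual host and once per listener (including the administration server port), since the technote's point is that the directives must be present in every scope; a clean result for one host says nothing about the others.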

Note:
The HTTP TRACE method is disabled by default in IBM HTTP Server 8.0 and later.
