ali_fareed
Joined: 04 Jul 2006 Posts: 61 Location: Bahrain
|
Posted: Fri 07 Jul '06 14:55 Post subject: blocking trace with mod_rewrite |
|
|
Hello everybody, I am using mod_rewrite to block TRACE requests by adding this code to the configuration:
<IfModule rewrite_module>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
</IfModule>
and it seems to work fine, but when I tried connecting with SSL using openssl s_client I was able to get a TRACE response. Is there something missing in my configuration, or is there a problem with mod_rewrite? I'm really sorry for asking so many questions. |
|
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
|
Posted: Fri 07 Jul '06 15:20 Post subject: |
|
|
There are no known issues with mod_rewrite.
Do not know openssl s_client, but it should block the Trace REQUEST_METHOD; maybe you are talking about a different trace in s_client.
We use the rule:
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule ^ - [F]
Steffen |
|
ali_fareed
Joined: 04 Jul 2006 Posts: 61 Location: Bahrain
|
Posted: Fri 07 Jul '06 15:33 Post subject: |
|
|
You don't know the s_client in openssl? It's an SSL client in openssl which gives you the ability to send raw requests to any type of server, like using netcat or telnet but for SSL. You can use it by invoking openssl with "openssl s_client -connect server:port", and I mean the TRACE method, the one where you make a request and get a reply with your request echoed. But I'm still having a problem, can anybody help me? One more thing I forgot to mention: when I connect without SSL the TRACE request is responded to with a Forbidden, so it's working if the request is made without SSL. |
|
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
|
Posted: Fri 07 Jul '06 15:53 Post subject: |
|
|
When you use vhosts (most of us have SSL in a vhost) then you must have in the Vhost container:
RewriteEngine on
RewriteOptions inherit
OR place the rewrite code in the Vhost container. |
|
ali_fareed
Joined: 04 Jul 2006 Posts: 61 Location: Bahrain
|
Posted: Fri 07 Jul '06 16:02 Post subject: |
|
|
No, I still seem to have the problem. |
|
ali_fareed
Joined: 04 Jul 2006 Posts: 61 Location: Bahrain
|
Posted: Tue 11 Jul '06 19:52 Post subject: |
|
|
I finally got it, thanks for the help. |
|
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
|
Posted: Wed 12 Jul '06 11:59 Post subject: |
|
|
What was causing your issue? |
|
ali_fareed
Joined: 04 Jul 2006 Posts: 61 Location: Bahrain
|
Posted: Wed 12 Jul '06 20:05 Post subject: |
|
|
Like you said, I had to add:
RewriteEngine on
RewriteOptions inherit
in the virtual host container in the httpd-ssl.conf file. Thanks for your help again. |
|
ali_fareed
Joined: 04 Jul 2006 Posts: 61 Location: Bahrain
|
|
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
|
Posted: Tue 18 Jul '06 19:11 Post subject: |
|
|
Thanks for the info.
I agree, but I would rather not change the official code.
I think we must advise Apacherians not to allow the REQUEST_METHOD Trace; this can be done, like you did, with mod_rewrite or with mod_security.
Steffen |
|
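The failure resolved in this thread, a server-level TRACE rule that the SSL virtual host never sees, can be checked for offline. The following is an added example, not code from any poster or from the Apache project: a simplified Python check over configuration text. SAMPLE_CONF, the function names and the vhost addresses are constructed for illustration, and it assumes a single file with no Include directives.

```python
import re

# Constructed sample config (not from the thread): a server-level TRACE rule,
# one SSL vhost that never sees it, and one that inherits it.
SAMPLE_CONF = """\
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule ^ - [F]
<VirtualHost _default_:443>
    SSLEngine on
</VirtualHost>
<VirtualHost *:8443>
    SSLEngine on
    RewriteEngine on
    RewriteOptions inherit
</VirtualHost>
"""

def _has(pattern, lines):
    return re.search(pattern, "\n".join(lines), re.I | re.M) is not None

def engine_on(lines):
    return _has(r"^RewriteEngine\s+on\b", lines)

def has_trace_rule(lines):
    # Engine on, a non-negated REQUEST_METHOD condition naming TRACE, an [F] rule.
    return (engine_on(lines)
            and _has(r"^RewriteCond\s+%\{REQUEST_METHOD\}\s+(?!!)\S*TRACE", lines)
            and _has(r"^RewriteRule\s+\S+\s+-\s+\[[^\]]*\bF\b", lines))

def inherits(lines):
    # mod_rewrite rules are per-vhost; the vhost must opt in to the parent's rules.
    return engine_on(lines) and _has(r"^RewriteOptions\b.*\binherit\b", lines)

def unprotected_vhosts(conf_text):
    """Return the address of every <VirtualHost> where TRACE is not blocked."""
    server, vhosts, body = [], [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if m:
            body = []
            vhosts.append((m.group(1).strip(), body))
        elif re.match(r"</VirtualHost>", line, re.I):
            body = None
        elif line and not line.startswith("#"):
            (server if body is None else body).append(line)
    server_rule = has_trace_rule(server)
    return [addr for addr, lines in vhosts
            if not (has_trace_rule(lines) or (server_rule and inherits(lines)))]
```

Calling unprotected_vhosts(SAMPLE_CONF) flags only the first vhost, which matches the symptom described above: TRACE is forbidden over plain HTTP but still answered over SSL until the vhost inherits or repeats the rule.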