Disabling TRACE request method on Apache/2.0.52
Problem description
By default, Apache 2.0.52 will respond to any HTTP TRACE request that it receives. This is a potential security problem because it can allow certain types of XSS attacks. For details, see http://www.apacheweek.com/issues/03-01-24#news
I am trying to disable TRACE requests by following the instructions shown in the page linked to above. I added the following lines of code to my http.conf file, and restarted apache:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
However, when I send a TRACE request to my web server, it seems to ignore the rewrite rules and responds as if TRACE requests were still enabled.
For example:
[admin2@dedicated ~]$ telnet XXXX.com 80
Trying XXXX...
Connected to XXXX.com (XXXX).
Escape character is '^]'.
TRACE / HTTP/1.0
X-Test: foobar
HTTP/1.1 200 OK
Date: Sat, 11 Jul 2009 17:33:41 GMT
Server: Apache/2.0.52 (Red Hat)
Connection: close
Content-Type: message/http
TRACE / HTTP/1.0
X-Test: foobar
Connection closed by foreign host.
The server should respond with 403 Forbidden. Instead, it echoes back my request with a 200 OK.
As a test, I changed the RewriteCond to %{REQUEST_METHOD} ^GET
When I do this, Apache correctly responds to all GET requests with 403 Forbidden. But when I change GET back to TRACE, it still lets TRACE requests through.
How can I get Apache to stop responding to TRACE requests?
Recommended answer
I figured out the correct way to do it.
I had tried placing the block of rewrite directives in three places: in the <Directory "/var/www/html"> part of the httpd.conf file, at the top of my httpd.conf file, and in the /var/www/html/.htaccess file. None of these three methods worked.
Finally, however, I tried putting the block of code in the <VirtualHost *:80> part of my httpd.conf. For some reason, it works when it is placed there.
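A repeatable version of the telnet check from the question, as an added example that is not part of the original question or answer: it sends the same TRACE probe and classifies the reply, so the rule can be re-verified after each configuration change. The function names, the result labels and the two sample responses are constructed for illustration.

```python
import socket

def build_probe(host, marker):
    """TRACE request carrying a marker header that an enabled server echoes."""
    return (f"TRACE / HTTP/1.0\r\nHost: {host}\r\n"
            f"X-Test: {marker}\r\n\r\n").encode("ascii")

def classify(raw, marker):
    """Return 'enabled', 'blocked' or 'inconclusive' for a raw HTTP response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return "inconclusive"
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip().lower()
    # A TRACE echo is a 200 whose body repeats the request as message/http.
    echoed = marker.encode("ascii") in body
    trace_body = headers.get(b"content-type", b"").startswith(b"message/http")
    if status == 200 and (echoed or trace_body):
        return "enabled"
    if status in (403, 405, 501):
        return "blocked"
    return "inconclusive"  # e.g. a 200 with an ordinary HTML page

def probe(host, port=80, marker="foobar", timeout=5.0):
    """Send the probe to a server you administer and classify its reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_probe(host, marker))
        chunks = []
        while chunk := s.recv(4096):
            chunks.append(chunk)
    return classify(b"".join(chunks), marker)

# Constructed samples: the first mirrors the transcript in the question,
# the second is the reply the [F] rule is expected to produce.
SAMPLE_ECHO = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.0.52 (Red Hat)\r\n"
               b"Connection: close\r\nContent-Type: message/http\r\n\r\n"
               b"TRACE / HTTP/1.0\r\nX-Test: foobar\r\n\r\n")
SAMPLE_FORBIDDEN = (b"HTTP/1.1 403 Forbidden\r\nConnection: close\r\n"
                    b"Content-Type: text/html\r\n\r\n<h1>Forbidden</h1>")

if __name__ == "__main__":
    print(classify(SAMPLE_ECHO, "foobar"), classify(SAMPLE_FORBIDDEN, "foobar"))
```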