在Apache / 2.0.52禁用TRACE请求方法 [英] Disabling TRACE request method on Apache/2.0.52

问题描述

在默认情况下，阿帕奇2.0.52将它接收到的任何HTTP TRACE请求作出响应。这是一个潜在的安全问题，因为它可以允许某些类型的跨站脚本攻击。有关详细信息，请参阅 http://www.apacheweek.com/issues/03-01 -24＃新闻

By default, Apache 2.0.52 will respond to any HTTP TRACE request that it receives. This is a potential security problem because it can allow certain types of XSS attacks. For details, see http://www.apacheweek.com/issues/03-01-24#news

我想通过以下链接在上面的页面显示的说明禁用TRACE请求。我加code以下行到我的http.conf文件，并重新启动Apache的：

I am trying to disable TRACE requests by following the instructions shown in the page linked to above. I added the following lines of code to my http.conf file, and restarted apache:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

然而，当我发出TRACE请求，我的Web服务器，它似乎忽略重写规则并响应，如果跟踪请求仍启用。

However, when I send a TRACE request to my web server, it seems to ignore the rewrite rules and responds as if TRACE requests were still enabled.

例如：

[admin2@dedicated ~]$ telnet XXXX.com 80
Trying XXXX...
Connected to XXXX.com (XXXX).
Escape character is '^]'.
TRACE / HTTP/1.0
X-Test: foobar

HTTP/1.1 200 OK
Date: Sat, 11 Jul 2009 17:33:41 GMT
Server: Apache/2.0.52 (Red Hat)
Connection: close
Content-Type: message/http

TRACE / HTTP/1.0
X-Test: foobar

Connection closed by foreign host.

服务器应具有403禁​​止响应。相反，它回显我一个200 OK请求。

The server should respond with 403 Forbidden. Instead, it echoes back my request with a 200 OK.

作为测试，我改变了的RewriteCond为％{REQUEST_METHOD} ^ GET

As a test, I changed the RewriteCond to %{REQUEST_METHOD} ^GET

当我这样做，Apache的正确响应所有的GET禁止与403的请求。但是，当我换回到TRACE，它仍然允许TRACE通过请求。

When I do this, Apache correctly responds to all GET requests with 403 Forbidden. But when I change GET back to TRACE, it still lets TRACE requests through.

我怎样才能获得Apache停止响应跟踪请求？

How can I get Apache to stop responding to TRACE requests?

推荐答案

我想出正确的方式做到这一点。

I figured out the correct way to do it.

我曾试图将重写指令块在三个地方：在＆LT;目录的/ var / www / html等＆gt;在httpd.conf中的部分文件中，在我的httpd.conf文件的顶部，并在/var/www/html/.htaccess文件。这三种方法都没有奏效。

I had tried placing the block of rewrite directives in three places: in the <Directory "/var/www/html"> part of the httpd.conf file, at the top of my httpd.conf file, and in the /var/www/html/.htaccess file. None of these three methods worked.

最后，不过，我试图把code块在＆LT;虚拟主机*：80＆gt;我的httpd.conf的部分。出于某种原因，当它被置于它的作品。那里。

Finally, however, I tried putting the block of code in <VirtualHost *:80> part of my httpd.conf. For some reason, it works when it is placed. there.

这篇关于在Apache / 2.0.52禁用TRACE请求方法的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！