Tuesday, August 9, 2011

Turning off HTTP TRACE / TRACK Method in Apache

TRACE and TRACK are HTTP methods used to debug web server connections. To disable them in Apache, follow the steps below:

Step 1: Login into Web Server

Step 2: Type the command below:

            # telnet localhost 80

          Once you connect, type the following:

          TRACE / HTTP/1.0
          Host: localhost

Press Enter TWICE. If TRACE is enabled, you should see output similar to the following:

# telnet localhost 80

Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.

TRACE / HTTP/1.0
Host: localhost

HTTP/1.1 200 OK
Date: Tue, 09 Aug 2011 04:40:15 GMT
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Type: message/http

TRACE / HTTP/1.0
Host: localhost

Connection closed by foreign host.

Step 3: Change folder

            # cd /etc/httpd/conf

Step 4: Make a backup copy of httpd.conf file.

            # cp -p httpd.conf httpd.conf.bkp

Step 5: Edit httpd.conf and add the lines below (highlighted in the screenshot):

          # vi httpd.conf

<IfModule mod_rewrite.c>
          RewriteEngine on
          # Answer any TRACE request with 403 Forbidden
          RewriteCond %{REQUEST_METHOD} ^TRACE
          RewriteRule .* - [F]
</IfModule>

Step 6: Save and exit httpd.conf

Step 7: Check the syntax and restart the service

            # service httpd configtest

            # service httpd restart

Step 8: Check TRACE through telnet again

# telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.

TRACE / HTTP/1.0
Host: localhost

HTTP/1.1 403 Forbidden
Date: Tue, 09 Aug 2011 04:45:24 GMT
Server: Apache/2.2.3 (Red Hat)
Accept-Ranges: bytes
Content-Length: 3985
Connection: close
:
:
:
Connection closed by foreign host.


Step 9: You can also check the TRACK method:

# telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.

TRACK / HTTP/1.0
Host: localhost

HTTP/1.1 501 Method Not Implemented
Date: Tue, 09 Aug 2011 04:46:42 GMT
Server: Apache/2.2.3 (Red Hat)
Allow: GET,HEAD,POST,OPTIONS,TRACE
Content-Length: 282
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>501 Method Not Implemented</title>
</head><body>
<h1>Method Not Implemented</h1>
<p>TRACK to / not supported.<br />
</p>
<hr>
<address>Apache/2.2.3 (Red Hat) Server at localhost Port 80</address>
</body></html>
Connection closed by foreign host.
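The telnet checks in Steps 2, 8 and 9 can be scripted so the before/after state is verified the same way every time. The script below is an added example, not part of the original post: it builds the same raw HTTP/1.0 request typed into telnet, parses the status line and headers of the reply, and classifies the result. The three sample responses embedded in it are constructed from the outputs shown above so the checker runs offline; the probe() function sends a real request over TCP and is the only part that needs a server. Host, port and function names are the example's own choices.

```python
import socket

# Constructed sample responses, taken from the telnet sessions in the post,
# embedded here so the checker can be exercised without a server.
TRACE_ENABLED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Tue, 09 Aug 2011 04:40:15 GMT\r\n"
    b"Server: Apache/2.2.3 (Red Hat)\r\n"
    b"Connection: close\r\n"
    b"Content-Type: message/http\r\n"
    b"\r\n"
    b"TRACE / HTTP/1.0\r\nHost: localhost\r\n\r\n"
)
TRACE_BLOCKED_RESPONSE = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Date: Tue, 09 Aug 2011 04:45:24 GMT\r\n"
    b"Server: Apache/2.2.3 (Red Hat)\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)
TRACK_RESPONSE = (
    b"HTTP/1.1 501 Method Not Implemented\r\n"
    b"Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
)


def build_request(method, host, path="/"):
    """Build the raw request exactly as it was typed into telnet in the post."""
    return f"{method} {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def parse_response(raw):
    """Split a raw response into (status code, header dict, body).

    Header names are lower-cased so lookups do not depend on server casing.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify(raw):
    """Classify the server's answer to a TRACE or TRACK probe.

    'enabled'     - the request was echoed back (200 with a message/http body)
    'blocked'     - the method was refused (403 from the mod_rewrite [F] rule,
                    405 when Apache's TraceEnable off directive is used)
    'unsupported' - 501, the method is not implemented at all (TRACK on Apache)
    'unknown'     - anything else, worth a manual look
    """
    status, headers, _ = parse_response(raw)
    if status == 200 and headers.get("content-type", "").startswith("message/http"):
        return "enabled"
    if status in (403, 405):
        return "blocked"
    if status == 501:
        return "unsupported"
    return "unknown"


def advertised_methods(raw):
    """Methods listed in the Allow header, if the server sent one."""
    _, headers, _ = parse_response(raw)
    return [m.strip() for m in headers.get("allow", "").split(",") if m.strip()]


def probe(host, port=80, method="TRACE", timeout=5.0):
    """Send a live probe over TCP and classify the reply (needs a reachable server)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(method, host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify(b"".join(chunks))


if __name__ == "__main__":
    print("TRACE before the change:", classify(TRACE_ENABLED_RESPONSE))
    print("TRACE after the change: ", classify(TRACE_BLOCKED_RESPONSE))
    print("TRACK:", classify(TRACK_RESPONSE),
          "advertised:", advertised_methods(TRACK_RESPONSE))
```

The 'blocked' class accepts both 403 and 405 so the same check passes whether TRACE is refused by the mod_rewrite rule above or by Apache's own TraceEnable off directive. Note from the Step 9 output that the Allow header still lists TRACE after the rewrite rule is in place: the rule rejects the request but does not change what the server advertises, which is why the verdict is taken from the response status rather than from the Allow header.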