How to Turn TRACE and GET Method off

Forum Moderators: phranque

Message Too Old, No Replies

How to Turn TRACE and GET Method off

Forbid TRACE and GET Methods on HTTP

xamba

7:55 pm on Nov 14, 2004 (gmt 0)

Is there a way to set the site to forbid TRACE and GET request methods and how can I test Trace in particular? Any pointer to this is appreciated.

Here is my initial setup I tried in http.conf on Apache 1.3.33 with mod_rewrite compiled and enabled:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} TRACE
RewriteCond %{REQUEST_METHOD} GET
RewriteRule .* - [F]

RewriteLog logs/rewrite.log
RewriteLogLevel 9

<Directory />
SSLRequireSSL
Options FollowSymLinks
AllowOverride None
</Directory>

etc ...

Looks like not blocking GET at all when I first just do a http request on a browser. Any suggestions?
Thanks.

Slade

8:47 pm on Nov 14, 2004 (gmt 0)

I've never heard of TRACE before now, but it looks like you're on the right track... I did some quick searching and found this post on banning TRACE/TRACK:

[karakas-online.de...]

I'm kind of confused about blocking GET. Have I gone senile in thinking that 90+% of user web traffic is GET? I'm just not sure if blocking GET is what you really want to do. (It just smells wrong.) Can you tell us what you're trying to accomplish?

ogletree

10:04 pm on Nov 14, 2004 (gmt 0)

Stopping get requests is the same thing as turning off your webserver.

xamba

3:53 pm on Nov 15, 2004 (gmt 0)

I was trying to restict the web server to accept HTTP POST method but not GET and don't want anyone sniffing around with TRACE for security reason.

jdMorgan

4:32 pm on Nov 15, 2004 (gmt 0)

At a minimum, mod_rewrite will require Options FollowSymLinks or Options SymLinksIfOwnerMatch, plus AllowOverride FileInfo in order to run. Check your server error log, and you will see error messages that tell you this or give you a good hint.

I'd suggest you get mod_rewrite working using a simple URL redirect and GET, before blocking the GET method itself. This just makes it a lot easier to test.

Jim

xamba

6:50 am on Nov 17, 2004 (gmt 0)

Thanks for pointing out the missing
Options FollowSymLinks and AllowOverride None

It now works beautifully. :))