Reputation: 315
I have Apache 2.2.22 on SUSE Linux. I want to disable TRACK and TRACE in Apache and use
1- TraceEnable Off and
2- RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
but neither of the 2 ways works.
Upvotes: 15
Views: 91964
Reputation: 176
I know there's already a few answers here, but I thought I'd chime in and add some additional options.
Slipstream's approach is certainly the simplest approach here, so if you're seeking a quick and easy fix, there's your pot of gold.
TraceEnable directive
As mentioned by a few people here, in Apache2, you can append the TraceEnable directive to the end of your httpd.conf or apache2.conf file:
TraceEnable Off
You can also add a rewrite configuration to your VirtualHost to explicitly block TRACK and TRACE requests:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
</IfModule>
With this configuration, Apache catches all TRACK and TRACE requests, and replies with a 403 Forbidden error. None of the original request's content is echoed back.
But, what I haven't seen anyone else suggest is explicitly passing the methods you want to allow. This is a slightly tighter fix, and is required for PCI compliance:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)
RewriteRule .* - [F]
</IfModule>
This will reject any request which is using a method not specified in the directive. Again, the original request content is not echoed back, and the server responds with a 403 Forbidden error.
Something to keep in mind for production systems is that RewriteEngine can be processor intensive. This is generally not much of an issue because the increase would be milliseconds (if not microseconds), but something to be mindful of if you have loads of rewrites.
Note: For the above rewrite configurations, you'll need to uncomment the LoadModule or AddModule (depending on your setup) directives in your Apache config for rewrite_module.
Upvotes: 0
Reputation: 4754
You can also use mod_allowmethods, found in Apache 2.3+:
<Location "/">
AllowMethods GET POST OPTIONS
</Location>
https://httpd.apache.org/docs/2.4/mod/mod_allowmethods.html
Upvotes: 0
Reputation: 115
View Demo Trace Using SSH Command
TRACE is enabled by default in an Apache installation. There are two ways to remediate. The first can be used if you are running Apache 1.3.34, 2.0.55, or anything in the 2.2 release. Simply add the TraceEnable directive into your httpd.conf and set the value to Off.
TraceEnable Off
add this line in httpd.conf
The first thing to do is make sure that mod_rewrite is loaded. If mod_rewrite.so is missing from your Apache configuration but you have it installed (and your install location is /usr/local/apache), then add the following statement to your httpd.conf:
LoadModule rewrite_module "/usr/local/apache/modules/mod_rewrite.so"
Then add the following as well to your httpd.conf file:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
Test With Curl Command
curl -v -X TRACE http://localhost
Upvotes: 0
Reputation: 2280
Unless a module is installed which supports TRACK, then TRACK is not supported by default by Apache, hence the only need to have the directive:
TraceEnable Off
However, for a belt-and-suspenders approach, also add:
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) [NC]
RewriteRule ^.* - [F]
This will disable both TRACE and TRACK.
Upvotes: 2
Reputation: 71
To disable these methods, add the following lines for each virtual host in your configuration file:
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
nessus said)))
Upvotes: 7
Reputation: 14782
In Apache2 you can just add TraceEnable Off in httpd.conf (end of file)
TraceEnable Off
To check if Trace is On/Off you can use Curl:
curl -v -X TRACE http://www.yourserver.com
Upvotes: 42
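An added example, not part of any answer above: a shell wrapper around the curl check from the answers that probes TRACE and TRACK on every URL given (one per virtual host) and interprets the reply. The function names and verdict strings are this example's own; the 405 case assumes Apache's documented response when TraceEnable is Off, and 403 is the response the RewriteRule [F] answers describe.

```shell
#!/bin/sh
# Added example: verify that TRACE/TRACK are rejected.
# Usage: sh check_trace.sh http://vhost1.example http://vhost2.example

# classify CODE CONTENT_TYPE -> prints a verdict for one probe.
classify() {
    code=$1
    ctype=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$code" in
        200)
            # A live TRACE handler echoes the request back as message/http.
            case "$ctype" in
                message/http*) echo "ENABLED: request echoed as message/http" ;;
                *)             echo "REVIEW: 200 but no message/http echo" ;;
            esac ;;
        405) echo "BLOCKED: 405 Method Not Allowed" ;;  # TraceEnable Off
        403) echo "BLOCKED: 403 Forbidden" ;;           # RewriteRule ... [F]
        501) echo "BLOCKED: 501 Not Implemented" ;;
        000) echo "ERROR: no HTTP response" ;;
        *)   echo "REVIEW: unexpected status $code" ;;
    esac
}

# probe URL METHOD -> sends one request, discards the body, classifies it.
probe() {
    out=$(curl -s -o /dev/null -m 10 -X "$2" \
          -w '%{http_code} %{content_type}' "$1") || out="000 "
    classify "${out%% *}" "${out#* }"
}

# Only touches the network when URLs are supplied on the command line.
if [ "$#" -ge 1 ]; then
    for url in "$@"; do
        for m in TRACE TRACK; do
            printf '%s %-5s %s\n' "$url" "$m" "$(probe "$url" "$m")"
        done
    done
fi
```

Probing each virtual host separately matters because rewrite rules placed in the main server config are not inherited by virtual hosts by default.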