fvosberg

Reputation: 697

How to deny trace requests via htaccess?

I want to disable the trace and track methods via htaccess.

With the following snippet in my .htaccess:

RewriteCond %{REQUEST_METHOD} ^TRAC[EK]
RewriteRule .* - [L,R=405]

I get the following answers:

curl -v -X TRACK obscuredurl
* Adding handle: conn: 0x7f8c43004400
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7f8c43004400) send_pipe: 1, recv_pipe: 0
* About to connect() to obscuredurl port 80 (#0)
*   Trying xx.xx.xxx.xx...
* Connected to obscuredurl (xx.xx.xxx.xx) port 80 (#0)
> TRACK / HTTP/1.1
> User-Agent: curl/7.30.0
> Host: obscuredurl
> Accept: */*
>
< HTTP/1.1 405 Method Not Allowed
< Date: Tue, 14 Jan 2014 09:53:45 GMT
* Server Apache is not blacklisted
< Server: Apache
< Allow: TRACE
< Content-Length: 296
< Connection: close
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>405 Method Not Allowed</title>
</head><body>
<h1>Method Not Allowed</h1>
<p>The requested method TRACK is not allowed for the URL /.</p>
<hr>
<address>Apache Server at obscuredurl Port 80</address>
</body></html>
* Closing connection 0

And

curl -v -X TRACE obscuredurl
* Adding handle: conn: 0x7ff339004400
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7ff339004400) send_pipe: 1, recv_pipe: 0
* About to connect() to obscuredurl port 80 (#0)
*   Trying xx.xx.xxx.xx...
* Connected to obscuredurl (xx.xx.xxx.xx) port 80 (#0)
> TRACE / HTTP/1.1
> User-Agent: curl/7.30.0
> Host: obscuredurl
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Tue, 14 Jan 2014 09:55:15 GMT
* Server Apache is not blacklisted
< Server: Apache
< Connection: close
< Transfer-Encoding: chunked
< Content-Type: message/http
<
TRACE / HTTP/1.1
User-Agent: curl/7.30.0
Host: obscuredurl
Accept: */*

* Closing connection 0

So it seems to work with TRACK but not with TRACE. Using two separate conditions doesn't work either.

How can I debug it?

Thanks

Upvotes: 1

Views: 1296

Answers (1)

anubhava

Reputation: 785866

The difference is in Apache's handling of the TRACE and TRACK request methods. As you noticed, a TRACK request is duly handled by the mod_rewrite rule in Apache, but TRACE is handled by Apache at a much higher level, even before your .htaccess is read. You can verify that by putting some garbage text in .htaccess and then invoking a TRACE request: you get a proper response instead of the expected 500 (Internal Server Error).

You may need to request your server admin to add this in Apache server config:

TraceEnable Off 

to switch off TRACE.

Upvotes: 1
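To confirm that TraceEnable Off actually took effect (and that TRACK is still caught by the rewrite rule), it helps to repeat the two curl requests from the question and classify the replies rather than eyeball them. The script below is an added example, not code from the question, the answer, or Apache; the host name is a placeholder and the two sample responses are constructed from the replies shown in the question. A reply of 200 with Content-Type message/http means the server echoed the request (the method is enabled); 405, 403 or 501 means it was refused. It also checks the Allow header: the 405 in the question still advertises TRACE, which is the visible sign that mod_rewrite stopped only TRACK.

```python
# Added example: verify that HTTP TRACE/TRACK are really disabled on a host.
# Not code from the question, the answer, or Apache; it reproduces the two
# curl checks from the question in Python and classifies what comes back.
import http.client

# Content-Type Apache uses when TRACE succeeds and echoes the request back.
ECHO_CONTENT_TYPE = "message/http"


def parse_raw_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status, headers, body).

    Header names are lower-cased so lookups are case-insensitive.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify(status: int, headers: dict) -> str:
    """Return "echoed" when the server reflected the request (method enabled),
    "blocked" when it refused the method, and "other" for anything else."""
    ctype = headers.get("content-type", "").lower()
    if status == 200 and ctype.startswith(ECHO_CONTENT_TYPE):
        return "echoed"
    if status in (403, 405, 501):
        return "blocked"
    return "other"


def trace_still_allowed(headers: dict) -> bool:
    """True if an Allow header still advertises TRACE, as the 405 reply to
    TRACK in the question did: mod_rewrite stopped TRACK, not TRACE."""
    allow = headers.get("allow", "")
    return "TRACE" in [m.strip().upper() for m in allow.split(",")]


def classify_raw(raw: bytes) -> str:
    """Classify a captured raw response (handy for offline checks)."""
    status, headers, _ = parse_raw_response(raw)
    return classify(status, headers)


def check_host(host: str, port: int = 80, methods=("TRACE", "TRACK"), timeout=5):
    """Live check: send each method to a host you administer and classify
    the replies. Returns {method: verdict}."""
    results = {}
    for method in methods:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request(method, "/", headers={"Accept": "*/*"})
            resp = conn.getresponse()
            resp.read()  # drain the body so the connection closes cleanly
            headers = {k.lower(): v for k, v in resp.getheaders()}
            results[method] = classify(resp.status, headers)
        finally:
            conn.close()
    return results


# Constructed sample responses, modelled on the two replies in the question
# (TRACK refused with 405 but Allow: TRACE; TRACE echoed as 200 message/http).
SAMPLE_TRACK_405 = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Server: Apache\r\n"
    b"Allow: TRACE\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
SAMPLE_TRACE_200 = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: message/http\r\n"
    b"\r\n"
    b"TRACE / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
)


if __name__ == "__main__":
    for name, raw in (("TRACK", SAMPLE_TRACK_405), ("TRACE", SAMPLE_TRACE_200)):
        print(name, classify_raw(raw))
    # Live use against a host you administer (placeholder host name):
    # print(check_host("example.invalid"))
```

After the admin sets TraceEnable Off and reloads Apache, check_host should report "blocked" for both methods; an "echoed" verdict for TRACE means the directive is not in effect in the server config that serves this virtual host, since TraceEnable is not honoured from .htaccess.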
