在 Apache/2.0.52 上禁用 TRACE 请求方法
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/1114249/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Disabling TRACE request method on Apache/2.0.52
提问by
By default, Apache 2.0.52 will respond to any HTTP TRACE request that it receives. This is a potential security problem because it can allow certain types of XSS attacks. For details, see http://www.apacheweek.com/issues/03-01-24#news
默认情况下,Apache 2.0.52 将响应它收到的任何 HTTP TRACE 请求。这是一个潜在的安全问题,因为它可能允许某些类型的 XSS 攻击。详情见http://www.apacheweek.com/issues/03-01-24#news
I am trying to disable TRACE requests by following the instructions shown in the page linked to above. I added the following lines of code to my http.conf file, and restarted apache:
我正在尝试按照上面链接的页面中显示的说明禁用 TRACE 请求。我将以下代码行添加到我的 http.conf 文件中,并重新启动了 apache:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
However, when I send a TRACE request to my web server, it seems to ignore the rewrite rules and responds as if TRACE requests were still enabled.
但是,当我向 Web 服务器发送 TRACE 请求时,它似乎忽略了重写规则并像仍然启用了 TRACE 请求一样进行响应。
For example:
例如:
[admin2@dedicated ~]$ telnet XXXX.com 80
Trying XXXX...
Connected to XXXX.com (XXXX).
Escape character is '^]'.
TRACE / HTTP/1.0
X-Test: foobar
HTTP/1.1 200 OK
Date: Sat, 11 Jul 2009 17:33:41 GMT
Server: Apache/2.0.52 (Red Hat)
Connection: close
Content-Type: message/http
TRACE / HTTP/1.0
X-Test: foobar
Connection closed by foreign host.
The server should respond with 403 Forbidden. Instead, it echoes back my request with a 200 OK.
服务器应以 403 Forbidden 响应。相反,它以 200 OK 回应我的请求。
As a test, I changed the RewriteCond to %{REQUEST_METHOD} ^GET
作为测试,我将 RewriteCond 更改为 %{REQUEST_METHOD} ^GET
When I do this, Apache correctly responds to all GET requests with 403 Forbidden. But when I change GET back to TRACE, it still lets TRACE requests through.
当我这样做时,Apache 会正确响应所有带有 403 Forbidden 的 GET 请求。但是当我将 GET 改回 TRACE 时,它仍然允许 TRACE 请求通过。
How can I get Apache to stop responding to TRACE requests?
如何让 Apache 停止响应 TRACE 请求?
采纳答案by
I figured out the correct way to do it.
我想出了正确的方法来做到这一点。
I had tried placing the block of rewrite directives in three places: in the <Directory "/var/www/html">part of the httpd.conf file, at the top of my httpd.conf file, and in the /var/www/html/.htaccess file. None of these three methods worked.
我曾尝试将重写指令块放置在三个位置:<Directory "/var/www/html">httpd.conf 文件的一部分、httpd.conf 文件的顶部和 /var/www/html/.htaccess 文件中。这三种方法都没有奏效。
Finally, however, I tried putting the block of code in <VirtualHost *:80>part of my httpd.conf. For some reason, it works when it is placed. there.
然而,最后,我尝试将代码块放在<VirtualHost *:80>我的 httpd.conf 中。出于某种原因,它在放置时起作用。那里。
回答by
Some versions require:
某些版本需要:
TraceEnable Off
跟踪启用关闭
回答by
As you've said, that works in your VirtualHost block. As you didn't show httpd.conf I can't say why your initial attempt didn't work - it's context-sensitive.
正如您所说,这适用于您的 VirtualHost 块。由于您没有显示 httpd.conf,我无法说明为什么您最初的尝试无效 - 它是上下文相关的。
It failed in the because it's not really relevant there, that's generally for access control. If it didn't work in the .htaccess it's likely that apache wasn't looking for it (you can use AllowOverride to enable them).
它失败了,因为它在那里并不真正相关,这通常用于访问控制。如果它在 .htaccess 中不起作用,很可能是 apache 没有在寻找它(您可以使用 AllowOverride 来启用它们)。
