14

I have Apache 2.2.22 on SUSE Linux. I want to disable TRACK & TRACE in Apache and use 1- TraceEnable Off and 2-

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

but neither of the 2 ways works.

halfer
Kobra Ghahremani

8 Answers

34

In Apache2 you can just add TraceEnable Off in httpd.conf (end of file)

TraceEnable Off

To check if Trace is On/Off you can use Curl:

curl -v -X TRACE http://www.yourserver.com
Slipstream
  • 1
    The poster asked how to turn off TRACK and TRACE. Your solution does not turn off TRACK. – cdonner Oct 11 '16 at 19:04
  • 3
    +1 for the suggestion to use curl to diagnose this. At least, 50% of the problem can be addressed this way... – David Ramirez Feb 07 '17 at 23:05
  • Here the solution is applied to the main Apache configuration, not to individual hosts. It would be a good approach if we chose a way to achieve the same in each separate host configuration. – Abhishek Shah Nov 24 '17 at 06:32
  • @AbhishekShah run the command `curl -i -X TRACK example.com` after the line in the conf above is applied and apache restarted, and it will now give a 501 error (should)... Track is theoretically usable by other modules AFAIK, but I don't know of any, so just check with that curl command I gave you to be sure if you like. Also, this answer is best... read about performance using Rewrite rules guys... – om01 May 23 '19 at 23:05
10

You need to put TraceEnable Off in httpd.conf

Angel Cabrera
7

To disable these methods, add the following lines for each virtual host in your configuration file:

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

nessus said)))

HaveNoDisplayName
Paul Frol
  • configuration files! there can be multiple. Most commonly you have to add this to 2 configuration files: /etc/httpd/conf.d/ssl.conf (for each virtual https host) and /etc/httpd/conf.d/vhost.conf (for each virtual http host) I did NOT have to edit httpd.conf. – cdonner Oct 11 '16 at 19:05
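
An added example (not part of the answer or comments above, and not Apache project code): a small Python check of which scopes of a configuration actually carry the rules discussed in this thread. It relies on two documented Apache behaviours: `TraceEnable` set in the main server config applies to virtual hosts unless they override it, while mod_rewrite rules are not inherited by virtual hosts by default. It assumes a single file with no `Include` and no `RewriteOptions Inherit`, recognises only the TRACE|TRACK deny form used in the answers, and its function names and sample config are constructed for illustration.

```python
import re

SAMPLE_CONF = """\
TraceEnable Off
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
<VirtualHost *:80>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
</VirtualHost>
<VirtualHost *:443>
    ServerName secure.example.com
</VirtualHost>
"""  # constructed sample, not from the thread: rules in main and the first vhost only

def split_scopes(conf_text):  # directive lines grouped under "main" or each <VirtualHost>
    scopes, current = {"main": []}, "main"
    for line in map(str.strip, conf_text.splitlines()):
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            current = f"vhost#{len(scopes)} {opened.group(1).strip()}"
            scopes[current] = []
        elif line.lower() == "</virtualhost>":
            current = "main"
        elif line and not line.startswith("#"):
            scopes[current].append(line)
    return scopes

def rewrite_blocks(lines):  # scope's own TRACE|TRACK cond + [F] rule, with the engine on
    for cond, rule in zip(lines, lines[1:]):
        if (re.match(r"RewriteCond\s+%\{REQUEST_METHOD\}\s+(?=.*TRACE)(?=.*TRACK)", cond, re.I)
                and re.match(r"RewriteRule\s+\S+\s+-\s+\[[^\]]*\bF\b", rule, re.I)):
            return any(re.fullmatch(r"RewriteEngine\s+on", l, re.I) for l in lines)
    return False

def trace_off(lines, inherited):  # last TraceEnable in the scope wins, else inherit
    own = [l.split()[1].lower() for l in lines if re.match(r"TraceEnable\s+\S", l, re.I)]
    return own[-1] == "off" if own else inherited

def audit(conf_text):
    # {scope: (trace_disabled, rewrite_rule_present)}; vhosts inherit only TraceEnable.
    scopes = split_scopes(conf_text)
    main_off = trace_off(scopes["main"], False)  # Apache's default is TraceEnable on
    return {n: (trace_off(ls, main_off), rewrite_blocks(ls)) for n, ls in scopes.items()}

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

In the sample, the `*:443` virtual host has TRACE disabled through the inherited `TraceEnable Off` but no rewrite rule of its own, so the TRACE|TRACK rewrite block does not apply there.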
2

For Apache HTTPD 2.4: Require not method TRACE TRACK

see Require Directive

Darren Parker
Jeff
  • `TraceEnable off` also works in [Apache 2.4 per TraceEnable Directive](https://httpd.apache.org/docs/2.4/mod/core.html#traceenable) documentation. – user12345 Jan 09 '19 at 07:46
1

Unless a module is installed which supports TRACK, then TRACK is not supported by default by Apache, hence the only need to have the directive:

TraceEnable Off

However, for a belt-and-suspenders approach, also add:

RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) [NC]
RewriteRule ^.* - [F]

This will disable both TRACE and TRACK.

jeffmcneill
0

View Demo Trace Using SSH Command

TRACE is enabled by default in an apache installation. There are two ways to remediate. The first can be used if you are running Apache 1.3.34, 2.0.55, or anything in the 2.2 release. Simply add the TraceEnable directive into your httpd.conf and set the value to Off.

TraceEnable Off

add this line in httpd.conf

The first thing to do is make sure that mod_rewrite is loaded. If mod_rewrite.so is missing from your apache configuration but you have it installed, (and your install location is /usr/local/apache), then add the following statement to your httpd.conf:

LoadModule  rewrite_module  "/usr/local/apache/modules/mod_rewrite.so"

Then add the following as well to your httpd.conf file:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Test With Curl Command

curl -v -X TRACE http://localhost

Amol
0

I know there's already a few answers here, but I thought I'd chime in and add some additional options.

Slipstream's approach is certainly the simplest approach here, so if you're seeking a quick and easy fix, there's your pot of gold.

TraceEnable directive

As mentioned by a few people here, in Apache2, you can append the TraceEnable directive to the end of your httpd.conf or apache2.conf file:

TraceEnable Off

Rewrite Module

You can also add a rewrite configuration to your VirtualHost to explicitly block TRACK and TRACE requests:

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
</IfModule>

With this configuration, Apache catches all TRACK and TRACE requests, and replies with a 403 Forbidden error. None of the original request's content is echoed back.

Rewrite Module (More Restrictive)

But, what I haven't seen anyone else suggest is explicitly passing the methods you want to allow. This is a slightly tighter fix, and is required for PCI compliance:

<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)
    RewriteRule .* - [F]
</IfModule>

This will reject any request which is using a method not specified in the directive. Again, the original request content is not echoed back, and the server responds with a 403 Forbidden error.

Something to keep in mind for production systems is that RewriteEngine can be processor intensive. This is generally not much of an issue because the increase would be milliseconds (if not microseconds), but something to be mindful of if you have loads of rewrites.

Note: For the above rewrite configurations, you'll need to uncomment the LoadModule or AddModule (depending on your setup) directives in your Apache config for rewrite_module.

Bradley
0

You can also use the mod_allowmethods found in apache 2.3+

<Location "/">
   AllowMethods GET POST OPTIONS
</Location>

https://httpd.apache.org/docs/2.4/mod/mod_allowmethods.html

André Schild