HSeber 0 Posted February 15, 2022 Share Posted February 15, 2022 I have a request from our security team to disable TRACE and/or TRACK method on our running Apache HTTP Proxy (2.4.52.0) by: To disable these methods, add the following lines for each virtual host in your configuration file : RewriteEngine on RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) RewriteRule .* - [F]Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2 support disabling the TRACE method natively via the 'TraceEnable' directive. As easy as it sounds the required module "mod_rewrite.so" is not included in the latest Apache HTTP Proxy package. Further I'm unsure if there will be any functional impact after this has been disabled? We use Apache HTTP Proxy ONLY as a repository for modules updates & ESET repository products (mirror tool) Please advise if it is safe to add the module and add the 3 line to the virtual host in our http.conf. Link to comment Share on other sites More sharing options...
ESET Staff MartinK 384 Posted February 22, 2022 ESET Staff Share Posted February 22, 2022 On 2/15/2022 at 4:54 PM, HSeber said: Please advise if it is safe to add the module and add the 3 line to the virtual host in our http.conf. I am afraid it won't be possible as mentioned module is not present in a distributed packages - as we distribute only minimal set of modules that is required for HTTP caching. Also I am currently not sure how to disable those methods in such configuration, nor I am aware of any possible consequences or impact of current configuration, so I would also recommend to open support ticket so that it is properly analyzed and possibly integrated into future versions, if it will be necessary to minimize impacts. Link to comment Share on other sites More sharing options...
Recommended Posts