topic Re: Apache + SSL + Tomcat: Deny HTTP TRACE requests in Operating System - HP-UX

Apache + SSL + Tomcat: Deny HTTP TRACE requests

Marlon_8 — Fri, 22 Oct 2004 05:35:21 GMT

Hi!

I have configured an Apache + SSL + Tomcat system. Applying the countermeasures suggested from the web regarding how to disable HTTP Trace requests, I have successfully done so and tested against sites served by Apache. When Trace requests are received for sites managed by Apache, they are denied, error code 403.

The problem is for sites served by Tomcat, the TRACE request is not being denied. The request is handled and response is generated, HTTP headers are looped back to the client. The intent is to block TRACE requests and return error "403 Forbidden" even for sites handled by Tomcat.

Has anyone found a way to block/disable/deny TRACE requests from Tomcat?

Thanks for any help or lead you can share with me!

Re: Apache + SSL + Tomcat: Deny HTTP TRACE requests

Marlon_8 — Mon, 25 Oct 2004 22:30:09 GMT

Hello again!

Some additional info:
The behavior mentioned above does not occur when Apache is started using "apachectl start". It only happens during "apachectl startssl".

Both httpd.conf and ssl.conf contain the Rewrite rules for rejecting Trace:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .8 - [F]

Examples:
When Apache started without SSL
http://server -> Trace denied
http://server/webapp -> Denied

When Apache is started with SSL
http://server -> Denied
https://server -> Denied
http://server/webapp -> Allowed
https://server/webapp -> Allowed

I am using the following JavaScript to test whether if Trace is rejected or not:
function sendTrace()
{
var xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
xmlHttp.open("TRACE", "https://crane/manager",false);
xmlHttp.send();
xmlDoc=xmlHttp.responseText;
alert(xmlDoc);
}

ENVIRONMENT:
HP-UX 11i
Apache 2.0.52
Tomcat 4.1.29_04
mod_jk2 2.0.3-dev or mod_jk 1.2.3-dev

Thanks in advance for any assistance!

Re: Apache + SSL + Tomcat: Deny HTTP TRACE requests

Steven E. Protter — Mon, 25 Oct 2004 23:58:11 GMT

Same actual response from Tomcat, different text message.

Do you see anything in the the access_log that indicates the Trace was successful?

I think you have things locked down in this area.

SEP

Re: Apache + SSL + Tomcat: Deny HTTP TRACE requests

Marlon_8 — Tue, 26 Oct 2004 20:48:58 GMT

Here are the access_log contents:

Using "apachectl start", TRACE enabled -> request is accepted
HOST IP - - [27/Oct/2004:10:33:40 -0700] "TRACE / HTTP/1.1" 200 340
HOST IP - - [27/Oct/2004:10:34:05 -0700] "TRACE /webapp HTTP/1.1" 200 344

Using "apachectl start", TRACE disabled -> request is denied
HOST IP - - [27/Oct/2004:10:34:34 -0700] "TRACE /webapp HTTP/1.1" 403 330

Using "apachectl startssl", TRACE disabled -> request is ACCEPTED!?
HOST IP - - [27/Oct/2004:10:35:27 -0700] "TRACE /webapp HTTP/1.1" 200 344

The same configuration works in our Linux box, running RedHat 9. Its only in the HP-UX 11i machine that its not.