
Apache + SSL + Tomcat: Deny HTTP TRACE requests

Marlon_8
New Member

Hi!

I have configured an Apache + SSL + Tomcat system. Applying the countermeasures suggested on the web regarding how to disable HTTP Trace requests, I have successfully done so and tested against sites served by Apache. When Trace requests are received for sites managed by Apache, they are denied with error code 403.

The problem is for sites served by Tomcat: the TRACE request is not being denied. The request is handled, a response is generated, and the HTTP headers are looped back to the client. The intent is to block TRACE requests and return error "403 Forbidden" even for sites handled by Tomcat.

Has anyone found a way to block/disable/deny TRACE requests from Tomcat?

Thanks for any help or lead you can share with me!

3 REPLIES
Marlon_8
New Member

Re: Apache + SSL + Tomcat: Deny HTTP TRACE requests

Hello again!

Some additional info:
The behavior mentioned above does not occur when Apache is started using "apachectl start". It only happens during "apachectl startssl".

Both httpd.conf and ssl.conf contain the Rewrite rules for rejecting Trace:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

Examples:
When Apache started without SSL
http://server -> Trace denied
http://server/webapp -> Denied

When Apache is started with SSL
http://server -> Denied
https://server -> Denied
http://server/webapp -> Allowed
https://server/webapp -> Allowed

I am using the following JavaScript to test whether Trace is rejected or not:
function sendTrace()
{
    // Internet Explorer only: ActiveX XMLHTTP is the one XHR implementation
    // that will issue a TRACE; current browsers refuse TRACE from XMLHttpRequest.
    var xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
    // Synchronous request so responseText is available right after send()
    xmlHttp.open("TRACE", "https://crane/manager", false);
    xmlHttp.send();
    // A server that reflects TRACE echoes the request headers back in the body
    var xmlDoc = xmlHttp.responseText;
    alert(xmlDoc);
}

ENVIRONMENT:
HP-UX 11i
Apache 2.0.52
Tomcat 4.1.29_04
mod_jk2 2.0.3-dev or mod_jk 1.2.3-dev

Thanks in advance for any assistance!
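The browser test above depends on Internet Explorer's ActiveX object, and modern browsers refuse to send TRACE from XMLHttpRequest at all, so a check run outside the browser is more dependable. The script below is an added example, not code from the thread: it sends one TRACE request per scheme and path with a marker header, then classifies the reply as "denied" (403/405/501), "reflected" (200 with our marker echoed in the body, the Tomcat behaviour described above) or "other". The host name, the marker header and the path list are assumptions chosen for illustration.

```python
"""Probe whether a server reflects HTTP TRACE requests (added example).

classify_trace_response() does the judgement on a status code and body;
probe_trace() wraps it around a real request using only the standard
library, so it can be run from the same box that runs Apache.
"""
import http.client
import ssl
import sys

# Marker header so we can prove the body is our own request echoed back.
MARKER_HEADER = "X-Trace-Probe"      # assumed name, any unusual header works
MARKER_VALUE = "probe-12345"         # constructed value


def classify_trace_response(status, body):
    """Return 'denied', 'reflected' or 'other' for one TRACE reply."""
    if status in (403, 405, 501):
        return "denied"
    echoed = f"{MARKER_HEADER}: {MARKER_VALUE}".lower()
    if status == 200 and echoed in body.lower():
        return "reflected"
    return "other"


def probe_trace(host, path="/", use_tls=False, port=None, timeout=5):
    """Send a single TRACE to host/path and return (status, classification)."""
    if use_tls:
        ctx = ssl.create_default_context()   # certificate verification stays on
        conn = http.client.HTTPSConnection(host, port or 443,
                                           timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(host, port or 80, timeout=timeout)
    try:
        conn.request("TRACE", path, headers={MARKER_HEADER: MARKER_VALUE})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", errors="replace")
        return resp.status, classify_trace_response(resp.status, body)
    finally:
        conn.close()


if __name__ == "__main__":
    # Usage: python trace_probe.py server   (default host is an assumption)
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    for scheme, tls in (("http", False), ("https", True)):
        for path in ("/", "/webapp"):          # paths taken from the thread
            try:
                status, verdict = probe_trace(host, path, use_tls=tls)
                print(f"{scheme}://{host}{path}: {status} -> {verdict}")
            except OSError as exc:
                print(f"{scheme}://{host}{path}: error {exc}")
```

Run it once with Apache started plain and once with SSL; a "reflected" verdict on a path that is JkMount'ed to Tomcat reproduces the problem in the post. On Apache 2.0.55 and later the `TraceEnable off` directive blocks the method before any handler runs, but the 2.0.52 build named in the environment list predates it, which is why the mod_rewrite rule is the option available there.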
Steven E. Protter
Exalted Contributor

Re: Apache + SSL + Tomcat: Deny HTTP TRACE requests

Same actual response from Tomcat, different text message.

Do you see anything in the access_log that indicates the Trace was successful?

I think you have things locked down in this area.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Marlon_8
New Member

Re: Apache + SSL + Tomcat: Deny HTTP TRACE requests

Here are the access_log contents:

Using "apachectl start", TRACE enabled -> request is accepted
HOST IP - - [27/Oct/2004:10:33:40 -0700] "TRACE / HTTP/1.1" 200 340
HOST IP - - [27/Oct/2004:10:34:05 -0700] "TRACE /webapp HTTP/1.1" 200 344

Using "apachectl start", TRACE disabled -> request is denied
HOST IP - - [27/Oct/2004:10:34:34 -0700] "TRACE /webapp HTTP/1.1" 403 330

Using "apachectl startssl", TRACE disabled -> request is ACCEPTED!?
HOST IP - - [27/Oct/2004:10:35:27 -0700] "TRACE /webapp HTTP/1.1" 200 344

The same configuration works in our Linux box, running RedHat 9. It's only on the HP-UX 11i machine that it's not.
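Steven's suggestion of checking the access_log is the quickest way to tell which virtual host or path is still serving TRACE. The script below is an added example, not part of the thread: it parses common-log-format lines like the excerpt above and lists every TRACE that was answered with a 2xx rather than a 403, plus a per-path tally so a path that leaks only under SSL stands out. The client address in the sample is constructed; the thread redacted it.

```python
"""Find TRACE requests that Apache or Tomcat actually served (added example).

Feed it an access_log (common or combined format); anything that parses
as a TRACE with a 2xx status is reported as a leak.
"""
import re
import sys

# Common log format: host ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample modelled on the access_log excerpt in the thread;
# the 10.0.0.5 address stands in for the redacted "HOST IP".
SAMPLE_LOG = """\
10.0.0.5 - - [27/Oct/2004:10:33:40 -0700] "TRACE / HTTP/1.1" 200 340
10.0.0.5 - - [27/Oct/2004:10:34:05 -0700] "TRACE /webapp HTTP/1.1" 200 344
10.0.0.5 - - [27/Oct/2004:10:34:34 -0700] "TRACE /webapp HTTP/1.1" 403 330
10.0.0.5 - - [27/Oct/2004:10:35:27 -0700] "TRACE /webapp HTTP/1.1" 200 344
10.0.0.5 - - [27/Oct/2004:10:36:00 -0700] "GET /webapp HTTP/1.1" 200 1200
this line is deliberately unparseable and must be skipped
"""


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def served_trace_requests(lines):
    """Return (time, path, status) for every TRACE answered with a 2xx."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "TRACE":
            continue
        if rec["status"].startswith("2"):
            hits.append((rec["time"], rec["path"], int(rec["status"])))
    return hits


def summarize_by_path(lines):
    """Count served (2xx) and denied (403) TRACE requests per path."""
    tally = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "TRACE":
            continue
        bucket = tally.setdefault(rec["path"], {"served": 0, "denied": 0})
        if rec["status"].startswith("2"):
            bucket["served"] += 1
        elif rec["status"] == "403":
            bucket["denied"] += 1
    return tally


if __name__ == "__main__":
    # Usage: python trace_log_check.py /path/to/access_log  (else the sample runs)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="latin-1") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    for when, path, status in served_trace_requests(lines):
        print(f"LEAK  {when}  TRACE {path} -> {status}")
    for path, counts in sorted(summarize_by_path(lines).items()):
        print(f"{path}: served={counts['served']} denied={counts['denied']}")
```

Because mod_jk hands matched paths to Tomcat, a tally that shows `/` denied but `/webapp` served only while the SSL virtual host is active points at the rewrite rule not being reached for the JkMount'ed path in that host, which is the configuration spot to compare between ssl.conf and httpd.conf.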