

Troubleshooting
Product: ConnectXf
Version: All
Applies to: Administrators
Level: Advanced



HTTP TRACE & TRACK methods are enabled on the web server

On each front end server, make the following changes:

1. Back up the following files to /root/mithiwork/httpconfbak:

/etc/httpd/conf/httpd.conf

/mithi/mcs/modules/mithi-system/conf/server/mithi-system.httpd.conf.sh

/etc/httpd/conf.d/mithi-mailclient.httpd.conf

/etc/httpd/conf.d/mithi-wc-webcal.httpd.conf


2. Disable the TRACE method on port 80

CASE 1: HTTP to HTTPS forced redirection is NOT used. In every virtual host in all of the files above, change the rewrite conditions and rules so that they look as follows (the redirect lines stay commented out; the last two lines return 403 Forbidden for any TRACE or TRACK request):

        RewriteEngine On
        #RewriteCond %{HTTPS} !=on
        #RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R]
        RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
        RewriteRule .* - [F]

CASE 2: HTTP to HTTPS forced redirection is used. In every virtual host in all of the files above, change the rewrite conditions and rules so that they look as follows (the redirect lines stay active and the TRACE/TRACK block is added after them):

        RewriteEngine On
        RewriteCond %{HTTPS} !=on
        RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R]
        RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
        RewriteRule .* - [F]


3. Disable the TRACE method on port 443

Add the following lines to each virtual host in /etc/httpd/conf.d/ssl.conf:

        RewriteEngine On
        RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
        RewriteRule .* - [F]

4. Check that the configuration syntax is correct:

/usr/sbin/httpd -t

The last line of the output should be 'Syntax OK'.

5. Restart the httpd service.

6. Check that the TRACE method is disabled on port 80:

telnet <ServerIP> 80

It will print:

Trying 127.0.0.1...

Connected to localhost.

Escape character is '^]'.


Then type the following exactly as shown (it is case sensitive) and press Enter twice:

TRACE / HTTP/1.0

The first line of the response should be:

HTTP/1.1 403 Forbidden

7. Check that the TRACE method is disabled on port 443:

openssl s_client -connect <ServerIP>:443

It will print a lot of TLS handshake and certificate data.

Then type the following exactly as shown (it is case sensitive) and press Enter twice:

TRACE / HTTP/1.0

The first line of the response should be:

HTTP/1.1 403 Forbidden
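The manual checks in steps 6 and 7 can be repeated from a script. The following is an added example, not part of this page or of ConnectXf: it sends the same "TRACE / HTTP/1.0" request over plain TCP to port 80 and over TLS to port 443 and classifies the status line it gets back. It assumes Python 3.8 or later, that the ports are 80 and 443 as configured above, and that the server name or IP is passed to check_server; the function names are the example's own.

```python
import socket
import ssl

# The manual test's request, plus a Host header so a named virtual host can be checked.
TRACE_REQUEST = b"TRACE / HTTP/1.0\r\nHost: %s\r\n\r\n"

def parse_status(raw):
    """(version, code) from the first line of a raw HTTP reply, or None if it is not a status line."""
    first = raw.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = first.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return None
    return parts[0], int(parts[1])

def trace_verdict(raw):
    """blocked: 403 (the [F] rewrite rule), 405 (Apache TraceEnable off) or 501.
    redirected: 3xx, so the https virtual host must be checked separately (step 7).
    enabled: 200, the server echoed the request back, which is the finding to fix.
    unknown: anything else, including a reply with no HTTP status line at all."""
    status = parse_status(raw)
    if status is None:
        return "unknown"
    code = status[1]
    if code in (403, 405, 501):
        return "blocked"
    if 300 <= code < 400:
        return "redirected"
    return "enabled" if code == 200 else "unknown"

def send_trace(host, port, use_tls, timeout=5.0):
    """Send one TRACE request to host:port, over TLS if asked, and return the raw reply."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False       # the method is under test here, not the certificate
        ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(TRACE_REQUEST % host.encode("ascii"))
        chunks = []
        while data := sock.recv(4096):   # HTTP/1.0: the server closes the connection after replying
            chunks.append(data)
    return b"".join(chunks)

def check_server(host):
    """Verdicts for port 80 and 443 of one front end server, e.g. {80: 'blocked', 443: 'blocked'}."""
    return {80: trace_verdict(send_trace(host, 80, False)),
            443: trace_verdict(send_trace(host, 443, True))}
```

Run check_server against every front end server after the restart in step 5; anything other than 'blocked' on both ports means one of the virtual hosts was missed.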