Trying to turn off HTTP TRACE Method

WebzPro

Active Member
Jul 21, 2004
34
1
158
Been trying to turn off HTTP TRACE Method.

mod_rewrite is in place and this has been added to the HTTP.conf.

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
</IfModule>

We are still getting a return like this though.

login as: root
[email protected]'s password:
Last login: Thu Jun 29 17:09:12 2006 from c.hsd1.il.comcast.net
[email protected] [~]# echo -e 'TRACE / HTTP/1.0n' | nc xx.xx.xxx 80
HTTP/1.1 400 Bad Request
Date: Thu, 29 Jun 2006 22:21:41 GMT
Server: Apache/1.3.36 (Unix) mod_fastcgi/2.4.2 PHP/4.4.2 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.27 OpenSSL/0.9.8a
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>400 Bad Request</TITLE>
</HEAD><BODY>
<H1>Bad Request</H1>
Your browser sent a request that this server could not understand.<P>
The request line contained invalid characters following the protocol string.<P>
<P>
<HR>
<ADDRESS>Apache/1.3.36 Server at xxx.xx.xxx Port 80</ADDRESS>
</BODY></HTML>


We are getting a 400 error message, but it is still return a lot of information. Does this look right? Any advice appreciated.
 

cPanelJamyn

Social Engineer
Staff member
Jan 29, 2009
105
2
143
I know this is an old thread, but it never received an answer so I'll post one here. There's a couple possible causes here. The most common I've seen is that 'localhost' doesn't resolve on your server, so Apache doesn't know how to service the request (should it go to a vhost? Should it go to the default location? etc). Since it can't figure out where 'localhost' is, Apache spits out a "400 Bad Request" error.

This usually means the /etc/named.conf doesn't have a localhost zone in it. Typing 'host localhost' should also fail, for example. Rebuilding the config file will typically resolve this.

# mv /etc/named.conf /etc/named.conf.20090917
# /scripts/rebuildnamedconf
# /etc/init.d/named restart

Another possible cause is a damaged template. Move your customized templates out of the way and rebuild the apache config to ensure this is not the case. Thanks!
 

DomineauX

Well-Known Member
PartnerNOC
Apr 12, 2003
429
11
168
Houston, TX
cPanel Access Level
Root Administrator
I know this is an old thread, but it never received an answer so I'll post one here.

Me too:

In WHM:
Main >> Service Configuration >> Apache Configuration
Set "TraceEnable" to "Off (PCI Recommended)"
-------------
This directive sets the behavior of TRACE requests for both the core server and mod_proxy.
-------------
 

jols

Well-Known Member
Mar 13, 2004
1,110
3
168
So then, what happens when you switch off TRACE? Do you loose mod_proxy?
 

DomineauX

Well-Known Member
PartnerNOC
Apr 12, 2003
429
11
168
Houston, TX
cPanel Access Level
Root Administrator
So then, what happens when you switch off TRACE? Do you loose mod_proxy?
According to core - Apache HTTP Server :

This directive overrides the behavior of TRACE for both the core server and mod_proxy. The default TraceEnable on permits TRACE requests per RFC 2616, which disallows any request body to accompany the request. TraceEnable off causes the core server and mod_proxy to return a 405 (Method not allowed) error to the client.
So it doesn't disable mod_proxy at all, just denies attempts using the TRACE method.
 

cPanelJamyn

Social Engineer
Staff member
Jan 29, 2009
105
2
143
According to core - Apache HTTP Server :
So it doesn't disable mod_proxy at all, just denies attempts using the TRACE method.
Right. TRACE really has no use except on a debugging (IE: internal development) webserver. For live servers, it's safe to disable.