The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Trying to turn off HTTP TRACE Method

Discussion in 'General Discussion' started by WebzPro, Jun 29, 2006.

  1. WebzPro

    WebzPro Active Member

    Joined:
    Jul 21, 2004
    Messages:
    31
    Likes Received:
    0
    Trophy Points:
    6
    Been trying to turn off HTTP TRACE Method.

    mod_rewrite is in place and this has been added to the HTTP.conf.

    <IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]
    </IfModule>

    We are still getting a return like this though.

    login as: root
    root@xx.xx.xxx's password:
    Last login: Thu Jun 29 17:09:12 2006 from c.hsd1.il.comcast.net
    root@elladan [~]# echo -e 'TRACE / HTTP/1.0n' | nc xx.xx.xxx 80
    HTTP/1.1 400 Bad Request
    Date: Thu, 29 Jun 2006 22:21:41 GMT
    Server: Apache/1.3.36 (Unix) mod_fastcgi/2.4.2 PHP/4.4.2 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.27 OpenSSL/0.9.8a
    Connection: close
    Content-Type: text/html; charset=iso-8859-1

    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <HTML><HEAD>
    <TITLE>400 Bad Request</TITLE>
    </HEAD><BODY>
    <H1>Bad Request</H1>
    Your browser sent a request that this server could not understand.<P>
    The request line contained invalid characters following the protocol string.<P>
    <P>
    <HR>
    <ADDRESS>Apache/1.3.36 Server at xxx.xx.xxx Port 80</ADDRESS>
    </BODY></HTML>


    We are getting a 400 error message, but it is still return a lot of information. Does this look right? Any advice appreciated.
     
  2. WebzPro

    WebzPro Active Member

    Joined:
    Jul 21, 2004
    Messages:
    31
    Likes Received:
    0
    Trophy Points:
    6
    Anybody? Any thought?
     
  3. cPanelJamyn

    cPanelJamyn Social Engineer
    Staff Member

    Joined:
    Jan 29, 2009
    Messages:
    105
    Likes Received:
    2
    Trophy Points:
    0
    I know this is an old thread, but it never received an answer so I'll post one here. There's a couple possible causes here. The most common I've seen is that 'localhost' doesn't resolve on your server, so Apache doesn't know how to service the request (should it go to a vhost? Should it go to the default location? etc). Since it can't figure out where 'localhost' is, Apache spits out a "400 Bad Request" error.

    This usually means the /etc/named.conf doesn't have a localhost zone in it. Typing 'host localhost' should also fail, for example. Rebuilding the config file will typically resolve this.

    # mv /etc/named.conf /etc/named.conf.20090917
    # /scripts/rebuildnamedconf
    # /etc/init.d/named restart

    Another possible cause is a damaged template. Move your customized templates out of the way and rebuild the apache config to ensure this is not the case. Thanks!
     
  4. DomineauX

    DomineauX Well-Known Member
    PartnerNOC

    Joined:
    Apr 12, 2003
    Messages:
    414
    Likes Received:
    4
    Trophy Points:
    18
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator

    Me too:

    In WHM:
    Main >> Service Configuration >> Apache Configuration
    Set "TraceEnable" to "Off (PCI Recommended)"
    -------------
    This directive sets the behavior of TRACE requests for both the core server and mod_proxy.
    -------------
     
  5. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    So then, what happens when you switch off TRACE? Do you loose mod_proxy?
     
  6. DomineauX

    DomineauX Well-Known Member
    PartnerNOC

    Joined:
    Apr 12, 2003
    Messages:
    414
    Likes Received:
    4
    Trophy Points:
    18
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    According to core - Apache HTTP Server :

    So it doesn't disable mod_proxy at all, just denies attempts using the TRACE method.
     
  7. cPanelJamyn

    cPanelJamyn Social Engineer
    Staff Member

    Joined:
    Jan 29, 2009
    Messages:
    105
    Likes Received:
    2
    Trophy Points:
    0
    Right. TRACE really has no use except on a debugging (IE: internal development) webserver. For live servers, it's safe to disable.
     
Loading...

Share This Page