如何通过htaccess拒绝跟踪请求?

时间:2014-01-14 09:59:07

标签: regex .htaccess http-method

我想通过htaccess禁用跟踪和跟踪方法。

我的htaccess中有以下代码段:

RewriteCond %{REQUEST_METHOD} ^TRAC[EK]
RewriteRule .* - [L,R=405]

我得到以下答案

url -v -X TRACK obscuredurl* Adding handle: conn: 0x7f8c43004400
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7f8c43004400) send_pipe: 1, recv_pipe: 0
* About to connect() to obscuredurl port 80 (#0)
*   Trying xx.xx.xxx.xx...
* Connected to obscuredurl (xx.xx.xxx.xx) port 80 (#0)
> TRACK / HTTP/1.1
> User-Agent: curl/7.30.0
> Host: obscuredurl
> Accept: */*
>
< HTTP/1.1 405 Method Not Allowed
< Date: Tue, 14 Jan 2014 09:53:45 GMT
* Server Apache is not blacklisted
< Server: Apache
< Allow: TRACE
< Content-Length: 296
< Connection: close
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>405 Method Not Allowed</title>
</head><body>
<h1>Method Not Allowed</h1>
<p>The requested method TRACK is not allowed for the URL /.</p>
<hr>
<address>Apache Server at obscuredurl Port 80</address>
</body></html>
* Closing connection 0

curl -v -X TRACE obscuredurl
* Adding handle: conn: 0x7ff339004400
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7ff339004400) send_pipe: 1, recv_pipe: 0
* About to connect() to obscuredurl port 80 (#0)
*   Trying xx.xx.xxx.xx...
* Connected to obscuredurl (xx.xx.xxx.xx) port 80 (#0)
> TRACE / HTTP/1.1
> User-Agent: curl/7.30.0
> Host: obscuredurl
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Tue, 14 Jan 2014 09:55:15 GMT
* Server Apache is not blacklisted
< Server: Apache
< Connection: close
< Transfer-Encoding: chunked
< Content-Type: message/http
<
TRACE / HTTP/1.1
User-Agent: curl/7.30.0
Host: obscuredurl
Accept: */*

* Closing connection 0

所以它似乎适用于TRACK但不适用于跟踪。两个独立的条件也可以。

我该如何调试?

由于

1 个答案:

答案 0 :(得分:1)

区别在于Apache处理TRACETRACK请求方法。正如您所注意到TRACK请求由Apache中的mod_rewrite规则正确处理,但TRACE由Apache在更高级别处理,甚至在读取.htacess之前您可以通过在.htaccess中添加一些垃圾文本然后调用TRACE请求以获得正确的响应而不是预期的500 (Internal Server Error)来验证。

您可能需要请求您的服务器管理员在Apache服务器配置中添加它:

TraceEnable Off 

关闭TRACE