How to disable Apache HTTP TRACE (Legacy KB ID CNC TS13622 )

Document ID : KB000052120
Last Modified Date : 14/02/2018

The following steps must be performed as a user with administrator privileges if running a Windows OS.


***If the OS is UNIX, these steps must be done as the root user.***



1. cd to $NH_HOME/web/httpd (eHealth 6.0 SP1 and earlier) or $NH_HOME/web/httpd/conf (eHealth 6.0 SP2 and higher).

2. Create an httpd.tpl file in that directory, or add the directives below to an existing httpd.tpl file.

     *** WARNING - the directives in the httpd.tpl file must be exactly as specified below, and the httpd.tpl file must end with an empty line (the last line of the file must be blank). ***

Add the following directives to httpd.tpl. They rely on mod_rewrite, which must be loaded in the web server; the [F] flag makes Apache answer any TRACE request with 403 Forbidden:

     # Custom Protect Section
     RewriteEngine on
     RewriteCond %{REQUEST_METHOD} ^TRACE
     RewriteRule .* - [F]
     # End Custom Protect Section


3. Recreate the httpd.conf file and signal the web server to reread the new httpd.conf. This can be done in one of the following two ways:

(A) Add or modify the permissions of a web user from the web admin UI. This recreates the httpd.conf file and signals the web server to reread it.
(B) Manually rebuild the httpd.conf by following the steps shown in Technical Solution TS9403 - How to regenerate the httpd.conf file.


To confirm that HTTP TRACE is forbidden, telnet to the eHealth server on the web server port and enter the TRACE request shown below. Press Return twice after the last header: the empty line is what ends the request and makes the server answer. The web server should respond with a 403 Forbidden error. For example:



> telnet <hostname> portNumber
TRACE / HTTP/1.1
Host: hostname
X_Header: test
<return>
<return>


A response similar to the following should be received:



...
<TITLE> 403 </TITLE>
..
<H1> Forbidden </H1>
You don't have permission to access / on this server ..


Actual test:



 telnet rutland 80
Trying 10.150.6.57...
Connected to rutland.concord.com.
Escape character is '^]'.
TRACE / HTTP/1.1
Host: hostname
X_Header: test


HTTP/1.1 403 Forbidden
Date: Thu, 06 Jan 2005 17:13:38 GMT
Server: Apache/1.3.27 (Unix)
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1


106
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>403 Forbidden</TITLE>
</HEAD><BODY>
<H1>Forbidden</H1>
You don't have permission to access /
on this server.<P>
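The manual telnet check above can be scripted so it runs against every eHealth server after the httpd.conf is regenerated. The following is an added example, not code from the KB article, eHealth or Apache: it builds the same raw TRACE request the article types into telnet (with the CRLF line endings and trailing blank line that telnet supplies when you press Return twice) and classifies the reply. A 403 from the mod_rewrite rule, or a 405 from Apache's later TraceEnable Off directive, counts as blocked; a 2xx reply that echoes the request back (Content-Type: message/http, or the X_Header marker reflected in the body) means TRACE is still enabled. The host names, port and the sample replies embedded for offline use are constructed for illustration; the 403 sample is modelled on the transcript above.

```python
"""Script the article's TRACE check.

Added example for this KB entry; it is not eHealth or Apache code. It sends
the same raw request the article types into telnet and classifies the reply.
Host names, ports and the sample replies below are constructed for
illustration only.
"""
import socket
import sys

CRLF = b"\r\n"


def build_trace_request(host, path="/", marker="test"):
    """Return the TRACE request from the article as raw bytes.

    HTTP requires CRLF line endings and a blank line to end the headers
    (the two <return> presses in the article).  X_Header carries a marker
    that a TRACE-enabled server will echo back in the response body.
    """
    lines = [
        "TRACE %s HTTP/1.1" % path,
        "Host: %s" % host,
        "X_Header: %s" % marker,
        "Connection: close",
        "",
        "",
    ]
    return CRLF.join(line.encode("ascii") for line in lines)


def classify_trace_response(raw, marker="test"):
    """Classify a raw HTTP reply to a TRACE request.

    'blocked' - 403 Forbidden (the mod_rewrite [F] rule) or 405 Method Not
                Allowed (Apache's TraceEnable Off, 1.3.34 / 2.0.55 and later)
    'enabled' - 2xx reply that echoes the request back (TRACE still works)
    'unknown' - anything else, e.g. a malformed reply
    """
    head, _, body = raw.partition(CRLF + CRLF)
    header_lines = head.split(CRLF)
    parts = header_lines[0].split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return "unknown"
    status = int(parts[1])
    headers = {}
    for line in header_lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if status in (403, 405):
        return "blocked"
    if 200 <= status < 300:
        # A real TRACE reply is Content-Type: message/http and reflects the
        # request headers, so our marker shows up in the body.
        reflects = headers.get(b"content-type", b"").startswith(b"message/http")
        if reflects or marker.encode("ascii") in body:
            return "enabled"
    return "unknown"


def probe(host, port=80, timeout=5.0):
    """Connect to host:port, send the TRACE request and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_trace_request(host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify_trace_response(b"".join(chunks))


# Constructed sample replies for offline use.  The first is modelled on the
# 403 in the article's transcript; the others show what an unprotected server
# and a TraceEnable Off server return.
FORBIDDEN_403 = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Date: Thu, 06 Jan 2005 17:13:38 GMT\r\n"
    b"Server: Apache/1.3.27 (Unix)\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<HTML><HEAD><TITLE>403 Forbidden</TITLE></HEAD><BODY>"
    b"<H1>Forbidden</H1>You don't have permission to access / on this server."
    b"</BODY></HTML>\r\n"
)
TRACE_ENABLED_200 = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/1.3.27 (Unix)\r\n"
    b"Content-Type: message/http\r\n"
    b"\r\n"
    b"TRACE / HTTP/1.1\r\nHost: rutland\r\nX_Header: test\r\n\r\n"
)
METHOD_NOT_ALLOWED_405 = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Allow: GET,HEAD,POST,OPTIONS\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<HTML><BODY><H1>Method Not Allowed</H1></BODY></HTML>\r\n"
)


if __name__ == "__main__":
    # Usage: python trace_check.py <hostname> [port]
    if len(sys.argv) < 2:
        sys.exit("usage: trace_check.py <hostname> [port]")
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    print(target, target_port, probe(target, target_port))
```

Run it as `python trace_check.py <hostname> <port>` against the eHealth web server port; "blocked" confirms the rule is active. The classifier looks at the body as well as the status line because a server that merely serves an error page with a 200 status would otherwise be misreported, and because the reflected marker is the clearest sign that TRACE is echoing request headers (which is exactly what disabling it is meant to stop).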

Related Issues/Questions:
How to disable Apache HTTP TRACE
Apache Security violation: TRACE
How to disable HTTP TRACE
Can HTTP TRACE be disabled

Problem Environment:

eHealth
Apache

Additional Information:
The HTTP TRACE request method is mainly used for debugging and connection analysis. A web server that supports TRACE responds by echoing the request it received, including its headers, back to the client.
Apache supports TRACE by default, but many customers choose to disable it for security purposes: because the response reflects the request headers, TRACE can be abused to expose values such as cookies and authentication headers (the cross-site tracing problem). Apache 1.3.34, 2.0.55 and later also provide the TraceEnable directive; TraceEnable Off rejects TRACE with 405 Method Not Allowed instead of the 403 produced by the mod_rewrite rule above. The Apache 1.3.27 build shown in the test above predates that directive, which is why this article uses mod_rewrite.

Starting in eHealth 6.0 Service Pack 2, the directory structure and location of the eHealth web configuration files changed:

   In eHealth 6.0 SP01 and earlier it is $NH_HOME/web/httpd/httpd.conf

   In eHealth 6.0 SP02 and later it is $NH_HOME/web/httpd/conf/httpd.conf


