Add one line to httpd.conf:
TraceEnable off
Then restart Apache httpd.
If TRACE is enabled, the response looks like this;
the server replies 200 OK:
$ telnet localhost 80
Trying ::1...
Connected to localhost.
Escape character is '^]'.
TRACE / HTTP/1.0
HTTP/1.1 200 OK
Date: Thu, 29 Aug 2024 03:59:33 GMT
Server: Apache
Connection: close
Content-Type: message/http
TRACE / HTTP/1.0
Connection closed by foreign host.
Testing with telnet: when TRACE is disabled,
the server replies 405 Method Not Allowed:
$ telnet localhost 80
Trying ::1...
Connected to localhost.
Escape character is '^]'.
TRACE / HTTP/1.0
HTTP/1.1 405 Method Not Allowed
Date: Thu, 29 Aug 2024 03:55:46 GMT
Server: Apache
Allow:
Content-Length: 222
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>405 Method Not Allowed</title>
</head><body>
<h1>Method Not Allowed</h1>
<p>The requested method TRACE is not allowed for this URL.</p>
</body></html>
Connection closed by foreign host.
If TRACE is enabled, the response looks like this;
the server replies HTTP/1.1 200 OK:
curl -v -X TRACE http://localhost
* Rebuilt URL to: http://localhost/
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 80 (#0)
> TRACE / HTTP/1.1
> Host: localhost
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Thu, 29 Aug 2024 04:11:46 GMT
< Server: Apache
< Transfer-Encoding: chunked
< Content-Type: message/http
<
TRACE / HTTP/1.1
Host: localhost
User-Agent: curl/7.61.1
Accept: */*
* Connection #0 to host localhost left intact
Testing with curl: if TRACE is disabled, the response looks like this;
the server replies HTTP/1.1 405 Method Not Allowed:
# curl -v -X TRACE http://localhost
* Rebuilt URL to: http://localhost/
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 80 (#0)
> TRACE / HTTP/1.1
> Host: localhost
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 405 Method Not Allowed
< Date: Thu, 29 Aug 2024 04:10:34 GMT
< Server: Apache
< Allow:
< Content-Length: 222
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>405 Method Not Allowed</title>
</head><body>
<h1>Method Not Allowed</h1>
<p>The requested method TRACE is not allowed for this URL.</p>
</body></html>
* Connection #0 to host localhost left intact
Add the following to the .conf file:
server {
    ::
    ::
    # Accept only GET/POST/HEAD
    if ($request_method !~ ^(GET|POST|HEAD)$ ) {
        return 405;
    }
    # Or disable TRACE alone:
    if ($request_method = TRACE) {
        return 405;
    }
    ::
    ::
}
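The manual telnet and curl checks above can be scripted for servers you administer. The following Python is an added example, not part of the original page: it sends a TRACE request carrying a random marker header and reports TRACE as enabled only when a 200 reply is message/http or echoes the marker back. The header name X-Trace-Check, the function names and the sample responses are assumptions made for this example.

```python
import socket
import uuid

def build_trace_request(host, marker):
    # X-Trace-Check is a made-up header name; its random value identifies the echo.
    return (f"TRACE / HTTP/1.1\r\nHost: {host}\r\n"
            f"X-Trace-Check: {marker}\r\nConnection: close\r\n\r\n").encode("ascii")

def classify_trace_response(raw, marker):
    """Return 'enabled', 'disabled' or 'inconclusive' for one raw HTTP response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(None, 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return "inconclusive"
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip().lower()
    # An enabled TRACE echoes the request back as message/http.
    echoed = marker.encode("ascii") in body
    if status == 200 and (echoed or headers.get("content-type", "").startswith("message/http")):
        return "enabled"
    # 405 is what the configurations on this page return; 501 is another common refusal.
    if status in (405, 501):
        return "disabled"
    return "inconclusive"

def probe(host, port=80, timeout=5.0):
    """Send one TRACE request to a server you administer and classify the reply."""
    marker = uuid.uuid4().hex
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_trace_request(host, marker))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify_trace_response(b"".join(chunks), marker)

# Constructed sample responses, modelled on the transcripts above.
SAMPLE_ENABLED = (b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: message/http\r\n\r\n"
                  b"TRACE / HTTP/1.1\r\nHost: localhost\r\nX-Trace-Check: abc123\r\n\r\n")
SAMPLE_DISABLED = (b"HTTP/1.1 405 Method Not Allowed\r\nServer: Apache\r\nAllow:\r\n"
                   b"Content-Type: text/html; charset=iso-8859-1\r\n\r\n<h1>Method Not Allowed</h1>")

if __name__ == "__main__":
    print(classify_trace_response(SAMPLE_ENABLED, "abc123"))
    print(classify_trace_response(SAMPLE_DISABLED, "abc123"))
```

Calling probe("localhost") after changing the configuration and restarting the server should return "disabled"; an "inconclusive" result (for example a 200 HTML page with no echo) means something in front of the server answered the request and the reply needs a manual look.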