Disabling TRACE in Apache httpd

2024-08-29

Disable the TRACE method:

Add this line to httpd.conf:

TraceEnable off

Then restart Apache httpd.


How to check whether TRACE is enabled:

Checking with telnet

If TRACE is enabled, the server replies 200 OK and the response looks like this:

$ telnet localhost 80
Trying ::1...
Connected to localhost.
Escape character is '^]'.
TRACE / HTTP/1.0

HTTP/1.1 200 OK
Date: Thu, 29 Aug 2024 03:59:33 GMT
Server: Apache
Connection: close
Content-Type: message/http

TRACE / HTTP/1.0

Connection closed by foreign host.


Checking with telnet when TRACE is disabled, the server replies 405 Method Not Allowed:

$ telnet localhost 80
Trying ::1...
Connected to localhost.
Escape character is '^]'.
TRACE / HTTP/1.0

HTTP/1.1 405 Method Not Allowed
Date: Thu, 29 Aug 2024 03:55:46 GMT
Server: Apache
Allow:
Content-Length: 222
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>405 Method Not Allowed</title>
</head><body>
<h1>Method Not Allowed</h1>
<p>The requested method TRACE is not allowed for this URL.</p>
</body></html>
Connection closed by foreign host.



Checking with curl

If TRACE is enabled, the server replies HTTP/1.1 200 OK and the response looks like this:

curl -v -X TRACE http://localhost
* Rebuilt URL to: http://localhost/
*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 80 (#0)
> TRACE / HTTP/1.1
> Host: localhost
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Thu, 29 Aug 2024 04:11:46 GMT
< Server: Apache
< Transfer-Encoding: chunked
< Content-Type: message/http
<
TRACE / HTTP/1.1
Host: localhost
User-Agent: curl/7.61.1
Accept: */*

* Connection #0 to host localhost left intact


Checking with curl when TRACE is disabled, the server replies HTTP/1.1 405 Method Not Allowed:

# curl -v -X TRACE http://localhost
* Rebuilt URL to: http://localhost/
*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 80 (#0)
> TRACE / HTTP/1.1
> Host: localhost
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 405 Method Not Allowed
< Date: Thu, 29 Aug 2024 04:10:34 GMT
< Server: Apache
< Allow:
< Content-Length: 222
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>405 Method Not Allowed</title>
</head><body>
<h1>Method Not Allowed</h1>
<p>The requested method TRACE is not allowed for this URL.</p>
</body></html>
* Connection #0 to host localhost left intact

Disabling TRACE in nginx

Add the following to the server block in the .conf file:

server {
  ::
  ::

  # Only accept GET/POST/HEAD
  if ($request_method !~ ^(GET|POST|HEAD)$ ) {
    return 405;
  }

  # Or disable TRACE alone:
  if ($request_method = TRACE) {
    return 405;
  }

  ::
  ::
}
Tags: apache, security, httpd, trace