mod-security-users

[mod-security-users] filter http-request trace

[Jochen B. <jo...@ro...>]

Hi!

I have a problem with filtering the http-request TRACE. The HEAD and
OPTIONS request is filtered correctly, but it is not possible to filter
TRACE requests. Is an error in my config file or is it not possible to
filter TRACE?

best regards,

Jochen


My setup:

Debian GNU/Linux unstable
Apache 1.3.29
Mod-Security 1.7.5

but was also tested with:

Debian GNU/Linux stable
Apache 1.3.26
Mod-Security 1.7.1

SecFilterEngine On                                              =20
SecFilterInheritance On
SecFilterScanPOST on
SecFilterCheckURLEncoding On
SecFilterCheckUnicodeEncoding On
SecFilterForceByteRange 0 255
SecFilterDebugLog /var/log/apache/modsec_debug_log
SecFilterDebugLevel 3
SecAuditEngine On
SecAuditLog /var/log/apache/modsec_audit_log

SecFilterDefaultAction "deny,log,status:500"

SecFilter hidden
SecFilterSelective "REQUEST_METHOD" ^OPTIONS
SecFilterSelective "REQUEST_METHOD" ^TRACE
SecFilterSelective "REQUEST_METHOD" ^HEAD

Re: [mod-security-users] filter http-request trace

[<iv...@we...>]

> I have a problem with filtering the http-request TRACE. The HEAD and OPTIONS request is
> filtered correctly, but it is not possible to filter TRACE requests. Is an error in my
> config file or is it not possible to filter TRACE?

   It isn't possible at the moment. Apache handles TRACE before the request reaches
mod_security. That could possibly change in a future release, but in the meantime you can
use mod_rewrite to filter out TRACE.

Bye,
Ivan