View Single Post
  #1  
Old 13th February 2008, 00:55
rdike rdike is offline
Junior Member
 
Join Date: Feb 2008
Posts: 1
Thanks: 0
Thanked 0 Times in 0 Posts
Default Disabling HTTP TRACE / TRACK in all virtual host

Is there a standard place to put the rewrite conditions so that all of the virtual host are covered and/or so that new virtual host are covered automatically?

Background:
We just had a security audit and one of the few things that they found was that our ispconfig server allowed HTTP TRACE and HTTP TRACK methods. We need to disable them. 'mod_rewrite' is already part of the standard ispconfig configuration so we just need to add the following

...
# disable TRACE and TRACK in the main scope of httpd.conf
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
RewriteCond %{REQUEST_METHOD} ^TRACK
RewriteRule .* - [F]
...
<VirtualHost www.example.com>
...
# disable TRACE and TRACK in the www.example.com virtual host
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
RewriteCond %{REQUEST_METHOD} ^TRACK
RewriteRule .* - [F]
</VirtualHost>

I know the the virtual host are configured in /etc/httpd/conf/vhosts/Vhosts_ispconfig.conf

Is there an easier way than editing that file for each virtual host?
Thanks,
Reece Dike
Reply With Quote
Sponsored Links