  #1  
Old 13th February 2008, 00:55
rdike rdike is offline
Disabling HTTP TRACE / TRACK in all virtual hosts

Is there a standard place to put the rewrite conditions so that all of the virtual hosts are covered and/or so that new virtual hosts are covered automatically?

Background:
We just had a security audit and one of the few things that they found was that our ispconfig server allowed HTTP TRACE and HTTP TRACK methods. We need to disable them. 'mod_rewrite' is already part of the standard ispconfig configuration so we just need to add the following

...
# disable TRACE and TRACK in the main scope of httpd.conf
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
RewriteCond %{REQUEST_METHOD} ^TRACK
RewriteRule .* - [F]
...
<VirtualHost www.example.com>
...
# disable TRACE and TRACK in the www.example.com virtual host
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
RewriteCond %{REQUEST_METHOD} ^TRACK
RewriteRule .* - [F]
</VirtualHost>

I know the virtual hosts are configured in /etc/httpd/conf/vhosts/Vhosts_ispconfig.conf

Is there an easier way than editing that file for each virtual host?
Thanks,
Reece Dike
  #2  
Old 13th February 2008, 07:37
daveb daveb is offline

I think you could add in your apache2.conf or httpd.conf.
TraceEnable off
  #3  
Old 7th May 2008, 21:50
stirfry stirfry is offline

@daveb - Unfortunately, that only works with certain versions of Apache. Furthermore, that directive is supposed to work in Apache 2.0.55, but it didn't do it for me. At least doing so didn't allow my server to pass the audit software I use and I'm not sure exactly how to test the vulnerability myself.

@rdike - I would think that one could change the function named make_vhost in the file /root/ispconfig/scripts/lib/config.lib.php to something like this:

Code:
    $rewrite_rule = "RewriteEngine on"; // this existed
    $rewrite_rule .= "\nRewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)"; // this was added    
    $rewrite_rule .= "\nRewriteRule .* - [F]"; // this was added
After making this change, I went into ISPConfig Admin and "Saved" one of my sites (assuming it would re-generate the Vhosts_ispconfig.conf file). However, the Vhosts file didn't update. I thought, "Perhaps I'm missing a conditional in the PHP and it's never getting to the point where it turns on the RewriteEngine." So, I even tried a total hack by sticking it in the php variable (since all my sites have php enabled), but my Vhosts file was not updating.

So, now I've put those lines in an .htaccess file in the web root for each site, hoping that does the trick. I'll report back when the audit completes.

So two questions here to someone who knows something*. 1) How do I update my Vhosts file? 2) How would you go about making this change? (assuming the .htaccess won't work for everyone even if it works out for me because all the sites I host are my own)

*Edit: I should say, two questions to someone who's smarter than me, as we all know "something". Falko? Till? You out there?

Last edited by stirfry; 8th May 2008 at 19:49.
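An added example, not part of the original posts and not ISPConfig code: a static check that reads an Apache config such as the generated Vhosts_ispconfig.conf and reports, per virtual host, which of TRACE and TRACK the configuration does not visibly refuse. It relates to both the first post's question about covering every virtual host and the post above about the Vhosts file not picking up the new rules. It assumes Apache's documented behaviour that main-scope rewrite rules reach a virtual host only when that host has `RewriteEngine On` and `RewriteOptions Inherit`, and that `TraceEnable` affects TRACE only; the function names and the sample config are constructed for illustration.

```python
import re

METHODS = {"TRACE", "TRACK"}
VHOST = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.I | re.S)

def directives(text):
    """[(lowercased directive, args)] for every non-comment line."""
    rows = (line.split(None, 1) for line in text.splitlines())
    return [(r[0].lower(), r[1].strip() if len(r) > 1 else "")
            for r in rows if r and not r[0].startswith("#")]

def rewrite_blocked(dirs):
    """Methods refused by REQUEST_METHOD RewriteCond(s) + a RewriteRule flagged [F].
    Conds are ANDed; [OR], negation and the rule pattern are not modelled."""
    blocked, pending = set(), None
    for name, args in dirs:
        parts = args.split()
        if name == "rewritecond":
            on_method = len(parts) > 1 and parts[0] == "%{REQUEST_METHOD}"
            hit = {m for m in METHODS if on_method and re.search(parts[1], m)}
            pending = hit if pending is None else pending & hit
        elif name == "rewriterule":
            if pending and re.search(r"\[[^\]]*\bF\b", args):
                blocked |= pending
            pending = None
    return blocked

def audit(conf):
    """Map each virtual host to the methods its config does not visibly refuse."""
    main = directives(VHOST.sub("", conf))
    report = {}
    for addr, body in VHOST.findall(conf):
        dirs = directives(body)
        opts = {k: v.lower() for k, v in dirs}       # last occurrence wins
        blocked = set()
        if opts.get("rewriteengine") == "on":        # must be set in every vhost
            blocked = rewrite_blocked(dirs)
            if "inherit" in opts.get("rewriteoptions", ""):
                blocked |= rewrite_blocked(main)     # main-scope rules now apply
        trace = opts.get("traceenable") or dict(main).get("traceenable", "on")
        if trace.lower() == "off":                   # TraceEnable governs TRACE only
            blocked.add("TRACE")
        report[opts.get("servername", addr.strip())] = sorted(METHODS - blocked)
    return report

# Constructed sample: rules in main scope, one vhost inheriting them, one not.
SAMPLE = ("RewriteEngine On\nRewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)\nRewriteRule .* - [F]\n"
          "<VirtualHost www.example.com>\nRewriteEngine On\nRewriteOptions Inherit\n</VirtualHost>\n"
          "<VirtualHost shop.example.com>\nDocumentRoot /var/www/shop\n</VirtualHost>\n")
print(audit(SAMPLE))
```

The check is conservative: it only credits rules it can read in the file, so an empty list for a host still needs confirming against the running server after a reload.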
  #4  
Old 8th May 2008, 22:08
falko falko is offline

Quote:
Originally Posted by stirfry
So two questions here to someone who knows something*. 1) How do I update my Vhosts file? 2) How would you go about making this change? (assuming the .htaccess won't work for everyone even if it works out for me because all the sites I host are my own)
Can you go to the directory where your Vhosts_ispconfig.conf is located and run
Code:
ls -la
? What's the output?
__________________
Falko
  #5  
Old 8th May 2008, 22:51
stirfry stirfry is offline

Code:
drwxr-xr-x 2 root root  4096 Jul 25  2007 .
drwxr-xr-x 9 root root  4096 May  6 16:27 ..
-rw-r--r-- 1 root root 17195 May  7 13:46 Vhosts_ispconfig.conf
  #6  
Old 9th May 2008, 15:05
falko falko is offline

That's all? Nothing else? No Vhosts_ispconfig.conf~ or Vhosts_ispconfig.conf with a date at the end of the file name?
__________________
Falko