----- Original Message -----
From: "Jeremy Knope" <jerome (at mark) rainstormconsulting.com>
To: <coba-e (at mark) bluequartz.org>
Sent: Wednesday, April 02, 2008 12:13 PM
Subject: [coba-e:12424] Re: Apache vulnerability has customer in a panic
>
> On Apr 2, 2008, at 2:03 PM, Ken Marcus - Precision Web Hosting, Inc.
> wrote:
>
>>
>> ----- Original Message ----- From: "Chris Gebhardt - VIRTBIZ
>> Internet" <cobaltfacts (at mark) virtbiz.com>
>> To: <coba-e (at mark) bluequartz.org>
>> Sent: Tuesday, April 01, 2008 9:33 AM
>> Subject: [coba-e:12393] Re: Apache vulnerability has customer in a
>> panic
>>
>>
>>> Michael Stauber wrote:
>>>>> Using this information, what I have done is to add this into the
>>>>> end of
>>>>> the main httpd.conf and the admserv httpd.conf:
>>>>>
>>>>> # disable TRACE in the main scope of httpd.conf
>>>>> RewriteCond %{REQUEST_METHOD} ^TRACE
>>>>> RewriteRule .* - [F]
>>>>> #
>>>>> This would appear to make a difference, yes?
>>>>
>>>> Correct. Or you could put these additions into a separate conf
>>>> file located in /etc/httpd/conf.d/ and /etc/admserv/conf.d/ .
>>>> Like /etc/httpd/conf.d/trace.conf and /etc/admserv/conf.d/trace.conf
>>>> for example.
>>>
>>> Ah, that may be a more efficient placement. Thanks for the
>>> suggestion!
>>>
>>> --
>>
>>
>> For some reason I had to place it in the /etc/admserv/conf/httpd.conf
>> within the virtual host container in order to get it to
>> disable on port 444.
>>
>>
>>
>> <VirtualHost _default_:444>
>> SSLEngine off
>> RewriteEngine On
>> RewriteCond %{HTTP_HOST} ^([^:]+)
>> RewriteCond %{DOCUMENT_ROOT} !-d
>> RewriteRule .* https://%1:81/error/forbidden.html [L,R]
>> RewriteCond %{HTTP_HOST} ^([^:]+)
>> RewriteRule ^/admin/?$ https://%1:81/login.php [L,R]
>> RewriteCond %{HTTP_HOST} ^([^:]+)
>> RewriteRule ^/siteadmin/?$ https://%1:81/login.php [L,R]
>> RewriteCond %{HTTP_HOST} ^([^:]+)
>> RewriteRule ^/personal/?$ https://%1:81/login.php [L,R]
>> RewriteCond %{HTTP_HOST} ^([^:]+)
>> RewriteRule ^/login/?$ https://%1:81/login.php [L,R]
>>
>> RewriteCond %{HTTP_HOST} ^([^:]+)
>> RewriteRule ^/login.php?$ https://%1:81/login.php [L,R]
>>
>>
>> #by ken
>> RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
>> RewriteRule .* - [F]
>>
>>
>>
>> </VirtualHost>
>>
>>
>
> I had this same problem, seemed to have to place it in non-ssl and in
> ssl explicitly for the admin server. I'm still having troubles with
> this applying to all virtual hosts for regular apache, though oddly
> enough a local test BQ 4.8 server has no problems doing this it
> seems. Live server just flat out doesn't work except for 1 domain.
> Frustrating.

Jeremy,

I actually add it to all the vhost include files by default.
Possibly you could try that.

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|PUT|DELETE)
RewriteRule .* - [F]

----
Ken Marcus
Ecommerce Web Hosting by
Precision Web Hosting, Inc.
http://www.precisionweb.net
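
Added example, not part of the original thread: mod_rewrite rules in the main server scope are not inherited by `<VirtualHost>` containers by default, which matches the behaviour reported above. This Python sketch audits configuration text for vhosts lacking their own TRACE-blocking rule; the function name and the sample config (constructed, using a documentation IP address) are assumptions, and `RewriteOptions Inherit` is not handled.

```python
import re

# Constructed sample: main-scope rule, one vhost with its own rule, one without.
SAMPLE_CONF = """\
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
<VirtualHost _default_:444>
RewriteEngine On
RewriteCond %{HTTP_HOST} ^([^:]+)
RewriteRule ^/login/?$ https://%1:81/login.php [L,R]
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
</VirtualHost>
<VirtualHost 192.0.2.10:80>
</VirtualHost>
"""

def vhosts_missing_trace_block(conf_text):
    """Return addresses of <VirtualHost> blocks lacking their own TRACE-blocking rule."""
    missing, vhost, engine_on, blocked, conds = [], None, False, False, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out directives do not count
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            vhost, engine_on, blocked, conds = opened.group(1).strip(), False, False, []
        elif re.match(r"</VirtualHost>", line, re.I):
            if not (engine_on and blocked):
                missing.append(vhost)
            vhost = None
        elif vhost is not None:  # main-scope rules are skipped: vhosts do not inherit them
            parts = line.split()
            name = parts[0].lower()
            if name == "rewriteengine" and len(parts) > 1:
                engine_on = parts[1].lower() == "on"
            elif name == "rewritecond" and len(parts) >= 3:
                conds.append((parts[1].upper(), parts[2].upper()))
            elif name == "rewriterule":
                found = re.search(r"\[([^\]]*)\]\s*$", line)
                flags = {f.strip().upper() for f in found.group(1).split(",")} if found else set()
                # Count the rule only if the method test is the sole condition on it.
                sole = len(conds) == 1 and conds[0][0] == "%{REQUEST_METHOD}"
                if sole and "TRACE" in conds[0][1] and not conds[0][1].startswith("!") \
                        and flags & {"F", "FORBIDDEN"}:
                    blocked = True
                conds = []  # conditions bind only to the next RewriteRule
    return missing
```

Calling `vhosts_missing_trace_block(SAMPLE_CONF)` reports only the second vhost, even though the main scope carries the rule.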