Trying to get PCI compliant, and we are told to disable trace and track.
I find that I should put this code in the main section of httpd.conf:
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
And then add it again in each virtual host that we need to block.
<VirtualHost>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
</VirtualHost>
When I add it to the main file, no problem. I add it to the VirtualHost and
I get this when I try to bring up the site in a browser:
Firefox has detected that the server is redirecting the request for this
address in a way that will never complete.
I'm guessing that it has something to do with the other Rewrite directives
already in that VirtualHost. It now looks something like this:
RewriteEngine on
RewriteCond %{HTTP_HOST} !^IPADDRESS(:80)?$
RewriteCond %{HTTP_HOST} !^www.domain.com(:80)?$ [NC]
RewriteRule ^/(.*) http://www.domain.com/$1 [L,R]
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
RewriteOptions inherit
Am I putting the directives in the wrong order, or should I eliminate
something else?
Bill Berg
Northern Webworks
715-627-0400 or 1-866-572-1333
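A check for the two symptoms in the post above, added here as an example that is not part of the original message: for each virtual host it reports whether TRACE and TRACK are refused, answered by a redirect first, or echoed, and whether a plain GET ends up in a redirect loop. The names probe, verdict, redirect_chain, audit, MARKER and the X-Probe header are hypothetical, and redirects are followed on the same server by changing only the Host header.

```python
import http.client
from urllib.parse import urlsplit

MARKER = "trace-probe-7f3a"  # constructed value; looked for in an echoed TRACE body

def probe(addr, port, method, vhost, path="/"):
    """Send one request to addr:port with Host: vhost; return (status, Location, body)."""
    conn = http.client.HTTPConnection(addr, port, timeout=5)
    try:
        conn.putrequest(method, path, skip_host=True)
        conn.putheader("Host", vhost)
        conn.putheader("X-Probe", MARKER)  # hypothetical header carrying the marker
        conn.endheaders()
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location"), resp.read(65536)
    finally:
        conn.close()

def verdict(status, location, body):
    """Classify a reply to a TRACE or TRACK request."""
    if status in (403, 405, 501):
        return "blocked"      # [F] gives 403; 405/501 also mean the method was refused
    if 300 <= status < 400:
        return "redirected"   # another rule answered before the block rule was reached
    if status == 200 and MARKER.encode() in body:
        return "echoed"       # request headers reflected: the method is still enabled
    return "unexpected"

def redirect_chain(fetch, vhost, path="/", limit=10):
    """Follow GET redirects via fetch(method, vhost, path); return (hops, looped)."""
    hops = []
    while len(hops) < limit:
        status, location, _ = fetch("GET", vhost, path)
        hops.append((vhost, path, status))
        if not (300 <= status < 400 and location):
            return hops, False
        target = urlsplit(location)  # query strings are ignored when following
        vhost, path = target.netloc or vhost, target.path or "/"
        if any((vhost, path) == hop[:2] for hop in hops):
            return hops, True   # same host and path requested twice: a loop
    return hops, True           # hop limit reached without a final answer

def audit(fetch, vhosts):
    """Per virtual host: (TRACE verdict, TRACK verdict, whether GET / loops)."""
    return {v: (verdict(*fetch("TRACE", v, "/")), verdict(*fetch("TRACK", v, "/")),
                redirect_chain(fetch, v)[1]) for v in vhosts}
```

Against a live server, pass `lambda m, v, p: probe(addr, 80, m, v, p)` as `fetch`, with `addr` set to the server's address. A "redirected" verdict for a host name means the canonical-host redirect was evaluated before the TRACE/TRACK rule.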