Due to a security audit, I need to have the proxy reject requests containing the HTTP TRACE or TRACK methods. I have a proxy set up which listens on port 80 and simply redirects all requests to another proxy, which only accepts requests on 443. I thought that I would start by disabling TRACE/TRACK in the port 80 proxy. Here is a portion of my obj.conf for the port 80 proxy:
AuthTrans fn="match-browser" browser=".*MSIE.*" ssl-unclean-shutdown="true"
NameTrans fn="redirect" from="/" url="https://www.site.com/Site"
AddLog fn="flex-log" name="access"
It seems that the server simply ignores the first <Client> tag and processes the second one. Even when I telnet to the proxy on port 80, and issue a "TRACE /" request, all it does is redirect me to www.site.com/Site. Can someone point me in the right direction here? Where is the best or proper place to intercept requests involving these methods?
Please try moving the <Client> tag to the protocol-specific object. For example:
Service fn="proxy-retrieve" method="*"
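To confirm the result after changing obj.conf, the telnet check from the question can be scripted. This is an added example, not part of the original thread or the proxy's own tooling; the function names and the choice of 403/405/501 as "rejected" statuses are assumptions.

```python
"""Probe a proxy listener for TRACE/TRACK handling (added example)."""
import http.client
import sys

# Assumption: any of these statuses counts as the method being refused.
REJECTED = {403, 405, 501}


def classify(status, content_type=""):
    """Map a response to a TRACE/TRACK probe onto an audit verdict."""
    if status in REJECTED:
        return "rejected"
    if 300 <= status < 400:
        # The method fell through to the NameTrans redirect, as in the question.
        return "redirected"
    if status == 200 and content_type.lower().startswith("message/http"):
        # A real TRACE response reflects the request as message/http.
        return "echoed"
    return "unexpected"


def probe(host, port=80, path="/", methods=("TRACE", "TRACK", "GET"), timeout=5):
    """Send one request per method; return {method: (status, verdict)}."""
    results = {}
    for method in methods:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request(method, path)
            resp = conn.getresponse()
            resp.read()  # drain the body so the socket closes cleanly
            ctype = resp.getheader("Content-Type") or ""
            results[method] = (resp.status, classify(resp.status, ctype))
        finally:
            conn.close()
    return results


def audit_passes(results):
    """TRACE and TRACK must be refused; GET must still be served."""
    blocked = all(results[m][1] == "rejected" for m in ("TRACE", "TRACK"))
    return blocked and results["GET"][1] != "rejected"


if __name__ == "__main__":
    # Usage: python probe_trace.py <proxy-host> [port]
    res = probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 80)
    for method, (status, verdict) in res.items():
        print(f"{method:5} -> {status} {verdict}")
    sys.exit(0 if audit_passes(res) else 1)
```

A "redirected" verdict for TRACE or TRACK reproduces the behaviour described in the question: the request was not intercepted before the redirect ran.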