1 Reply Latest reply: Feb 22, 2010 4:46 AM by 807573

    Disabling the HTTP TRACE and TRACK Methods

    807573
      Greetings,

      Due to a security audit, I need to have the proxy reject requests containing the HTTP TRACE or TRACK methods. I have a proxy set up which listens on port 80 and simply redirects all requests to another proxy, which only accepts requests on 443. I thought that I would start by disabling TRACE/TRACK in the port 80 proxy. Here is a portion of my obj.conf for the port 80 proxy:

      <Object name="default">
      AuthTrans fn="match-browser" browser=".*MSIE.*" ssl-unclean-shutdown="true"
      <Client method="TRACE">
      Service fn="deny-service"
      </Client>
      <Client security="off">
      NameTrans fn="redirect" from="/" url="https://www.site.com/Site"
      </Client>
      PathCheck fn="url-check"
      ObjectType fn="block-ip"
      Service fn="deny-service"
      AddLog fn="flex-log" name="access"
      </Object>

      It seems that the server simply ignores the first <Client> tag and processes the second one. Even when I telnet to the proxy on port 80, and issue a "TRACE /" request, all it does is redirect me to www.site.com/Site. Can someone point me in the right direction here? Where is the best or proper place to intercept requests involving these methods?

      Thanks,

      Chris
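
An added example, not part of the original post: a repeatable version of the telnet check described above, which sends TRACE and TRACK and classifies each response as rejected, redirected or echoed. The probe header name, the function names and the local stub server are constructed for illustration; the stub only imitates the redirect the post reports and is not the proxy's code.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

MARKER = "X-Trace-Probe"  # constructed header name, used to spot an echoed request

def classify(status, content_type, body):
    """Map one response to a TRACE/TRACK probe onto an audit verdict."""
    if status in (403, 405, 501):
        return "rejected"    # the method was refused
    if 300 <= status < 400:
        return "redirected"  # what the post observes: the method was not refused here
    if status == 200 and ("message/http" in content_type or MARKER.lower() in body.lower()):
        return "echoed"      # the request was reflected back to the client
    return "other"

def probe(host, port, method, timeout=5):
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        # The marker header lets classify() recognise a reflected request body.
        conn.request(method, "/", headers={MARKER: "audit-check"})
        resp = conn.getresponse()
        body = resp.read(4096).decode("latin-1")
        return classify(resp.status, resp.getheader("Content-Type", ""), body)
    finally:
        conn.close()

def audit(host, port):
    return {m: probe(host, port, m) for m in ("TRACE", "TRACK")}

class StubProxy(BaseHTTPRequestHandler):
    """Constructed stand-in: redirects TRACE as in the post; no TRACK handler, so 501."""
    def do_TRACE(self):
        self.send_response(302)
        self.send_header("Location", "https://www.site.com/Site")
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args):  # keep the demo quiet
        pass

def demo():
    srv = HTTPServer(("127.0.0.1", 0), StubProxy)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return audit("127.0.0.1", srv.server_port)
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    print(demo())
```

Pointing audit() at each hop separately (the port 80 listener, then the 443 proxy) shows which one actually answers the method.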