Due to a security audit, I need to have the proxy reject requests containing the HTTP TRACE or TRACK methods. I have a proxy set up which listens on port 80 and simply redirects all requests to another proxy, which only accepts requests on 443. I thought that I would start by disabling TRACE/TRACK in the port 80 proxy. Here is a portion of my obj.conf for the port 80 proxy:
It seems that the server simply ignores the first <Client> tag and processes the second one. Even when I telnet to the proxy on port 80, and issue a "TRACE /" request, all it does is redirect me to www.site.com/Site. Can someone point me in the right direction here? Where is the best or proper place to intercept requests involving these methods?
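A scripted version of the telnet check described in the post, covering both TRACE and TRACK and distinguishing a rejection from the redirect the poster observed. This is an added example, not part of the original post; the `X-Audit-Probe` header, the function names and the set of status codes treated as a rejection are assumptions made for illustration.

```python
import socket

# Assumption: these status codes count as the proxy refusing the method itself.
REJECTED = {403, 405, 501}
MARKER = "X-Audit-Probe"  # constructed header, used to spot an echoed TRACE body


def probe(host, port, method, timeout=5.0):
    """Send '<METHOD> / HTTP/1.1' and return (status, headers, body)."""
    request = (
        f"{method} / HTTP/1.1\r\nHost: {host}\r\n"
        f"{MARKER}: 1\r\nConnection: close\r\n\r\n"
    )
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request.encode("ascii"))
        raw = b""
        while chunk := sock.recv(4096):
            raw += chunk
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def verdict(status, headers, body):
    """Classify one response from the proxy."""
    if status in REJECTED:
        return "rejected"
    echoed = MARKER.lower().encode() in body.lower()
    if headers.get("content-type", "").startswith("message/http") or echoed:
        return "echoed"      # TRACE is live: the request came back in the body
    if 300 <= status < 400:
        return "redirected"  # handled by the normal redirect rule, not blocked
    return "allowed"


def audit(host, port=80):
    """Probe both methods named in the audit finding."""
    return {m: verdict(*probe(host, port, m)) for m in ("TRACE", "TRACK")}


if __name__ == "__main__":
    import sys
    print(audit(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 80))
```

A result of `redirected` for TRACE matches the behaviour in the post: the request reached the normal redirect handling instead of being refused.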