Index: [Article Count Order] [Thread]

Date:  Wed, 2 Apr 2008 15:13:47 -0400
From:  Jeremy Knope <jerome (at mark) rainstormconsulting.com>
Subject:  [coba-e:12424] Re: Apache vulnerability has customer in a panic
To:  coba-e (at mark) bluequartz.org
Message-Id:  <037AF174-04F0-4F62-978A-0B7998A2AE76 (at mark) rainstormconsulting.com>
In-Reply-To:  <16c601c894eb$e1b1f220$6401a8c0@OfficeKen>
References:  <47F16FF1.6020700 (at mark) virtbiz.com> <200804010335.16407.bq (at mark) solarspeed.net> <47F1AD42.80800 (at mark) virtbiz.com> <200804011600.20590.bq (at mark) solarspeed.net> <47F263BF.7040901 (at mark) virtbiz.com> <16c601c894eb$e1b1f220$6401a8c0 (at mark) OfficeKen>
X-Mail-Count: 12424


On Apr 2, 2008, at 2:03 PM, Ken Marcus - Precision Web Hosting, Inc.  
wrote:

>
> ----- Original Message ----- From: "Chris Gebhardt - VIRTBIZ  
> Internet" <cobaltfacts (at mark) virtbiz.com>
> To: <coba-e (at mark) bluequartz.org>
> Sent: Tuesday, April 01, 2008 9:33 AM
> Subject: [coba-e:12393] Re: Apache vulnerability has customer in a  
> panic
>
>
>> Michael Stauber wrote:
>>>> Using this information, what I have done is to add this into the  
>>>> end of
>>>> the main httpd.conf and the admserv httpd.conf:
>>>>
>>>> # disable TRACE in the main scope of httpd.conf
>>>> RewriteCond %{REQUEST_METHOD} ^TRACE
>>>> RewriteRule .* - [F]
>>>> #
>>>> This would appear to make a difference, yes?
>>>
>>> Correct. Or you could put these additions it into a separate conf  
>>> file located in /etc/httpd/conf.d/ and /etc/admserv/conf.d/ .  
>>> Like /etc/httpd/conf.d/trace.conf and /etc/admserv/conf.d/ 
>>> trace.conf for example.
>>
>> Ah, that may be a more efficient placement.  Thanks for the  
>> suggestion!
>>
>> -- 
>
>
> For some reason I had to place it in the /etc/admserv/conf/ 
> httpd.conf within the virtual host container in order to get it to  
> disable on port 444.
>
>
>
> <VirtualHost _default_:444>
> SSLEngine off
> RewriteEngine On
> RewriteCond %{HTTP_HOST}                ^([^:]+)
> RewriteCond %{DOCUMENT_ROOT}            !-d
> RewriteRule .*                          https://%1:81/error/ 
> forbidden.html [L,R]
> RewriteCond %{HTTP_HOST}                ^([^:]+)
> RewriteRule ^/admin/?$                  https://%1:81/login.php [L,R]
> RewriteCond %{HTTP_HOST}                ^([^:]+)
> RewriteRule ^/siteadmin/?$              https://%1:81/login.php [L,R]
> RewriteCond %{HTTP_HOST}                ^([^:]+)
> RewriteRule ^/personal/?$               https://%1:81/login.php [L,R]
> RewriteCond %{HTTP_HOST}                ^([^:]+)
> RewriteRule ^/login/?$                  https://%1:81/login.php [L,R]
>
> RewriteCond %{HTTP_HOST}                ^([^:]+)
> RewriteRule ^/login.php?$                  https://%1:81/login.php  
> [L,R]
>
>
> #by ken
> RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
> RewriteRule .* - [F]
>
>
>
> </VirtualHost>
>
>

I had this same problem, seemed to have to place it in non-ssl and in  
ssl explicitly for the admin server.  I'm still having troubles with  
this applying to all virtual hosts for regular apache, though oddly  
enough a local test BQ 4.8 server has no problems doing this it  
seems.  Live server just flat out doesn't work except for 1 domain.   
Frustrating.