From b49ae063632b1f40b9bd45aa66524924e2c26600 Mon Sep 17 00:00:00 2001
From: Bryan Call
Date: Tue, 6 Jun 2023 15:08:08 -0700
Subject: [PATCH] Deny the TRACE method by default (#9789)

---
 configs/ip_allow.config.default | 4 ++--
 doc/admin-guide/files/ip_allow.config.en.rst | 12 ++++++------
 tests/gold_tests/autest-site/min_cfg/ip_allow.config | 4 ++--
 3 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/configs/ip_allow.config.default b/configs/ip_allow.config.default
index 264d0786d3d..0bf3b6e446c 100644
--- a/configs/ip_allow.config.default
+++ b/configs/ip_allow.config.default
@@ -23,5 +23,5 @@
 src_ip=127.0.0.1 action=ip_allow method=ALL
 src_ip=::1 action=ip_allow method=ALL
 # Deny PURGE, DELETE, and PUSH for all (this implies allow other methods for all)
-src_ip=0.0.0.0-255.255.255.255 action=ip_deny method=PUSH|PURGE|DELETE
-src_ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff action=ip_deny method=PUSH|PURGE|DELETE
+src_ip=0.0.0.0-255.255.255.255 action=ip_deny method=PUSH|PURGE|DELETE|TRACE
+src_ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff action=ip_deny method=PUSH|PURGE|DELETE|TRACE
diff --git a/doc/admin-guide/files/ip_allow.config.en.rst b/doc/admin-guide/files/ip_allow.config.en.rst
index 537afcb6eaa..2917c12663b 100644
--- a/doc/admin-guide/files/ip_allow.config.en.rst
+++ b/doc/admin-guide/files/ip_allow.config.en.rst
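Review bot: The context comment in this hunk, `# Deny PURGE, DELETE, and PUSH for all (this implies allow other methods for all)`, is now stale, because the two rules directly beneath it also deny TRACE and an operator reading the shipped default will not see that. I would change it to `# Deny PUSH, PURGE, DELETE, and TRACE for all (this implies allow other methods for all)`. Since this default file is where most operators first meet the rule, a one-line rationale next to it would help, along the lines of `# TRACE echoes the request (headers included) back to the client and is rarely needed through a proxy` — that reasoning is inferred from the method's semantics rather than from anything in the hunk, so phrase it as a recommendation. Note also that the two loopback rules above still grant method=ALL, so TRACE remains accepted from 127.0.0.1 and ::1; whether that exception is intended is worth stating in the same comment so nobody later assumes TRACE is blocked everywhere.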
@@ -70,20 +70,20 @@ deny, one explicit and the other implicit. The ``src_ip`` rules are checked when
 to |TS|. The ``dst_ip`` rules are checked when |TS| connects to another host.
 
 By default the :file:`ip_allow.config` file contains the following lines, which allows all methods
-to connections from localhost and denies the ``PUSH``, ``PURGE`` and ``DELETE`` methods to all other
-IP addresses (note this allows all other methods to all IP addresses)::
+to connections from localhost and denies the ``PUSH``, ``PURGE``, ``DELETE`` and ``TRACE`` methods
+to all other IP addresses (note this allows all other methods to all IP addresses)::
 
    src_ip=127.0.0.1 action=ip_allow method=ALL
    src_ip=::1 action=ip_allow method=ALL
-   src_ip=0.0.0.0-255.255.255.255 action=ip_deny method=PUSH|PURGE|DELETE
-   src_ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff action=ip_deny method=PUSH|PURGE|DELETE
+   src_ip=0.0.0.0-255.255.255.255 action=ip_deny method=PUSH|PURGE|DELETE|TRACE
+   src_ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff action=ip_deny method=PUSH|PURGE|DELETE|TRACE
 
 This could also be specified as::
 
    src_ip=127.0.0.1 action=ip_allow method=ALL
    src_ip=::1 action=ip_allow method=ALL
-   src_ip=0/0 action=ip_deny method=PUSH|PURGE|DELETE
-   src_ip=::/0 action=ip_deny method=PUSH|PURGE|DELETE
+   src_ip=0/0 action=ip_deny method=PUSH|PURGE|DELETE|TRACE
+   src_ip=::/0 action=ip_deny method=PUSH|PURGE|DELETE|TRACE
 
 Examples
 ========
diff --git a/tests/gold_tests/autest-site/min_cfg/ip_allow.config b/tests/gold_tests/autest-site/min_cfg/ip_allow.config
index 061bbe5c0b6..b795a59cad0 100644
--- a/tests/gold_tests/autest-site/min_cfg/ip_allow.config
+++ b/tests/gold_tests/autest-site/min_cfg/ip_allow.config
@@ -1,4 +1,4 @@
 src_ip=127.0.0.1 action=ip_allow method=ALL
 src_ip=::1 action=ip_allow method=ALL
-src_ip=0.0.0.0-255.255.255.255 action=ip_deny method=PUSH|PURGE|DELETE
-src_ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff action=ip_deny method=PUSH|PURGE|DELETE
\ No newline at end of file
+src_ip=0.0.0.0-255.255.255.255 action=ip_deny method=PUSH|PURGE|DELETE|TRACE
+src_ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff action=ip_deny method=PUSH|PURGE|DELETE|TRACE