Merged
4 changes: 3 additions & 1 deletion configs/ip_allow.yaml.default
Expand Up @@ -24,7 +24,7 @@
# Rules are applied in the order listed starting from the top.
# That means you generally want to append your rules after the ones listed here.
#
# Allow anything on localhost, limit destructive methods elsewhere.
# Allow anything on localhost, limit destructive and debug methods elsewhere.
ip_allow:
- apply: in
ip_addrs: 127.0.0.1
Expand All @@ -41,10 +41,12 @@ ip_allow:
- PURGE
- PUSH
- DELETE
- TRACE
- apply: in
ip_addrs: ::/0
action: deny
methods:
- PURGE
- PUSH
- DELETE
- TRACE
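Review bot: adding TRACE to both the IPv4 `0/0` and the IPv6 `::/0` deny lists is consistent, but the loopback `allow` rules above are untouched, so TRACE remains permitted from 127.0.0.1 and ::1. That matches the updated comment ("Allow anything on localhost"), but it is worth stating in the commit message or the docs that local diagnostic use of TRACE is still available while remote clients are denied, since TRACE echoes the received request, headers included, back to the requester.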
9 changes: 6 additions & 3 deletions doc/admin-guide/files/ip_allow.yaml.en.rst
Expand Up @@ -60,13 +60,15 @@ Format
- PURGE
- PUSH
- DELETE
- TRACE
- apply: in
ip_addrs: ::/0
action: deny
methods:
- PURGE
- PUSH
- DELETE
- TRACE

Each rule is a mapping. The YAML data must have a top level key of "ip_allow" and its value must
be a mapping or a sequence of mappings, each of those being one rule.
Expand Down Expand Up @@ -106,7 +108,8 @@ the specified methods are denied and all other methods are allowed.
For example, from the default configuration, the rule for ``127.0.0.1`` is ``allow`` with all
methods. Therefore an inbound connection from the loopback address (127.0.0.1) is allowed to use any
method. The general IPv4 rule, covering all IPv4 address, is a ``deny`` rule and therefore when it
matches the methods "PURGE", "PUSH", and "DELETE", these methods are denied and any other method is allowed.
matches the methods "PURGE", "PUSH", "DELETE", and "TRACE", these methods are denied and any other method
is allowed.

The rules are matched in order, by IP address, therefore the general IPv4 rule does not apply to the
loopback address because the latter is matched first.
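Review bot: while this paragraph is being rewrapped, the context line `covering all IPv4 address` should read `covering all IPv4 addresses`. The reworded sentence itself correctly lists the four methods now in the default configuration.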
Expand Down Expand Up @@ -224,8 +227,8 @@ As a final example, here is the default configuration in compact form::
ip_allow: [
{ apply: in, ip_addrs: 127.0.0.1, action: allow },
{ apply: in, ip_addrs: "::1", action: allow },
{ apply: in, ip_addrs: 0/0, action: deny, methods: [ PURGE, PUSH, DELETE ] },
{ apply: in, ip_addrs: "::/0", action: deny, methods: [ PURGE, PUSH, DELETE ] }
{ apply: in, ip_addrs: 0/0, action: deny, methods: [ PURGE, PUSH, DELETE, TRACE ] },
{ apply: in, ip_addrs: "::/0", action: deny, methods: [ PURGE, PUSH, DELETE, TRACE ] }
]

.. note::
4 changes: 3 additions & 1 deletion tests/gold_tests/autest-site/min_cfg/ip_allow.yaml
Expand Up @@ -13,7 +13,7 @@
# or implied. See the License for the specific language governing permissions and limitations under
# the License.

# Allow anything on localhost, limit destructive methods elsewhere.
# Allow anything on localhost, limit destructive and debug methods elsewhere.
ip_allow:
- apply: in
ip_addrs: 127.0.0.1
Expand All @@ -34,10 +34,12 @@ ip_allow:
- PURGE
- PUSH
- DELETE
- TRACE
- apply: in
ip_addrs: ::/0
action: deny
methods:
- PURGE
- PUSH
- DELETE
- TRACE
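Review bot: the autest minimal config is updated to mirror the default, but nothing in this change adds a gold test asserting that a TRACE request from a non-loopback address is denied. Consider adding one so the new entry is covered; otherwise a regression in matching the added method would go unnoticed while the config still looks correct.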