2 Replies Latest reply: Feb 20, 2014 4:14 PM by signaldecay
William Bowden1 Level 1 (35 points)
Thinking caps on
My server keeps failing PCI security checks because port 8008 has a TRACE vulnerability.

Tested myself:


HTTP/1.1 200 OK
Content-Length: 18
Accept-Ranges: bytes
Server: Twisted/8.2.0 TwistedWeb/8.2.0
Last-Modified: Sat, 27 Feb 2010 13:33:53 GMT
DAV: 1, access-control
ETag: "4534C-88-4B891F41"
Date: Tue, 08 Mar 2011 14:37:07 GMT
Content-Type: message/http
Connection: close

Connection closed by foreign host.

Now, on the web server's Apache, TRACE is disabled, but iCal uses the calendarserver, a Python-based system that runs its own Apache.

So, any ideas how to disable TRACE and TRACK in iCal Server?

MacBook, Mac OS X (10.6.6)
  • Samuel Macomber Level 1 (35 points)

    I have the same problem. Did you ever figure it out?

  • signaldecay Level 1 (0 points)

    I realize this is an ancient thread, but I ran into this myself recently and Googled up this unanswered question.


    What worked for me is setting up OS X Server's Apache to reverse-proxy port 8443 and forward the traffic to the Calendar Server's unsecure 8008 port. You have to turn off the Calendar Server's own SSL on 8443. Furthermore, you have to hand-edit the appropriate conf file in /etc/apache2/sites to have the needed rewrite rules after adding the new 8443 site in the GUI. But it seems to work. Apache can be told not to support TRACE but the built-in web server of the Calendar Server can't.


    This is the basic method, as applied to another application:




    The write-up only covers the non-server version of OS X, but does have the correct rewrite rules.


    You could also use an entirely different machine for the reverse proxy and forward the traffic across your own private network. Lots of options.
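
To confirm the result before the next PCI scan, the check below repeats the manual test from the first post for both TRACE and TRACK and reports whether each method is still honoured (a 200 response with `Content-Type: message/http`, as in the output above, or an echo of the probe header). It is an added example, not code from any poster in this thread or from Calendar Server; the function names, the probe header and the two localhost demo handlers are constructed for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

MARKER = "constructed-trace-probe"  # constructed value, only used to spot an echo

def method_echoed(host, port, method="TRACE", use_tls=False, timeout=5):
    """True if the server answers `method` with 200 and echoes the request."""
    cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=timeout)
    try:
        conn.request(method, "/", headers={"X-Probe": MARKER})
        resp = conn.getresponse()
        body = resp.read(65536).decode("latin-1", "replace")
        ctype = resp.getheader("Content-Type", "")
        return resp.status == 200 and (ctype.startswith("message/http") or MARKER in body)
    finally:
        conn.close()

def audit(host, port, use_tls=False):
    """Map TRACE and TRACK to True (still honoured) or False (refused)."""
    return {m: method_echoed(host, port, m, use_tls) for m in ("TRACE", "TRACK")}

class EchoingHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a backend that honours TRACE."""
    def do_TRACE(self):
        echo = (self.requestline + "\r\n" + str(self.headers)).encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(echo)))
        self.end_headers()
        self.wfile.write(echo)
    def log_message(self, *args):  # keep the demo quiet
        pass

class RefusingHandler(EchoingHandler):
    """Constructed stand-in for a front end that refuses TRACE."""
    def do_TRACE(self):
        self.send_error(405)

def start_demo_server(handler):
    """Serve `handler` on a free localhost port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]

if __name__ == "__main__":
    srv, port = start_demo_server(EchoingHandler)
    print(audit("127.0.0.1", port))
```

Against a real server, call `audit()` with the host and port of each listener that the scanner can reach; `use_tls=True` uses Python's default certificate verification, so a self-signed certificate will raise an error rather than return a result.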