Blocking HTTP TRACE by redirecting it to noop@internal


For security reasons I want to block all HTTP TRACE requests to any of my applications.

To do that I defined a router with the highest priority to redirect all TRACE requests to the noop@internal service:

  # block all TRACE requests on both entrypoints by redirecting it to the noop service with the highest priority
  http:
    routers:
      block-trace:            # router name assumed; the post did not include it
        entryPoints:
          - web
          - websecure
        service: noop@internal
        rule: Method(`TRACE`)
        priority: 10000

But as I could not find anyone else doing it this way, I just wanted to ask: is this a good idea? Or is there a better way to achieve this? I could not really find any documentation on the internal services (in general), so I could not really find out what their actual purpose is and what their restrictions are. I just found noop@internal mentioned in an article about redirects.

Thanks in advance!


As no one really cried out in pain, I'd guess this is not such a bad idea?

I have had this "in prod" for some time now, and at least semantically it works. Still not sure whether it is a good idea to actually redirect traffic to the noop service though...

I would also be very interested in the question of whether this is a recommended approach, and especially whether the usage of the endpoint "noop@internal" is recommended or highly discouraged.

So yeah, after reading IngressRoute without a "real" service · Issue #7242 · traefik/traefik · GitHub: noop@internal is a dummy service that just returns an HTTP 418 I'm a teapot. Your config will definitely work for HTTP traffic but not for HTTPS. For HTTPS you could instead whitelist methods for every service. So for the rule of a specific service you could write: rule=Host(`yourdomain.tld`)&&Method(`GET`,`POST`) (just check with the developer console in your browser which methods your service is using). In the example the service will only accept the GET and POST methods, and Traefik will return an HTTP 405 Method Not Allowed otherwise.

Oh, and by the way, you can test whether your setup works with curl -X TRACE -i http://yourdomain.tld or curl -X TRACE -i https://yourdomain.tld. The response should be something like this: HTTP/1.1 418 I'm a teapot
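Going a step beyond the two curl commands above, here is an added example (written for this page, not posted by anyone in the thread and not part of Traefik) that probes a list of hosts over both plain HTTP and HTTPS and classifies what came back. A 418 means the request was routed to noop@internal, a 405 means a Method() whitelist on the service's router rejected it, and a 2xx whose body echoes a random marker header we sent means TRACE reached a backend that implements it, which is the Cross-Site Tracing condition the original poster wants to rule out. The hostnames are placeholders and the network probe only runs when the script is executed directly; the classifier itself is pure and can be exercised offline.

```python
"""Probe hosts for HTTP TRACE handling behind Traefik (added example, not thread code)."""
import http.client
import ssl
import sys
import uuid

# Header whose random value lets us recognise our own request in a reflected body.
MARKER_HEADER = "X-Trace-Probe"


def classify(status: int, body: bytes, marker: str) -> str:
    """Map a TRACE response to a verdict.

    418 -> routed to noop@internal (the high-priority TRACE router matched)
    405 -> rejected by a Method() whitelist on the service's own router
    2xx with our marker echoed back -> backend implements TRACE (reflected; XST risk)
    anything else -> request passed through and the backend answered some other way
    """
    if status == 418:
        return "blocked-by-noop"
    if status == 405:
        return "method-not-allowed"
    if 200 <= status < 300 and marker.encode("ascii") in body:
        return "reflected-xst"
    return "passed-through"


def probe(host: str, scheme: str, path: str = "/", timeout: float = 5.0):
    """Send one TRACE request and return (status, verdict). Raises OSError on connection errors."""
    marker = uuid.uuid4().hex
    if scheme == "https":
        conn = http.client.HTTPSConnection(
            host, timeout=timeout, context=ssl.create_default_context()
        )
    else:
        conn = http.client.HTTPConnection(host, timeout=timeout)
    try:
        conn.request("TRACE", path, headers={MARKER_HEADER: marker})
        resp = conn.getresponse()
        body = resp.read()
        return resp.status, classify(resp.status, body, marker)
    finally:
        conn.close()


if __name__ == "__main__":
    # Usage: python trace_probe.py host1.tld host2.tld ...  (placeholder default below)
    for host in sys.argv[1:] or ["yourdomain.tld"]:
        for scheme in ("http", "https"):
            try:
                status, verdict = probe(host, scheme)
                print(f"{scheme}://{host:<30} {status:>3}  {verdict}")
            except OSError as exc:
                print(f"{scheme}://{host:<30} ERR  {exc}")
```

Running it against both schemes is the point: a router that only matches plain HTTP will show "blocked-by-noop" on the http line and "passed-through" or "reflected-xst" on the https line, which is exactly the discrepancy discussed in this thread.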

Why exactly do you think this will not work for HTTPS? My HTTP entrypoint is web and the HTTPS one is websecure, and this works as described above.

Adding the Method matcher to all rules would be an option, but as I have hundreds of ingresses this would be a pretty cumbersome thing to do.

Also, the question was not "Does this work?" but rather "It works, but is it a good idea to do it like this?" 🙂 I'm thinking about issues with the service when a lot of requests hit it, like it could crash Traefik in such a case, or that it has some known security issues and should never be used on a publicly accessible endpoint.

Thanks for your reply anyways!

Sorry about that. I tested your setup, copied your config, and used curl -X TRACE -i https://example.tld, and it did not return an HTTP 418; instead it passed the request through to the service. Because of that I assumed this would not work. (You could probably define a second service with TLS termination and a wildcard cert for all your domains.) What I do not know is how well this will work (but reading the bug report, they basically created noop@internal to have a dummy service in your k8s cluster).

Yep, you're right. Looks like it. But all the examples I found only describe cases where the service is actually never hit by any request, because a middleware always does some redirection before that.

Also, as described in the issue, unfortunately there is no real documentation on the @internal services.

I subscribed to the issue. Maybe there will be someone taking it over and describing the ideas behind the different services.