Posted to users@httpd.apache.org by Joe Littlejohn <jo...@gmail.com> on 2011/02/02 14:50:34 UTC

[users@httpd] LimitRequestBody and Content-Length header

Hi all,

I'm trying to use the LimitRequestBody directive to protect against
clients that attempt to make requests with extremely large bodies to
negatively affect our service. I'd like to know whether this directive
rejects requests based on the value of the Content-Length header, or
whether the *real* size of the body is checked.

We intend to use Apache 2.2 in front of JBoss and delegate incoming
requests to JBoss using mod_proxy. When a request comes in, we're
concerned that when submitting a malicious message with a very large
body, the client may report a false value in the Content-Length
header. I've also seen the SecRequestBodyLimit directive available in
ModSecurity, so I'd be interested to know if anyone knows what the
difference is between these two directives (if any) and whether one
provides better protection than the other.

I've tried to simulate malicious requests using curl but I'm not sure
if I'm producing exactly the request header values I need. I've also
had a look at the source code but I can't find the exact code that
executes the LimitRequestBody directive. Can anyone help?

Thanks in advance,

Joe

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] LimitRequestBody and Content-Length header

Posted by Igor Galić <i....@brainsware.org>.

----- Original Message -----
> 
> Can anyone offer any advice on this one?
> 
> Cheers
> 
> 
> 
> joelittlejohn wrote:
> > 
> > Hi all,
> > 
> > I'm trying to use the LimitRequestBody directive to protect against
> > clients that attempt to make requests with extremely large bodies to
> > negatively affect our service. I'd like to know whether this
> > directive
> > rejects requests based on the value of the Content-Length header,
> > or
> > whether the *real* size of the body is checked.

From looking at the code, it's taking the real size of the body.

> > We intend to use Apache 2.2 in front of JBoss and delegate incoming
> > requests to JBoss using mod_proxy. When a request comes in, we're
> > concerned that when submitting a malicious message with a very
> > large
> > body, the client may report a false value in the Content-Length

Note that LimitRequestBody does not affect proxies.

> > header. I've also seen the SecRequestBodyLimit directive available
> > in

check out mod_proxy's documentation:
http://www.modsecurity.org/documentation/modsecurity-apache/2.5.12/html-multipage/configuration-directives.html#N10878

It doesn't say anything about it....

So I guess you're best off trying it out.

> > ModSecurity, so I'd be interested to know if anyone knows what the
> > difference is between these two directives (if any) and whether one
> > provides better protection than the other.
> > 
> > I've tried to simulate malicious requests using curl but I'm not
> > sure
> > if I'm producing exactly the request header values I need. I've
> > also
> > had a look at the source code but I can't find the exact code that

https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/modules/http/http_filters.c

In trunk also here: modules/proxy/mod_proxy_http.c

> > executes the LimitRequestBody directive. Can anyone help?
> > 
> > Thanks in advance,
> > 
> > Joe
> > 
> > 
> > 
> > 
> 
> --
> View this message in context:
> http://old.nabble.com/-users%40httpd--LimitRequestBody-and-Content-Length-header-tp30826145p30862426.html
> Sent from the Apache HTTP Server - Users mailing list archive at
> Nabble.com.
> 
> 
> 
> 

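The question in this thread is whether a body-size limit is enforced on the declared Content-Length or on the bytes actually received. The model below is an added example for illustration; it is not httpd's code, not a description of how http_filters.c is structured, and not a claim about mod_proxy or ModSecurity behaviour. It shows the two cases a server has to cover: a Content-Length body (the declared value is checked up front, and only that many bytes are consumed, so a client that under-reports the length does not get extra bytes accepted as part of this request) and a chunked body with no usable Content-Length (the only defence is counting real bytes as chunks arrive). The function name `read_body_with_limit`, the status codes returned and the sample requests are all constructed for this example.

```python
import io

CRLF = b"\r\n"


def _read_exact(stream, n):
    """Read exactly n bytes or raise ValueError (truncated body)."""
    data = stream.read(n)
    if len(data) != n:
        raise ValueError("premature end of body")
    return data


def _read_line(stream):
    """Read one CRLF-terminated line and return it without the CRLF."""
    line = stream.readline()
    if not line.endswith(CRLF):
        raise ValueError("malformed line in chunked body")
    return line[:-2]


def _read_chunked(stream, limit):
    """Decode a chunked body, rejecting once the real byte count exceeds limit."""
    total = 0
    parts = []
    while True:
        try:
            size_field = _read_line(stream).split(b";", 1)[0].strip()
            size = int(size_field.decode("ascii"), 16)
        except ValueError:
            return 400, b""
        if size == 0:
            # Last chunk: consume trailer lines up to the empty line.
            while True:
                try:
                    trailer = _read_line(stream)
                except ValueError:
                    return 400, b""
                if trailer == b"":
                    return 200, b"".join(parts)
        total += size
        if total > limit:
            # Real size exceeded the limit: stop reading, reject the request.
            return 413, b""
        try:
            parts.append(_read_exact(stream, size))
            if _read_line(stream) != b"":  # CRLF that terminates the chunk data
                return 400, b""
        except ValueError:
            return 400, b""


def read_body_with_limit(stream, headers, limit):
    """Return (status, body): 200 accepted, 413 over limit, 400 malformed.

    `stream` is a binary file-like object positioned at the start of the body
    (constructed with io.BytesIO in the tests); `headers` is a dict.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("transfer-encoding", "").lower() == "chunked":
        # Content-Length is meaningless here; count what actually arrives.
        return _read_chunked(stream, limit)
    if "content-length" not in h:
        return 200, b""
    try:
        declared = int(h["content-length"])
    except ValueError:
        return 400, b""
    if declared < 0:
        return 400, b""
    if declared > limit:
        # Rejected before a single body byte is consumed.
        return 413, b""
    try:
        # Only the declared number of bytes belongs to this request; anything
        # the client sends beyond that is left on the connection and would be
        # parsed as the start of the next request (and fail as garbage).
        body = _read_exact(stream, declared)
    except ValueError:
        return 400, b""
    return 200, body


if __name__ == "__main__":
    # Constructed sample: client claims 5 bytes but sends 5000.
    lying = io.BytesIO(b"x" * 5000)
    print(read_body_with_limit(lying, {"Content-Length": "5"}, 1024), lying.tell())
    # Constructed sample: chunked body whose real size is 1025 bytes.
    chunked = b"400\r\n" + b"a" * 1024 + b"\r\n" + b"1\r\nb\r\n0\r\n\r\n"
    print(read_body_with_limit(io.BytesIO(chunked), {"Transfer-Encoding": "chunked"}, 1024))
```

The point the two samples in `__main__` make: with a Content-Length body the limit decides whether the server will start reading at all, and a false, smaller Content-Length does not smuggle a larger body through this request; with a chunked body the server cannot know the size in advance, so the check has to run on the running total of bytes actually received. Whichever tool is used in front of JBoss, that is the behaviour to verify with a test request, as Igor suggests.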


Re: [users@httpd] LimitRequestBody and Content-Length header

Posted by joelittlejohn <jo...@gmail.com>.
Can anyone offer any advice on this one?

Cheers



joelittlejohn wrote:
> 
> Hi all,
> 
> I'm trying to use the LimitRequestBody directive to protect against
> clients that attempt to make requests with extremely large bodies to
> negatively affect our service. I'd like to know whether this directive
> rejects requests based on the value of the Content-Length header, or
> whether the *real* size of the body is checked.
> 
> We intend to use Apache 2.2 in front of JBoss and delegate incoming
> requests to JBoss using mod_proxy. When a request comes in, we're
> concerned that when submitting a malicious message with a very large
> body, the client may report a false value in the Content-Length
> header. I've also seen the SecRequestBodyLimit directive available in
> ModSecurity, so I'd be interested to know if anyone knows what the
> difference is between these two directives (if any) and whether one
> provides better protection than the other.
> 
> I've tried to simulate malicious requests using curl but I'm not sure
> if I'm producing exactly the request header values I need. I've also
> had a look at the source code but I can't find the exact code that
> executes the LimitRequestBody directive. Can anyone help?
> 
> Thanks in advance,
> 
> Joe
> 
> 
> 
> 

-- 
View this message in context: http://old.nabble.com/-users%40httpd--LimitRequestBody-and-Content-Length-header-tp30826145p30862426.html
Sent from the Apache HTTP Server - Users mailing list archive at Nabble.com.

