Posted to users@tomcat.apache.org by Andrew Todd <an...@gmail.com> on 2012/09/27 22:27:10 UTC

maxHTTPHeaderSize, and specific header lengths

I have a question about maxHttpHeaderSize [0]. In Apache httpd, there
are two different parameters that affect the maximum size of an HTTP
header, limitRequestFieldSize and limitRequestLine. [1] These
configuration values specify about 8 kilobytes per _line_ in the
incoming request. However, in Tomcat, maxHttpHeaderSize seems to
specify the maximum length of the entire incoming header, also at
around 8 kilobytes. So httpd will, by default, accept a much bigger
header than Tomcat will.

Is that an accurate understanding of the configuration? If I want to
expand the maximum URL and header lengths that I can accept in Tomcat,
should I change the value of maxHttpHeaderSize? Thanks.


[0] https://tomcat.apache.org/tomcat-7.0-doc/config/http.html
[1] https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: maxHTTPHeaderSize, and specific header lengths

Posted by Andrew Todd <an...@gmail.com>.
On Mon, Oct 1, 2012 at 11:41 AM, Konstantin Kolinko
<kn...@gmail.com> wrote:
> 2. If the protocol between HTTPD and Tomcat is AJP,
> then the protocol itself has its own limitation, which is ~15 times
> less than that amount.

Thanks for anticipating my next question. Right now we're using
mod_proxy with the HTTP connector, but mod_jk and AJP are definitely a
possibility in the future.

I've started digging into the documentation, and it seems like by
default the AJP connector is limited to 8k requests, based on the
packetSize parameter? And the max is 65536? (~13 times less)?

Does the memory allocation work the same way in AJP as in HTTP?

> 4. A request that has 1Mb of headers wastes a lot of bandwidth.

I agree -- I'd just rather bounce my huge, unwanted requests at the
reverse proxy rather than at Tomcat.



Re: maxHTTPHeaderSize, and specific header lengths

Posted by Konstantin Kolinko <kn...@gmail.com>.
2012/10/1 Andrew Todd <an...@gmail.com>:
> On Sun, Sep 30, 2012 at 6:21 AM, Konstantin Kolinko
> <kn...@gmail.com> wrote:
>> In Tomcat each request processor has a byte buffer and all the headers
>> must fit into that buffer.
>
> Thanks so much for the detailed response. I have a couple more questions:
>
> 1) When a request is rejected for being too large, is there any
> logging that happens or can happen in Tomcat?
>

I think that you should see a record in the access log with a certain
HTTP response code.
(Try to test it and see what happens).

There should not be anything in the "catalina" log, unless you enable
debug logging.


> Looks like you'll get an IllegalArgumentException.

A request with too long headers is rejected before it reaches a web
application. What exception happens is up to Tomcat internals.


> 2) Apache httpd will accept a request-line of 8190 bytes.
> Additionally, each header line can have a maximum length of 8190
> bytes. With the default maximum of 100 request fields, this means that
> httpd will accept a header of up to (101 * 8190) = 827,190 bytes in
> size.
>
> Let's say I'm fronting Tomcat with Apache, and I set maxHttpHeaderSize
> to 827,190 bytes so that they have the same limit.
>
> Is a byte array of that size going to be allocated for each incoming
> request, regardless of how short or long it actually is?
>

1. Yes. For each request processor. So the buffer is reused for
subsequent requests.

2. If the protocol between HTTPD and Tomcat is AJP,
then the protocol itself has its own limitation, which is ~15 times
less than that amount.

> And, in a worst-case scenario, if all of Tomcat's default 200 threads
> receive headers of 827,190 bytes at the same time, I'm looking at
> about 166 megabytes of memory allocated on the heap. Is that accurate?
> (I think I have enough memory to handle this; GC might be a little
> much, though).
>
> For the record, I'm not seriously expecting headers of this size on a
> regular basis, but wondering about the edge cases.
>

3. Note that there are also limits on the count of headers and on the
count of parameters in a GET/POST request.

4. A request that has 1Mb of headers wastes a lot of bandwidth.

Best regards,
Konstantin Kolinko



Re: maxHTTPHeaderSize, and specific header lengths

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Andrew,

On 10/1/12 10:33 AM, Andrew Todd wrote:
> 1) When a request is rejected for being too large, is there any 
> logging that happens or can happen in Tomcat?

Looks like you'll get an IllegalArgumentException. Easy enough to test
yourself, eh?

> 2) Apache httpd will accept a request-line of 8190 bytes. 
> Additionally, each header line can have a maximum length of 8190 
> bytes. With the default maximum of 100 request fields, this means
> that httpd will accept a header of up to (101 * 8190) = 827,190
> bytes in size.
> 
> Let's say I'm fronting Tomcat with Apache, and I set
> maxHttpHeaderSize to 827,190 bytes so that they have the same
> limit.
> 
> Is a byte array of that size going to be allocated for each
> incoming request, regardless of how short or long it actually is?

It will be allocated once and re-used for every request (unless you
disable such reuse).

> And, in a worst-case scenario, if all of Tomcat's default 200
> threads receive headers of 827,190 bytes at the same time, I'm
> looking at about 166 megabytes of memory allocated on the heap. Is
> that accurate?

Yes, though it will always be on the heap: there won't be any
heap-churn for those objects.

> (I think I have enough memory to handle this; GC might be a little 
> much, though).
> 
> For the record, I'm not seriously expecting headers of this size on
> a regular basis, but wondering about the edge cases.

I think you're thinking the right way.

-chris



Re: maxHTTPHeaderSize, and specific header lengths

Posted by Andrew Todd <an...@gmail.com>.
On Sun, Sep 30, 2012 at 6:21 AM, Konstantin Kolinko
<kn...@gmail.com> wrote:
> In Tomcat each request processor has a byte buffer and all the headers
> must fit into that buffer.

Thanks so much for the detailed response. I have a couple more questions:

1) When a request is rejected for being too large, is there any
logging that happens or can happen in Tomcat?

2) Apache httpd will accept a request-line of 8190 bytes.
Additionally, each header line can have a maximum length of 8190
bytes. With the default maximum of 100 request fields, this means that
httpd will accept a header of up to (101 * 8190) = 827,190 bytes in
size.

Let's say I'm fronting Tomcat with Apache, and I set maxHttpHeaderSize
to 827,190 bytes so that they have the same limit.

Is a byte array of that size going to be allocated for each incoming
request, regardless of how short or long it actually is?

And, in a worst-case scenario, if all of Tomcat's default 200 threads
receive headers of 827,190 bytes at the same time, I'm looking at
about 166 megabytes of memory allocated on the heap. Is that accurate?
(I think I have enough memory to handle this; GC might be a little
much, though).

For the record, I'm not seriously expecting headers of this size on a
regular basis, but wondering about the edge cases.



Re: maxHTTPHeaderSize, and specific header lengths

Posted by Konstantin Kolinko <kn...@gmail.com>.
2012/9/28 Andrew Todd <an...@gmail.com>:
> I have a question about maxHttpHeaderSize [0]. In Apache httpd, there
> are two different parameters that affect the maximum size of an HTTP
> header, limitRequestFieldSize and limitRequestLine. [1] These
> configuration values specify about 8 kilobytes per _line_ in the
> incoming request. However, in Tomcat, maxHttpHeaderSize seems to
> specify the maximum length of the entire incoming header, also at
> around 8 kilobytes. So httpd will, by default, accept a much bigger
> header than Tomcat will.
>
> Is that an accurate understanding of the configuration? If I want to
> expand the maximum URL and header lengths that I can accept in Tomcat,
> should I change the value of maxHttpHeaderSize? Thanks.
>

Yes.

In Tomcat each request processor has a byte buffer and all the headers
must fit into that buffer. The size of the buffer is essentially
specified by the maxHttpHeaderSize attribute. (The actual buffer is
larger due to some additional margins being taken into account).

The bytes in the buffer are passed by reference (see ByteChunk).
Conversion from bytes to Strings for headers is performed lazily. So
the buffer cannot be reused for subsequent headers and thus is the
limitation.

The configuration reference [0] does not say it, but IIRC the request
line is placed into the same buffer and is subjected to the same limit
together with the headers.

>
> [0] https://tomcat.apache.org/tomcat-7.0-doc/config/http.html
> [1] https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize

Best regards,
Konstantin Kolinko

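
Added example (not part of the thread, and not code from any poster or from the Tomcat or httpd projects): a small Python audit of the limit comparison discussed above. It reads the httpd LimitRequest* directives and the Tomcat Connector attributes from constructed sample configs, applies the thread's own estimate (request line plus every field at its cap), and reports which side is the tighter limit and how much heap the per-processor header buffers reserve. The function names and result keys are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample configs for illustration (not taken from the thread).
HTTPD_CONF = """\
LimitRequestLine 8190
LimitRequestFieldSize 8190
LimitRequestFields 100
"""
SERVER_XML = """\
<Connector port="8080" protocol="HTTP/1.1"
           maxThreads="200" maxHttpHeaderSize="8192"/>
"""

# Defaults quoted in the thread: 8190 bytes per line, 100 fields (httpd);
# about 8 KB total and 200 threads (Tomcat).
HTTPD_DEFAULTS = {"limitrequestline": 8190,
                  "limitrequestfieldsize": 8190,
                  "limitrequestfields": 100}

def httpd_limits(conf):
    """Read the LimitRequest* directives; unset ones keep their defaults."""
    limits = dict(HTTPD_DEFAULTS)
    for name, value in re.findall(r"^\s*(LimitRequest\w+)\s+(\d+)", conf, re.M | re.I):
        if name.lower() in limits:
            limits[name.lower()] = int(value)
    return limits

def audit(conf, server_xml):
    """Compare what httpd can forward with what one Tomcat buffer can hold."""
    lim = httpd_limits(conf)
    conn = next(ET.fromstring(server_xml).iter("Connector"))
    tomcat_max = int(conn.get("maxHttpHeaderSize", "8192"))
    threads = int(conn.get("maxThreads", "200"))
    if lim["limitrequestfields"] == 0:      # 0 means "unlimited" in httpd
        worst = None
    else:                                   # request line + every field at its cap
        worst = (lim["limitrequestline"]
                 + lim["limitrequestfields"] * lim["limitrequestfieldsize"])
    return {
        "httpd_worst_case": worst,
        "tomcat_max": tomcat_max,
        # True only if nothing httpd accepts can overflow Tomcat's buffer.
        "proxy_is_tighter": worst is not None and worst <= tomcat_max,
        # Lower bound: one header buffer per request processor, kept for reuse.
        "header_buffer_bytes": threads * tomcat_max,
    }

if __name__ == "__main__":
    print(audit(HTTPD_CONF, SERVER_XML))
```

With the sample values httpd accepts up to 827,190 bytes against Tomcat's 8192, so oversized requests are rejected at Tomcat; lowering the httpd limits until `proxy_is_tighter` is true moves that rejection to the front end. Leave some margin when doing so, since mod_proxy adds headers such as X-Forwarded-For to the forwarded request.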