httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Igor Galić <i.ga...@brainsware.org>
Subject Re: [users@httpd] LimitRequestBody and Content-Length header
Date Tue, 08 Feb 2011 13:54:39 GMT


----- Original Message -----
> 
> Can anyone offer any advice on this one?
> 
> Cheers
> 
> 
> 
> joelittlejohn wrote:
> > 
> > Hi all,
> > 
> > I'm try to use the LimitRequestBody directive to protect against
> > clients that attempt to make request  with extremely large body to
> > negatively affect our service. I'd like to know whether this
> > directive
> > rejects requests based on the value of the Content-Length header,
> > or
> > whether the *real* size of the body is checked.

>From looking at the code, it's taking the real size of the body.

> > We intend to use Apache 2.2 in front of JBoss and delegate incoming
> > requests to JBoss using mod_proxy. When a request comes in, we're
> > concerned that when submitting a malicious message with a very
> > large
> > body, the client may report a false value in the Content-Length

Note that LimitRequestBody does not affect proxies.

> > header. I've also seen the SecRequestBodyLimit directive available
> > in

check out mod_proxy's documentation:
http://www.modsecurity.org/documentation/modsecurity-apache/2.5.12/html-multipage/configuration-directives.html#N10878

It doesn't say anything about it....

So I gueess you're best off trying it out.

> > ModSecurity, so I'd be interested to know if anyone knows what the
> > difference is between these two directives (if any) and whether one
> > provides better protection than the other.
> > 
> > I've tried to simulate malicious requests using curl but I'm not
> > sure
> > if I'm producing exactly the request header values I need. I've
> > also
> > had a look at the source code but I can't find the exact code that

https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/modules/http/http_filters.c

In trunk also here: modules/proxy/mod_proxy_http.c

> > executes the LimitRequestBody directive. Can anyone help?
> > 
> > Thanks in advance,
> > 
> > Joe
> > 
> > ---------------------------------------------------------------------
> > The official User-To-User support forum of the Apache HTTP Server
> > Project.
> > See <URL:http://httpd.apache.org/userslist.html> for more info.
> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> > For additional commands, e-mail: users-help@httpd.apache.org
> > 
> > 
> > 
> 
> --
> View this message in context:
> http://old.nabble.com/-users%40httpd--LimitRequestBody-and-Content-Length-header-tp30826145p30862426.html
> Sent from the Apache HTTP Server - Users mailing list archive at
> Nabble.com.
> 
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server
> Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 
> 

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message