httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joe Littlejohn <joelittlej...@gmail.com>
Subject [users@httpd] LimitRequestBody and Content-Length header
Date Wed, 02 Feb 2011 13:50:34 GMT
Hi all,

I'm try to use the LimitRequestBody directive to protect against
clients that attempt to make request  with extremely large body to
negatively affect our service. I'd like to know whether this directive
rejects requests based on the value of the Content-Length header, or
whether the *real* size of the body is checked.

We intend to use Apache 2.2 in front of JBoss and delegate incoming
requests to JBoss using mod_proxy. When a request comes in, we're
concerned that when submitting a malicious message with a very large
body, the client may report a false value in the Content-Length
header. I've also seen the SecRequestBodyLimit directive available in
ModSecurity, so I'd be interested to know if anyone knows what the
difference is between these two directives (if any) and whether one
provides better protection than the other.

I've tried to simulate malicious requests using curl but I'm not sure
if I'm producing exactly the request header values I need. I've also
had a look at the source code but I can't find the exact code that
executes the LimitRequestBody directive. Can anyone help?

Thanks in advance,

Joe

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message