tomcat-users mailing list archives

From Konstantin Kolinko
Subject Re: maxHTTPHeaderSize, and specific header lengths
Date Mon, 01 Oct 2012 15:41:06 GMT
2012/10/1 Andrew Todd:
> On Sun, Sep 30, 2012 at 6:21 AM, Konstantin Kolinko wrote:
>> In Tomcat each request processor has a byte buffer and all the headers
>> must fit into that buffer.
> Thanks so much for the detailed response. I have a couple more questions:
> 1) When a request is rejected for being too large, is there any
> logging that happens or can happen in Tomcat?

I think that you should see a record in the access log with a certain
HTTP response code.
(Try to test it and see what happens).

There should not be anything in the "catalina" log, unless you enable
debug logging.

> Looks like you'll get an IllegalArgumentException.

A request with too long headers is rejected before it reaches a web
application. What exception happens is up to Tomcat internals.

> 2) Apache httpd will accept a request-line of 8190 bytes.
> Additionally, each header line can have a maximum length of 8190
> bytes. With the default maximum of 100 request fields, this means that
> httpd will accept a header of up to (101 * 8190) = 827,190 bytes in
> size.
> Let's say I'm fronting Tomcat with Apache, and I set maxHttpHeaderSize
> to 827,190 bytes so that they have the same limit.
> Is a byte array of that size going to be allocated for each incoming
> request, regardless of how short or long it actually is?

1. Yes. For each request processor. So the buffer is reused for
subsequent requests.

2. If the protocol between HTTPD and Tomcat is AJP,
then the protocol itself has its own limitation, which is ~15 times
less than that amount.

> And, in a worst-case scenario, if all of Tomcat's default 200 threads
> receive headers of 827,190 bytes at the same time, I'm looking at
> about 166 megabytes of memory allocated on the heap. Is that accurate?
> (I think I have enough memory to handle this; GC might be a little
> much, though).
> For the record, I'm not seriously expecting headers of this size on a
> regular basis, but wondering about the edge cases.

3. Note that there are also limits on the count of headers and on the
count of parameters in a GET/POST request.

4. A request that has 1Mb of headers wastes a lot of bandwidth.

Best regards,
Konstantin Kolinko
