Apache mod-security

Mandar Jog | 9 Jun 2012 04:44

Picon

413 Request Entity Too Large for chunked encoded message

I use mod security to log requset body amongst other things.
This affects my production systems to any help is much appreciated.

A particular type of request is a POST of xml data with chunked encoding.
mod_security is rejecting about 20% of these POSTs with a '413 Request
Entity Too Large'

       SecAuditEngine On
       SecRuleEngine On
       SecRequestBodyLimit 132217728
       SecRequestBodyNoFilesLimit 132217728
       SecRequestBodyInMemoryLimit 132217728

I have set these limits to be incredibly high.
even with these I continue to get the 413 errors. I can be asolutely
certain that the POST request is less that 132M like I have
configured.

--58fded3e-A--
[09/Jun/2012:00:33:20 +0000] T9KZvwr-fhAAAGPsEZUAAACL 10.248.5.170
36263 10.255.126.16 80
--58fded3e-B--
POST /Y2ZhNjliMTM1YzVkY2MzOTZjMzZmMzg5ZDA1Yzg0N2E= HTTP/1.1
host: abc.com
Cache-Control: no-cache
Content-type: text/xml
User-Agent: egauge/pusher
X-Forwarded-For: 65.220.109.5
X-Forwarded-Port: 80
X-Forwarded-Proto: http

(Continue reading)

Javier Conti | 9 Jun 2012 08:59

Picon

Re: 413 Request Entity Too Large for chunked encoded message

On 9 June 2012 04:44, Mandar Jog <mandarjog <at> gmail.com> wrote:
> I use mod security to log requset body amongst other things.
> This affects my production systems to any help is much appreciated.
>
>
> A particular type of request is a POST of xml data with chunked encoding.
> mod_security is rejecting about 20% of these POSTs with a '413 Request
> Entity Too Large'
>
>       SecAuditEngine On
>       SecRuleEngine On
>       SecRequestBodyLimit 132217728
>       SecRequestBodyNoFilesLimit 132217728
>       SecRequestBodyInMemoryLimit 132217728
>
> I have set these limits to be incredibly high.
> even with these I continue to get the 413 errors. I can be asolutely
> certain that the POST request is less that 132M like I have
> configured.

Hi Mandar,

do you proxy your requests on a backend using SSL? If yes
check the "SSLRenegBufferSize" directive which should be
128KB by default and would generate a 413 if exceeded.

This assuming Apache's own limits, like LimitRequestBody
and similar directives, are already ok.

Hope this helps, regards, Javier

(Continue reading)

Mandar Jog | 10 Jun 2012 17:52

Picon

Re: 413 Request Entity Too Large for chunked encoded message

LimitRequestBody setting is left at the default. I am checking what it is.

An interesting to note is that the mod_security says

>> --58fded3e-F--
>> HTTP/1.1 413 Request Entity Too Large
>>

but the apache access log has an error '408' instead of 413 as
reported in the mod_security audit log.
Does that point to a timeout ?

regards,
- Mandar

On Sat, Jun 9, 2012 at 2:59 AM, Javier Conti <javier.conti <at> gmail.com> wrote:
> On 9 June 2012 04:44, Mandar Jog <mandarjog <at> gmail.com> wrote:
>> I use mod security to log requset body amongst other things.
>> This affects my production systems to any help is much appreciated.
>>
>>
>> A particular type of request is a POST of xml data with chunked encoding.
>> mod_security is rejecting about 20% of these POSTs with a '413 Request
>> Entity Too Large'
>>
>>       SecAuditEngine On
>>       SecRuleEngine On
>>       SecRequestBodyLimit 132217728
>>       SecRequestBodyNoFilesLimit 132217728
>>       SecRequestBodyInMemoryLimit 132217728

(Continue reading)

Mandar | 11 Jun 2012 02:13

Picon

Re: 413 Request Entity Too Large for chunked encoded message

It turns out that this was caused by unable to read a chunk because of an underlying timeout.

It was reported as error 413 in the audit logs.

Regards,
Mandar U Jog

On Jun 9, 2012, at 2:59 AM, Javier Conti <javier.conti <at> gmail.com> wrote:

> On 9 June 2012 04:44, Mandar Jog <mandarjog <at> gmail.com> wrote:
>> I use mod security to log requset body amongst other things.
>> This affects my production systems to any help is much appreciated.
>> 
>> 
>> A particular type of request is a POST of xml data with chunked encoding.
>> mod_security is rejecting about 20% of these POSTs with a '413 Request
>> Entity Too Large'
>> 
>>       SecAuditEngine On
>>       SecRuleEngine On
>>       SecRequestBodyLimit 132217728
>>       SecRequestBodyNoFilesLimit 132217728
>>       SecRequestBodyInMemoryLimit 132217728
>> 
>> I have set these limits to be incredibly high.
>> even with these I continue to get the 413 errors. I can be asolutely
>> certain that the POST request is less that 132M like I have
>> configured.
> 
> Hi Mandar,

(Continue reading)

Ryan Barnett | 11 Jun 2012 17:53

Re: 413 Request Entity Too Large for chunked encoded message


On 6/10/12 8:13 PM, "Mandar" <mandarjog <at> gmail.com> wrote:

>It turns out that this was caused by unable to read a chunk because of an
>underlying timeout.
>
>It was reported as error 413 in the audit logs.

Correct, if ModSecurity applied a disruptive action to the transaction, it
would be specified in section H in the audit log with a "Message: " tag.
In this case, it looks like the app server itself issued the timeout.

-Ryan

>
>Regards,
>Mandar U Jog
>
>
>On Jun 9, 2012, at 2:59 AM, Javier Conti <javier.conti <at> gmail.com> wrote:
>
>> On 9 June 2012 04:44, Mandar Jog <mandarjog <at> gmail.com> wrote:
>>> I use mod security to log requset body amongst other things.
>>> This affects my production systems to any help is much appreciated.
>>> 
>>> 
>>> A particular type of request is a POST of xml data with chunked
>>>encoding.
>>> mod_security is rejecting about 20% of these POSTs with a '413 Request
>>> Entity Too Large'

(Continue reading)

Return

Return to gmane.comp.apache.mod-security.user.

Project Web Page

Apache mod-security

Search Archive

Language

Change language

Options

Current view: Threads only / Showing only 20 lines / Not hiding cited text.
Change to All messages, whole messages, or hide cited text.

Post a message
NNTP Newsgroup
Classic Gmane web interface
XML

XML

RSS Feed
List Information

About Gmane