Large authorization header returning error 400

Hello,


I have a problem configuring httpd to accept large SPNEGO authentication headers.
The request works fine with an Authorization header line of up to at least 5674 bytes but breaks with an Authorization header of more than 6178 bytes, with the following answer:


    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>400 Bad Request</title>
    </head><body>
    <h1>Bad Request</h1>
    <p>Your browser sent a request that this server could not understand.<br />
    Size of a request header field exceeds server limit.</p>
    </body></html>


And the following error in the server log (debug level):


    [Thu Aug 23 07:26:31 2018] [error] [client x.x.x.x] request failed: error reading the headers




Here is an excerpt of the server-info page we have activated to ensure that the LimitRequestFieldSize was high enough (currently set at ~40k):


    129: LimitRequestBody 52428800
    130: LimitRequestFields 50
    131: LimitRequestFieldsize 40960
    132: LimitRequestLine 40960


The server is running RHEL 6.7 with the stock httpd server:


    $ httpd -V
    Server version: Apache/2.2.15 (Unix)
    Server built:   Mar  3 2015 12:06:14
    Server's Module Magic Number: 20051115:25
    Server loaded:  APR 1.3.9, APR-Util 1.3.9
    Compiled using: APR 1.3.9, APR-Util 1.3.9
    Architecture:   64-bit
    Server MPM:     Prefork
      threaded:     no
        forked:     yes (variable process count)
    Server compiled with....
     -D APACHE_MPM_DIR="server/mpm/prefork"
     -D APR_HAS_SENDFILE
     -D APR_HAS_MMAP
     -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
     -D APR_USE_SYSVSEM_SERIALIZE
     -D APR_USE_PTHREAD_SERIALIZE
     -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
     -D APR_HAS_OTHER_CHILD
     -D AP_HAVE_RELIABLE_PIPED_LOGS
     -D DYNAMIC_MODULE_LIMIT=128
     -D HTTPD_ROOT="/etc/httpd"
     -D SUEXEC_BIN="/usr/sbin/suexec"
     -D DEFAULT_PIDLOG="run/httpd.pid"
     -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
     -D DEFAULT_LOCKFILE="logs/accept.lock"
     -D DEFAULT_ERRORLOG="logs/error_log"
     -D AP_TYPES_CONFIG_FILE="conf/mime.types"
     -D SERVER_CONFIG_FILE="conf/httpd.conf"

Is there anything obvious we could be missing in our configuration that prevents large headers from being read?
Is there still a hard-coded limit on header size in the Red Hat Apache 2.2?

Thanks.



-- 
Gfi Informatique
Bernard Audebert
Developer
Division Sud-Ouest AS
bernard.audebert@xxxxxx
1, Rond-point du général Eisenhower - 31000 Toulouse
www.gfi.world

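As an added example (editor's code, not part of the original message and not httpd's own code): a small Python emulation of what LimitRequestFieldSize and LimitRequestFields mean, which reads the directive values from the mod_info excerpt quoted above and computes how large a raw SPNEGO token can be before its base64 Authorization line exceeds a given limit. The 8190 defaults are the documented httpd 2.2 values (an assumption about a stock build, not read from this server), and the 400 wording for the field-count case is emulated; only the field-size wording is the one quoted in the message.

```python
import base64

# httpd 2.2 documented defaults (assumption: stock build; not read from this server).
HTTPD_DEFAULTS = {"LimitRequestLine": 8190, "LimitRequestFieldSize": 8190, "LimitRequestFields": 100}
# Reason text of the 400 page quoted in the message above.
FIELDSIZE_REASON = "Size of a request header field exceeds server limit."

def parse_limits(server_info_text, defaults=HTTPD_DEFAULTS):
    """Read LimitRequest* directives from a mod_info/httpd.conf excerpt (names are case-insensitive)."""
    cfg = dict(defaults)
    canon = {name.lower(): name for name in defaults}
    for line in server_info_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].endswith(":") and parts[0][:-1].isdigit():
            parts = parts[1:]  # drop mod_info's line-number prefix
        if len(parts) == 2 and parts[0].lower() in canon and parts[1].isdigit():
            cfg[canon[parts[0].lower()]] = int(parts[1])
    return cfg

def check_headers(header_lines, cfg):
    """Emulate the two field limits on 'Name: value' lines; None if accepted, else the 400 reason."""
    if len(header_lines) > cfg["LimitRequestFields"]:
        return "Number of request header fields exceeds server limit."  # emulated wording
    for line in header_lines:
        if len(line) > cfg["LimitRequestFieldSize"]:
            return FIELDSIZE_REASON
    return None

def spnego_header_line(token):
    """Header line a browser sends for a GSS/SPNEGO token (RFC 4559: base64 after 'Negotiate ')."""
    return "Authorization: Negotiate " + base64.b64encode(token).decode("ascii")

def max_token_bytes(limit_fieldsize):
    """Largest raw GSS token whose base64 Authorization line still fits in limit_fieldsize bytes."""
    prefix = len("Authorization: Negotiate ")
    b64_room = (limit_fieldsize - prefix) // 4 * 4  # base64 output length is a multiple of 4
    return b64_room // 4 * 3                        # every 4 base64 chars carry 3 raw bytes

# Constructed sample: the mod_info excerpt quoted in the message above.
SERVER_INFO_EXCERPT = """\
129: LimitRequestBody 52428800
130: LimitRequestFields 50
131: LimitRequestFieldsize 40960
132: LimitRequestLine 40960
"""

if __name__ == "__main__":
    cfg = parse_limits(SERVER_INFO_EXCERPT)
    print(check_headers([spnego_header_line(bytes(4600))], cfg))  # constructed ~6.2 kB header line
    print(max_token_bytes(HTTPD_DEFAULTS["LimitRequestFieldSize"]))
```

Running the same check against the 8190 default shows the headroom a Kerberos token with a large PAC actually has once base64 expansion and the `Negotiate ` prefix are counted.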
