Can anyone offer any advice on this one?

Cheers

joelittlejohn wrote:
>
> Hi all,
>
> I'm trying to use the LimitRequestBody directive to protect against
> clients that attempt to make requests with an extremely large body to
> negatively affect our service. I'd like to know whether this directive
> rejects requests based on the value of the Content-Length header, or
> whether the *real* size of the body is checked.
>
> We intend to use Apache 2.2 in front of JBoss and delegate incoming
> requests to JBoss using mod_proxy. When a request comes in, we're
> concerned that when submitting a malicious message with a very large
> body, the client may report a false value in the Content-Length
> header. I've also seen the SecRequestBodyLimit directive available in
> ModSecurity, so I'd be interested to know if anyone knows what the
> difference is between these two directives (if any) and whether one
> provides better protection than the other.
>
> I've tried to simulate malicious requests using curl but I'm not sure
> if I'm producing exactly the request header values I need. I've also
> had a look at the source code but I can't find the exact code that
> executes the LimitRequestBody directive. Can anyone help?
>
> Thanks in advance,
>
> Joe
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>

--
View this message in context: http://old.nabble.com/-users%40httpd--LimitRequestBody-and-Content-Length-header-tp30826145p30862426.html
Sent from the Apache HTTP Server - Users mailing list archive at Nabble.com.