----- Original Message -----
>
> Can anyone offer any advice on this one?
>
> Cheers
>
>
> joelittlejohn wrote:
> >
> > Hi all,
> >
> > I'm trying to use the LimitRequestBody directive to protect against
> > clients that attempt to make requests with extremely large bodies to
> > negatively affect our service. I'd like to know whether this directive
> > rejects requests based on the value of the Content-Length header, or
> > whether the *real* size of the body is checked.

From looking at the code, it's taking the real size of the body.

> > We intend to use Apache 2.2 in front of JBoss and delegate incoming
> > requests to JBoss using mod_proxy. When a request comes in, we're
> > concerned that when submitting a malicious message with a very large
> > body, the client may report a false value in the Content-Length

Note that LimitRequestBody does not affect proxies.

> > header. I've also seen the SecRequestBodyLimit directive available in

Check out mod_proxy's documentation:
http://www.modsecurity.org/documentation/modsecurity-apache/2.5.12/html-multipage/configuration-directives.html#N10878
It doesn't say anything about it.... So I guess you're best off trying it out.

> > ModSecurity, so I'd be interested to know if anyone knows what the
> > difference is between these two directives (if any) and whether one
> > provides better protection than the other.
> >
> > I've tried to simulate malicious requests using curl but I'm not sure
> > if I'm producing exactly the request header values I need. I've also
> > had a look at the source code but I can't find the exact code that

https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/modules/http/http_filters.c
In trunk also here: modules/proxy/mod_proxy_http.c

> > executes the LimitRequestBody directive. Can anyone help?
> >
> > Thanks in advance,
> >
> > Joe
> >
> > ---------------------------------------------------------------------
> > The official User-To-User support forum of the Apache HTTP Server Project.
> > See <URL:http://httpd.apache.org/userslist.html> for more info.
> > To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> >    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>
> --
> View this message in context: http://old.nabble.com/-users%40httpd--LimitRequestBody-and-Content-Length-header-tp30826145p30862426.html
> Sent from the Apache HTTP Server - Users mailing list archive at Nabble.com.
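
The distinction asked about in this thread (declared Content-Length versus bytes actually received), as a small model added here for illustration; it is not code from httpd, ModSecurity, or anyone in the thread. `read_body`, `BodyTooLarge` and the sample input are hypothetical names and constructed data.

```python
import io
import re

class BodyTooLarge(Exception):
    """Caller should answer 413 Request Entity Too Large."""

def read_body(headers, stream, limit):
    """Return the request body, refusing to accept more than `limit` bytes.

    `headers` uses lower-case names; `stream` is positioned at the body start.
    """
    if headers.get("transfer-encoding", "").lower() == "chunked":
        return _read_chunked(stream, limit)
    declared = headers.get("content-length", "0")
    if not declared.isdigit():
        raise ValueError("malformed Content-Length")
    declared = int(declared)
    if declared > limit:
        # Declared size alone is enough to reject, before any body byte is read.
        raise BodyTooLarge(f"declared {declared} > limit {limit}")
    # Read exactly the declared length: bytes beyond it are not this body.
    body = stream.read(declared)
    if len(body) != declared:
        raise ValueError("body shorter than Content-Length")
    return body

def _read_chunked(stream, limit):
    """No length is declared up front, so count real bytes chunk by chunk."""
    body = bytearray()
    while True:
        size_field = stream.readline(64).split(b";")[0].strip()
        if not re.fullmatch(rb"[0-9A-Fa-f]{1,8}", size_field):
            raise ValueError("malformed chunk size")
        size = int(size_field, 16)
        if size == 0:
            return bytes(body)  # trailers are ignored in this sketch
        if len(body) + size > limit:
            raise BodyTooLarge(f"chunked body exceeds limit {limit}")
        chunk = stream.read(size)
        if len(chunk) != size or stream.read(2) != b"\r\n":
            raise ValueError("truncated or malformed chunk")
        body += chunk

if __name__ == "__main__":
    # Constructed sample: 5 bytes declared, 1005 bytes actually sent.
    sample = io.BytesIO(b"hello" + b"A" * 1000)
    print(read_body({"content-length": "5"}, sample, limit=10))
```

A limit that only compares the header would pass the chunked case unchecked, which is why the chunked path counts bytes as they arrive.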