Hi all, I'm try to use the LimitRequestBody directive to protect against clients that attempt to make request with extremely large body to negatively affect our service. I'd like to know whether this directive rejects requests based on the value of the Content-Length header, or whether the *real* size of the body is checked.
We intend to use Apache 2.2 in front of JBoss and delegate incoming requests to JBoss using mod_proxy. When a request comes in, we're concerned that when submitting a malicious message with a very large body, the client may report a false value in the Content-Length header. I've also seen the SecRequestBodyLimit directive available in ModSecurity, so I'd be interested to know if anyone knows what the difference is between these two directives (if any) and whether one provides better protection than the other. I've tried to simulate malicious requests using curl but I'm not sure if I'm producing exactly the request header values I need. I've also had a look at the source code but I can't find the exact code that executes the LimitRequestBody directive. Can anyone help? Thanks in advance, Joe --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org " from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
