What I have:
I have an iPhone app that sends HTTP POST requests (XML format) to a web service written in PHP. This is on a hosted virtual private server so I can edit httpd.conf and other files on the server, and restart Apache.
The problem:
The web service works perfectly as long as the request is not too large, but around 1MB is the limit. After that, the server responds with:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>413 Request Entity Too Large</title>
</head><body>
<h1>Request Entity Too Large</h1>
The requested resource<br />/<br />
does not allow request data with POST requests, or the amount of data
provided in the request exceeds the capacity limit.
</body></html>
The web service writes its own log file, and I can see that small messages are processed fine. Larger messages are not logged at all so I guess that something in Apache rejects them before they even reach the web service?
Things I've tried without success:
(I've restarted Apache after every change. These steps are incremental.)
- hosting provider's web-based configuration panel: disable mod_security
- httpd.conf:
LimitXMLRequestBody 0andLimitRequestBody 0 - httpd.conf:
LimitXMLRequestBody 100000000andLimitRequestBody 100000000 - httpd.conf:
SecRequestBodyLimit 100000000
At this stage, Apache's error.log contains a message:
ModSecurity: Request body no files data length is larger than the configured limit (1048576)
The fact that there's an error statement by ModSecurity indicates that my step #1 didn't really take. Apache's access.log looks like this, with 3 successful small messages and 2 failed large messages:
"POST / HTTP/1.1" 200 310 "-" "Audiopad/1.0 CFNetwork/548.0.4 Darwin/11.0.0"
"POST / HTTP/1.1" 200 310 "-" "Audiopad/1.0 CFNetwork/548.0.4 Darwin/11.0.0"
"POST / HTTP/1.1" 200 310 "-" "Audiopad/1.0 CFNetwork/548.0.4 Darwin/11.0.0"
"POST / HTTP/1.1" 413 464 "-" "Audiopad/1.0 CFNetwork/548.0.4 Darwin/11.0.0"
"POST / HTTP/1.1" 413 464 "-" "Audiopad/1.0 CFNetwork/548.0.4 Darwin/11.0.0"
Apache's error.log has this info about the large messages:
[error] [client 194.24.138.43] ModSecurity: Request body no files data length is larger than the configured limit (1048576). [hostname "webservice-audiopad.golfbravo.net"] [uri "/"]
[error] [client 194.24.138.43] ModSecurity: Request body no files data length is larger than the configured limit (1048576). [hostname "webservice-audiopad.golfbravo.net"] [uri "/"]
However, I don't see the value 1048576 anywhere in httpd.conf.
What more can I try, to get the web service to receive large messages?
I set
SecRequestBodyAccess Offfor now and that solved all problems.I ran into the same exact issue.
SecRequestBodyNoFilesLimit was the reason.
it was not used in my config at all, but it does have a default value, 1048576.
Once I found that this setting existed, I set it larger than my files and everything is working.
Here is the documentation https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecRequestBodyNoFilesLimit
if you compare to the entry above SecRequestBodyLimit the documentation seems very convoluted. What I was able to boil it down to is this; If you're uploading an actual file attachment the prior setting will rule. If you are pasting the contents of a file into something like a form and the payload is in the PUT then SecRequestBodyNoFilesLimit rules.
You say this is a PHP service, so that means that php.ini is ever bit as much in play as httpd.conf.
There are a number of size limits defined in php.ini, including limits on the size of requests, so I'd start by verifying those limits are all big enough for your needs.
Everything I have tried to fix this has failed. One last search and found this here.
SecRequestBodyAccess Off
That did the trick. I know this is 10 years old but sure did help me!