increase LimitRequestFieldSize
Activity
Based on @stuart.anderson's comment I figured out that you have to relax the header size constraint in gunicorn as well as in Apache. But that parameter has to be set from the CLI at launch time instead of in a config file, annoying.
Here's how you can test this via the command line. First generate a big string of ASCII to put in a request header:
$ random="$(LC_ALL=C tr -dc 'A-Za-z0-9!"#$%&'\''()*+,-./:;<=>?@[\]^_`{|}~' </dev/urandom | head -c 10240)"
This is an example with the original server configuration, before the Apache fix:
$ curl --header "X-TestHeader: $random" https://gracedb-dev1.ligo.org/api/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Size of a request header field exceeds server limit.</p>
</body></html>
This is after the Apache fix, but without the gunicorn fix:
$ curl --header "X-TestHeader: $random" https://gracedb-dev1.ligo.org/api/
<html>
<head>
<title>Request Header Fields Too Large</title>
</head>
<body>
<h1><p>Request Header Fields Too Large</p></h1>
Error parsing headers: 'limit request headers fields size'
</body>
</html>
And then the output is as expected after applying both fixes. Right now Apache and gunicorn limits are 16kb (double from before). This seems reasonable enough and should cover LVK users, without opening the server up to any DDoS attacks.
Lastly, it would seem that Traefik's limit is 1MB.
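The test procedure above, turned into a repeatable check (an added example, not part of the original comment or the project's code): it binary-searches for the largest X-TestHeader value a service accepts and uses the two error pages quoted above to name the layer that rejected the next size up. The function names, the `URL` environment variable and the 1024 to 65536 byte search bounds are assumptions.

```shell
#!/bin/sh
# Added example: measure the effective header-size limit of a proxy chain
# and identify which layer enforces it. Point URL at a service you operate.

# Map a response body to the layer that rejected it, using the two error
# pages quoted in this thread. "none" means neither rejection page was seen.
classify_rejection() {
  case "$1" in
    *"Size of a request header field exceeds server limit"*) echo apache ;;
    *"Error parsing headers"*|*"Request Header Fields Too Large"*) echo gunicorn ;;
    *) echo none ;;
  esac
}

# Fetch URL with an N-byte X-TestHeader value and print the response body.
fetch_with_header() {
  value=$(head -c "$1" /dev/zero | tr '\0' 'A')
  curl -s --header "X-TestHeader: $value" "${URL:?set URL first}"
}

# Probe: succeeds when a request with an N-byte value is not rejected.
probe_http() {
  [ "$(classify_rejection "$(fetch_with_header "$1")")" = none ]
}

# Largest size for which "$probe size" succeeds.
# Assumes size lo is accepted and size hi is rejected.
find_limit() {
  probe="$1"; lo="$2"; hi="$3"
  while [ $((hi - lo)) -gt 1 ]; do
    mid=$(( (lo + hi) / 2 ))
    if "$probe" "$mid"; then lo=$mid; else hi=$mid; fi
  done
  echo "$lo"
}

# Runs only when URL is set, so sourcing this file sends no traffic.
if [ -n "${URL:-}" ]; then
  limit=$(find_limit probe_http 1024 65536)
  layer=$(classify_rejection "$(fetch_with_header $((limit + 1)))")
  echo "largest accepted X-TestHeader value: $limit bytes (next size rejected by: $layer)"
fi
```

Running it before and after a configuration change shows whether the effective limit moved and whether the rejecting layer changed from Apache to gunicorn.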
@alexander.pace thanks for tracking this down. Please also post this nice CLI test procedure more broadly (including auth@ligo.org) so other developers can also test their web services.
mentioned in merge request !223 (merged)
enabled an automatic merge when the pipeline for 355aeaeb succeeds