All geek questions in one place

JBoss HTTP request size limit

I am using Jboss 4.2.3 as an application server. Is there a way to limit the size of the HTTP request received by JBoss? I want to limit the size to avoid DOS attacks.

I already sat maxHttpHeaderSize and maxPostSize in server.xml, but none of them have any meaning.

+4
source share
3 answers

maxPostSize determines how large the POST can be before Tomcat parses it “automatically”, whatever that means.

If you do this for security reasons, you need to think twice about how you do it. The DOS attack is not going to declare its size as the header of the HTTP request, it will simply send data until your server crashes.

You can check the Content-Length header of the request and immediately reject it if it is not submitted or too large, but you run the risk of abandoning genuine clients that do not supply a header that many will not.

Otherwise, you just need to read the request data until it crosses the threshold and then rejects it.

In any case, the container cannot help you.

+3
source

Tomcat accepts an HTTP request at $JBOSS_HOME/server/default/deploy/jbossweb-tomcat55.sar/server.xml , you can configure maxHttpHeaderSize as an attribute of the Connector tag.

To have control over the content, you would use Valve or Filter

0
source

For Jboss, you must configure the configuration file (for example: standalone-full.xml) as follows: max-post-size = "26214400" means 25 MB

 <subsystem xmlns="urn:jboss:domain:undertow:3.1"> <buffer-cache name="default"/> <server name="default-server"> <http-listener name="default" max-post-size="26214400" socket-binding="http" redirect-socket="https"/> <host name="default-host" alias="localhost"> <location name="/" handler="welcome-content"/> <filter-ref name="server-header"/> <filter-ref name="x-powered-by-header"/> </host> </server> <servlet-container name="default"> <jsp-config/> <websockets/> </servlet-container> <handlers> <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/> </handlers> <filters> <response-header name="server-header" header-name="Server" header-value="JBoss-EAP/7"/> <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/> </filters> </subsystem>
0
source

Source: https://habr.com/ru/post/1303684/

More articles:


All Articles