According to this documentation you can configure IIS 10 on Windows Server 2016 to write custom fields as long as "The total amount of data added in custom fields cannot exceed 65,536 bytes"
I have configured a custom field to write the cookies from Header and another from the server variable into the logs and this works just fine.
But only 4096 bytes are written to the log no matter what value I put in maxCustomFieldLength.
When I send 8k of data in the cookies and I:
set maxCustomFieldLength to 4096 I only get 2048 bytes in the log file.
increase maxCustomFieldLength to 65536, I only get 4096 bytes in the log file.
I have verified using fiddler that the browser requests are sending the full 8k cookies value and that they are not truncating the value to 4096 at the client.
Any ideas why IIS is truncating the cookies value to 4096 and not respecting maxCustomFieldLength greater than 4096?
Having done extensive research into this now, the only way I have found to get all the cookies logged to the standard IIS log files when they are < 4k is to write a custom HttpModule that:
hooks into Begin_Request
reads the raw cookies string from the Request Headers
splits it into chunks < 4k (preserving entire cookies as whole items, name and value)
write the chunks into custom request headers
configure IIS with a bunch of new custom fields to drop the new request headers into the iis logs
Related
We have a lot of web applications behind one Application Gateway. We recognize a problem with a couple of them when "Inspect request body size" is on and configured to it's default size - 128KB.
I would like to get recommendation how to solve it best way:
Turn it off?
Increase a Max body size?
Create additional Application Gateway?
Any ideas will be appreciated.
I understand that you are having issues with Azure App Gateway where you are seeing an issue when "Inspect request body size" is turned on and set to 128KB and want to know the best way to address the same.
As per Azure WAF Request size limits:
The maximum request body size field is specified in kilobytes and controls overall request size limit excluding any file uploads. This field has a minimum value of 1 KB and a maximum value of 128 KB. The default value for request body size is 128 KB.
However, For CRS 3.2 (on the WAF_v2 SKU) and newer, these limits are as follows:
2MB request body size limit
4GB file upload limit
WAF also offers a configurable knob to turn the request body inspection on or off. By default, the request body inspection is enabled. If the request body inspection is turned off, WAF doesn't evaluate the contents of HTTP message body. In such cases, WAF continues to enforce WAF rules on headers, cookies, and URI. If the request body inspection is turned off, then maximum request body size field isn't applicable and can't be set. Turning off the request body inspection allows for messages larger than 128 KB to be sent to WAF, but the message body isn't inspected for vulnerabilities.
To change to CRS 3.2, go to WAF Policy > Manged Rules > change to 3.2 and hit save. Once you do the same, change the size of the request body size to 2 MB and hit save.
Hope this helps. If you have any further questions, please do let us know and we will be glad to assist further. Thank you!
I am trying to use NestJs to develop an API. I am getting Http Error Code 431, when the bearer token passed as HTTP header is too long (around 2400 characters). But it works when the bearer token is around 1200 characters. Is there any setting that we can do to increase the header size limit? I am using nodejs12
The HTTP 431 Request Header Fields Too Large response status code indicates that the server refuses to process the request because the request’s HTTP headers are too long. The request may be resubmitted after reducing the size of the request headers.
431 can be used when the total size of request headers is too large, or when a single header field is too large. To help those running into this error, indicate which of the two is the problem in the response body — ideally, also include which headers are too large. This lets users attempt to fix the problem, such as by clearing their cookies.
Servers will often produce this status if:
The Referer URL is too long
There are too many Cookies sent in the request
The below solution is not specific to nest.js but to any node.js server.
On running node --help, you'll see one of the flag will be:
...
--max-http-header-size=... set the maximum size of HTTP headers (default: 8KB)
...
This Node.js CLI flag can help:
--max-http-header-size=16384
It sets the HTTP Max Headers Size to 16KB.
You can set this flag to the value you want.
See this for reference.
The documentation states the maximum size on this flag, so take care of that.
I am running an Express website on an Azure Website instance (note I say Azure Website, not Azure Webrole)
Initially, uploading large files failed with an HTTP 500 error. After much research, I found that the solution is to manually adjust the value of the parameter <requestLimits maxAllowedContentLength="xxxxxxx" /> in the web.config file to a higher value. I increased that value to 1Gb and large files started to get uploaded successfully.
However, when I increase the size of that parameter (maxAllowedContentLength) to something much larger (say, 5Gb or 10Gb), the website does not even start up anymore. It looks like there is a hard-coded limit to how large this parameter can be.
Does anyone have links to documentation where the max value of this parameter is specified by Microsoft for an Azure Website, or any pointers on how to get files up to 10Gb to be uploaded?
maxAllowedContentLength is a uint which has a max value of 4,294,967,295 which makes the max limit 4GB - If you want to upload larger amounts of data, you will have to use chunked transfer encoding.
We've hit a problem with some forms in the admin portion of our web app. There are a handful of forms that contain a large number of fields (it can range anywhere from one input field to the hundreds).
We've found that as these forms grow, there is a point where the server will throw 500 errors when a form is posted.
After running a test, I was able to find that the server can handle forms with 100 fields in them; once 101 or more fields are used, we get the errors.
We run Coldfusion, and we have determined that Coldfusion is not throwing this error. We never see this error logged in Coldfusion, so we are assuming IIS is throwing an error even before it sends the request to the Coldfusion server.
I'm assuming there is some setting in IIS 7.5 where we can up this limit. I've searched on the web, but all I can find is how to raise the byte-size limits of this data, not any kind of limit on a number of fields that are allowed.
So, am I right in assuming that this can be changed, and if so, how can it be done?
This is an issue introduced with hotfix APSB12-06. While it is a ColdFusion error, people have reported receiving the error in Tomcat, before it supposedly hit the CF server
There is a setting in neo-runtime.xml which defines the postsizelimit - and is defaulted to 100.
The full notes are located here, but here is the short version.
This hot fix has a new setting in ColdFusion, Post Parameter Limit. This setting limits the number of parameters in a post request. The default value is 100. If a post request contains more parameters as specified, the server doesn't process the request and throws an exception. This process protects against DoS attack using Hash Collision. This setting is different from Post Size Limit (ColdFusion Administrator > Settings > Maximum size of post data). This setting isn't exposed in the ColdFusion Administrator console. But you can easily change this limit in the neo-runtime.xml file. See point 5 below.
Customers who want to change postParameterLimit, go to {ColdFusion-Home}/lib for Server Installation or {ColdFusion-Home}/WEB-INF/cfusion/lib for Multiserver or J2EE installation. Open file neo-runtime.xml, after line.
<var name='postSizeLimit'><number>100.0</number></var>
Add the line below and you can change 100 with the desired number.
<var name='postParametersLimit'><number>100.0</number></var>
CF10+ has the setting available to edit within the CF Admin Settings page under Maximum number of POST request parameters under Server Settings -> Settings.
On our 9.0.1 server, we just increased the setting up to 10000 and have seen no adverse effects.
I believe you are bumping up against a security feature of ColdFusion. What ColdFusion version are you running? In ColdFusion Security Hotfix APSB12-06 they introduced a fix to protect against DoS attack using Hash Collision. From that page:
This hotfix implements a new setting in ColdFusion, Post Parameter
Limit. This limits the number of parameters in a post request. The
default value is 100. If a post request contains more parameters as
specified, server will not process the request and throws an
exception. This is done to protect against DoS attack using Hash
Collision. This setting is different from Post Size Limit (ColdFusion
Administrator > Settings > Maximum size of post data). We are not
exposing this setting in ColdFusion Administrator console, but this
limit can be easily changed in neo-runtime.xml file. See point 5
below.
Also on that page are instructions on how to increase that limit. Basically you have to make a change in your neo-runtime.xml file.
Customers who want to change postParameterLimit, go to
{ColdFusion-Home}/lib for Server Installation or
{ColdFusion-Home}/WEB-INF/cfusion/lib for Multiserver or J2EE
installation. Open file neo-runtime.xml, after line:
<var name='postSizeLimit'><number>100.0</number></var>
add the below line and you can change 100 with desired number.
<var name='postParametersLimit'><number>100.0</number></var>
In order to change the maximum upload size in IIS, the user can adjust in the IIS metabase the AspMaxRequestEntityAllowed value as explained in different sites.
My question is:
Is it possible to read the current maximum allowed size for uploads from classic Asp code?
Explanation:
I'm adjusting some upload code, and one feature now is to notify the client side of the maximum upload size so that files sent with Flash or FormData can be validated and not even try to send them if they are too large and the upload would fail. So I can either hope that when the users configure it, correctly write in the configuration file the maximum allowed by their server; but it would be much better if I can get the real value from IIS.
You can use WMI to do that. For instance, using VBScript:
Dim provider, setting, maxUploadSize
Set provider = GetObject("winmgmts:/root/MicrosoftIISv2")
Set setting = provider.Get("IIsWebVirtualDirSetting='W3SVC/1/ROOT'")
maxUploadSize = setting.AspMaxRequestEntityAllowed