Forum: Mongrel Limit Request Body Size (Disallow very large File-uploads)

Posted by gollomm (Guest)
on 2009-06-12 16:24
(Received via mailing list)
Hello all,

For the last couple of days I was trying to get my
Apache/mod_proxy/mongrel setup to limit the size of the request body.
The setup is as follows:

1.) Apache acts as a reverse proxy by facilitating mod_rewrite and 
mod_proxy
2.) Requests for non-static files are passed on to a mongrel_cluster
3.) We use mongrel for our Ruby on Rails application

Note that due to some restrictions we are unable to use
Apache/Passenger for our production deployment.

Is there a way to tell mongrel to skip requests which exceed a certain
limit (say 20MB) and return a 400 (Bad Request) response or the like?
I have tried to use the LimitRequestBody directive of Apache httpd,
but this obviously does not work, since Apache httpd passes most of
its requests directly on to mongrel. Thanks for your help!

Regards,
Severin
Posted by Stephan Wehner (stephanwehner)
on 2009-06-12 17:26
(Received via mailing list)
On Fri, Jun 12, 2009 at 6:46 AM, gollomm<gollomm@gmail.com> wrote:
> Hello all,
>
> For the last couple of days I was trying to get my
> Apache/mod_proxy/mongrel setup to limit the size of the request body.
> The setup is as follows:
>
> 1.) Apache acts as a reverse proxy by facilitating mod_rewrite and mod_proxy
> 2.) Requests for non-static files are passed on to a mongrel_cluster
> 3.) We use mongrel for our Ruby on Rails application

ModSecurity?

Stephan

> Severin
> _______________________________________________
> Mongrel-users mailing list
> Mongrel-users@rubyforge.org
> http://rubyforge.org/mailman/listinfo/mongrel-users
>



--
Stephan Wehner

-> http://stephan.sugarmotor.org (blog and homepage)
-> http://www.thrackle.org
-> http://www.buckmaster.ca
-> http://www.trafficlife.com
-> http://stephansmap.org -- http://blog.stephansmap.org
Posted by Ryan Stenhouse (Guest)
on 2009-06-12 17:54
(Received via mailing list)
gollomm wrote:

> Note that due to some restrictions we are unable to use
Hello Severin,

mod_security may very well be your friend there. It can be
configured to drop any request over a certain size, and by its
nature will drop it with standard HTTP error messages.

Regards,

Ryan
Posted by gollomm (Guest)
on 2009-06-12 18:18
(Received via mailing list)
On Fri, Jun 12, 2009 at 11:07 AM, Stephan Wehner<stephanwehner@gmail.com> wrote:
>
> ModSecurity?

Well, we are very confined regarding Apache modules. That does not
seem to be an option.

>> Note that due to some restrictions we are unable to use
>> Apache/Passenger for our production deployment.
>>
>> Is there a way to tell mongrel to skip requests which exceed a certain
>> limit (say 20MB) and return a 400 (Bad Request) response or the like?
>> I have tried to use the LimitRequestBody directive of Apache httpd,
>> but this obviously does not work, since Apache httpd passes most of
>> its requests directly on to mongrel. Thanks for your help!


I am currently looking into how mongrel handlers work and how I would
configure them. No luck so far. Ideally, I would like to change
mongrel's own file upload handler to drop requests which exceed a
certain limit. Here is an interesting thread I came across:
http://rubyforge.org/pipermail/mongrel-users/2006-...

The question is now, where is the code handling file-uploads in the
mongrel source? Alternatively, could somebody provide me some pointers
concerning mongrel handlers? I am totally new to mongrel...

Thanks,
Severin
Posted by Kirk Haines (Guest)
on 2009-06-12 18:41
(Received via mailing list)
Look at http_request.rb.

Mongrel already has a limit to the length of the headers that it will
accept, so you are covered there.  If you look at
HttpRequest#initialize, there is a "remain" variable that is set to
the content length of the body of the request.

You could simply insert a check there.  If it's too high, bail out
right there and throw back whatever error response you deem
appropriate.

It could be a 400, but it's probably better if it is a 413 Request
Entity Too Large.


Kirk Haines
Posted by gollomm (Guest)
on 2009-06-12 19:38
(Received via mailing list)
On Fri, Jun 12, 2009 at 12:40 PM, Kirk Haines<wyhaines@gmail.com> wrote:
>
> It could be a 400, but it's probably better if it is a 413 Request
> Entity Too Large.

Oh, I did that already. I had mongrel sending an error to the client,
when I realized that when that check is performed the provided file
(for upload) is stored on server side already. Instead, I'd like to do
something before all that. For processing the content_length, and the
remain variable respectively, the file has to be in its entirety on
the server. I'd like mongrel to abort processing the request body if
the HTTP header 'Content-Length' reports it'll be too large anyways.
What I'd like to do is checking the 'Content-Length' (something fast)
and bail out appropriately...

The most challenging part here is to figure out at what point mongrel
has access to the request's HTTP headers but has not begun processing
the request body in any way.

There is 'request_begins' for HttpHandlers, but providing code in
there never seems to be executed. Maybe I'd need some configuration
changes for handlers to be run or something similar. But I have no
idea how I'd do so or where to find some documentation about it...

Thank you very much for the great help,
Severin
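The check Kirk describes (compare the declared content length against a limit and answer 413) and the requirement Severin adds (decide from the Content-Length header alone, before any of the body has been read from the socket) can be written as one small, standalone routine. The following is an added example, not code from this thread or from the Mongrel source; it only parses the header block of a raw request and returns a verdict, and the place where it would be called (Mongrel's HttpRequest#initialize, or a handler that is notified at request start) is an assumption, not something verified here. The 20MB limit, the sample request head and the header names are constructed for the example. It also goes slightly beyond the thread by refusing conflicting or garbled Content-Length values with a 400 rather than guessing at a body length.

```ruby
# Added example: rejecting oversized uploads from the Content-Length
# header alone, before any of the body is read from the socket.
# Standalone illustration code, not Mongrel's own source; where to call it
# (e.g. HttpRequest#initialize or a request-start notifier) is assumed.

MAX_BODY_BYTES = 20 * 1024 * 1024  # the 20MB limit discussed in the thread

# Outcome of the pre-body check: status is nil when the body may be read.
Verdict = Struct.new(:status, :reason, :content_length)

# Parse only the header block of a raw HTTP request (up to the blank line).
# Returns [request_line, headers], where headers maps downcased names to an
# array of values so that repeated headers (e.g. two Content-Length lines)
# remain visible instead of silently overwriting each other.
def parse_head(raw_head)
  lines = raw_head.split(/\r?\n/)
  request_line = lines.shift
  headers = Hash.new { |h, k| h[k] = [] }
  lines.each do |line|
    break if line.empty?                 # blank line ends the header block
    name, value = line.split(":", 2)
    next if name.nil? || value.nil?      # malformed header line: skip it
    headers[name.strip.downcase] << value.strip
  end
  [request_line, headers]
end

# Decide from the headers whether the body should be read at all.
#   413 -> declared body exceeds the limit
#   400 -> Content-Length is conflicting or not a plain non-negative integer
#   nil -> within the limit (or no body declared); go ahead and read it
def check_body_size(raw_head, limit = MAX_BODY_BYTES)
  _request_line, headers = parse_head(raw_head)
  values = headers["content-length"].uniq

  # No Content-Length: nothing to read, so nothing to limit here.
  return Verdict.new(nil, "no body declared", 0) if values.empty?

  # Two different Content-Length values are ambiguous about where the body
  # ends (a front-end proxy and the back-end could disagree); refuse them.
  return Verdict.new(400, "conflicting Content-Length", nil) if values.size > 1

  value = values.first
  return Verdict.new(400, "malformed Content-Length", nil) unless value =~ /\A\d+\z/

  length = value.to_i
  if length > limit
    Verdict.new(413, "declared body #{length} bytes exceeds limit #{limit}", length)
  else
    Verdict.new(nil, "within limit", length)
  end
end

# Minimal error response to write back before closing the connection,
# so the client is told why nothing of its upload was consumed.
def error_response(status, reason)
  text = { 400 => "Bad Request", 413 => "Request Entity Too Large" }[status]
  body = "#{status} #{text}: #{reason}\n"
  "HTTP/1.1 #{status} #{text}\r\n" \
  "Content-Type: text/plain\r\n" \
  "Content-Length: #{body.bytesize}\r\n" \
  "Connection: close\r\n\r\n#{body}"
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample request head: a client declaring a 25MB upload.
  head = "POST /upload HTTP/1.1\r\nHost: example.invalid\r\n" \
         "Content-Type: multipart/form-data; boundary=xyz\r\n" \
         "Content-Length: #{25 * 1024 * 1024}\r\n\r\n"
  verdict = check_body_size(head)
  if verdict.status
    puts error_response(verdict.status, verdict.reason)
  else
    puts "accept: #{verdict.reason}"
  end
end
```

The important property is that check_body_size never touches the body: it is given only the bytes up to the blank line, which is all a server has in hand at the moment it has finished parsing headers, so an oversized upload can be refused (and the connection closed) without the file ever being written to disk.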