Hello all,
For the last couple of days I was trying to get my
Apache/mod_proxy/mongrel setup to limit the size of the request body.
The setup is as follows:
1.) Apache acts as a reverse proxy by facilitating mod_rewrite and
mod_proxy
2.) Requests for non-static files are passed on to a mongrel_cluster
3.) We use mongrel for our Ruby on Rails application
Note that due to some restrictions we are unable to use
Apache/Passenger for our production deployment.
Is there a way to tell mongrel to skip requests which exceed a certain
limit (say 20MB) and return a 400 (Bad Request) response or the like?
I have tried to use the LimitRequestBody directive of Apache httpd,
but this obviously does not work, since Apache httpd passes most of
it’s requests directly on to mongrel. Thanks for your help!
Regards,
Severin
gollomm wrote:
Note that due to some restrictions we are unable to use
Mongrel-users mailing list
[email protected]
http://rubyforge.org/mailman/listinfo/mongrel-users
Hello Severin,
mod_security may very well be your friend there. It can be
configured to drop
any request over a certain size, and by its nature will drop it with
standard
HTTP error messages.
Regards,
Ryan
On Fri, Jun 12, 2009 at 6:46 AM, gollomm[email protected] wrote:
Hello all,
For the last couple of days I was trying to get my
Apache/mod_proxy/mongrel setup to limit the size of the request body.
The setup is as follows:
1.) Apache acts as a reverse proxy by facilitating mod_rewrite and mod_proxy
2.) Requests for non-static files are passed on to a mongrel_cluster
3.) We use mongrel for our Ruby on Rails application
ModSecurity?
Stephan
Severin
Mongrel-users mailing list
[email protected]
http://rubyforge.org/mailman/listinfo/mongrel-users
–
Stephan W.
→ http://stephan.sugarmotor.org (blog and homepage)
→ http://www.thrackle.org
→ http://www.buckmaster.ca
→ http://www.trafficlife.com
→ http://stephansmap.org – http://blog.stephansmap.org
Look at http_request.rb.
Mongrel already has a limit to the length of the headers that it will
accept, so you are covered there. If you look at
HttpRequest#initialize, there is a “remain” variable that is set to
the content length of the body of the request.
You could simply insert a check there. If it’s too high, bail out
right there and throw back whatever error response you deem
appropriate.
It could be a 400, but it’s probably better if it is a 413 Request
Entity Too Large.
Kirk H.
On Fri, Jun 12, 2009 at 11:07 AM, Stephan
Wehner[email protected] wrote:
ModSecurity?
Well, we are very confined regarding Apache modules. That does not
seem to be an option.
Note that due to some restrictions we are unable to use
Apache/Passenger for our production deployment.
Is there a way to tell mongrel to skip requests which exceed a certain
limit (say 20MB) and return a 400 (Bad Request) response or the like?
I have tried to use the LimitRequestBody directive of Apache httpd,
but this obviously does not work, since Apache httpd passes most of
it’s requests directly on to mongrel. Thanks for your help!
I am currently looking into how mongrel handlers work and how I would
configure them. No luck so far. Ideally, I would like to change
mongrel’s own file upload handler to drop requests which exceed a
certain limit. Here is an interesting thread I came across:
http://rubyforge.org/pipermail/mongrel-users/2006-September/001511.html
The question is now, where is the code handling file-uploads in the
mongrel source? Alternatively, could somebody provide me some pointers
concerning mongrel handlers? I am a totally new to mongrel…
Thanks,
Severin
On Fri, Jun 12, 2009 at 12:40 PM, Kirk H.[email protected] wrote:
It could be a 400, but it’s probably better if it is a 413 Request
Entity Too Large.
Oh, I did that already. I had mongrel sending an error to the client,
when I realized that when that check is performed the provided file
(for upload) is stored on server side already. Instead, I’d like to do
something before all that. For processing the content_length, and the
remain variable respectively, the file has to be in its entirety on
the server. I’d like mongrel to abort processing the request body if
the HTTP header ‘Content-Length’ reports it’ll be too large anyways.
What I’d like to do is checking the ‘Content-Length’ (something fast)
and bail out appropriately…
The most challenging part here is to figure out at what point mongrel
has access to the request’s HTTP headers but has not begun processing
the request body in any way.
There is ‘request_begins’ for HttpHandlers, but providing code in
there never seems to be executed. Maybe I’d need some configuration
changes for handlers to be run or something similar. But I have no
idea how I’d do so or where to find some documentation about it…
Thank you very much for the great help,
Severin