HTTP Error: 413 Request Entity Too Large


Solution 1

I set SecRequestBodyAccess Off for now and that solved all problems.

Solution 2

I ran into the same exact issue.

SecRequestBodyNoFilesLimit was the reason.

It was not used in my config at all, but it does have a default value, 1048576.

Once I found that this setting existed, I set it larger than my files and everything is working.

Here is the documentation https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecRequestBodyNoFilesLimit

If you compare to the entry above, SecRequestBodyLimit, the documentation seems very convoluted. What I was able to boil it down to is this: if you're uploading an actual file attachment, the prior setting will rule. If you are pasting the contents of a file into something like a form and the payload is in the PUT, then SecRequestBodyNoFilesLimit rules.
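The two limits from Solutions 1 and 2 side by side, as an added example that is not part of any answer on this page. It assumes ModSecurity 2.x loaded in Apache as `security2_module`; the path `/api/large-xml` and the raised value are hypothetical placeholders to adapt.

```apache
# Added example: the path and the raised value are assumptions, not settings
# taken from the original posts.
<IfModule security2_module>
    # Keep request-body inspection enabled. Setting this to Off makes the 413
    # go away, but rules then no longer see POST/PUT bodies at all.
    SecRequestBodyAccess On

    # Ceiling for the whole request body, uploaded files included.
    SecRequestBodyLimit 13107200

    # Ceiling for body data that is not an uploaded file. A raw XML POST is
    # counted here. 1048576 is the built-in default, which is why that number
    # shows up in error.log even though it is absent from httpd.conf.
    SecRequestBodyNoFilesLimit 1048576

    # Raise the non-file ceiling only where large XML is expected, so every
    # other URL keeps the 1 MB default.
    <Location "/api/large-xml">
        SecRequestBodyNoFilesLimit 10485760
    </Location>
</IfModule>
```

Keep the non-file limit at or below `SecRequestBodyLimit`, since the overall limit still applies to the same request.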

Solution 3

You say this is a PHP service, so that means that php.ini is every bit as much in play as httpd.conf.

There are a number of size limits defined in php.ini, including limits on the size of requests, so I'd start by verifying those limits are all big enough for your needs.

Author: AdrianM

Updated on September 18, 2022

Comments

  • AdrianM
    AdrianM over 1 year

    What I have:
    I have an iPhone app that sends HTTP POST requests (XML format) to a web service written in PHP. This is on a hosted virtual private server so I can edit httpd.conf and other files on the server, and restart Apache.

    The problem:
    The web service works perfectly as long as the request is not too large, but around 1MB is the limit. After that, the server responds with:

    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>413 Request Entity Too Large</title>
    </head><body>
    <h1>Request Entity Too Large</h1>
    The requested resource<br />/<br />
    does not allow request data with POST requests, or the amount of data
    provided in the request exceeds the capacity limit.
    </body></html>
    

    The web service writes its own log file, and I can see that small messages are processed fine. Larger messages are not logged at all so I guess that something in Apache rejects them before they even reach the web service?

    Things I've tried without success:
    (I've restarted Apache after every change. These steps are incremental.)

    1. hosting provider's web-based configuration panel: disable mod_security
    2. httpd.conf: LimitXMLRequestBody 0 and LimitRequestBody 0
    3. httpd.conf: LimitXMLRequestBody 100000000 and LimitRequestBody 100000000
    4. httpd.conf: SecRequestBodyLimit 100000000

    At this stage, Apache's error.log contains a message:
    ModSecurity: Request body no files data length is larger than the configured limit (1048576)

    The fact that there's an error statement by ModSecurity indicates that my step #1 didn't really take. Apache's access.log looks like this, with 3 successful small messages and 2 failed large messages:

    "POST / HTTP/1.1" 200 310 "-" "Audiopad/1.0 CFNetwork/548.0.4 Darwin/11.0.0"
    "POST / HTTP/1.1" 200 310 "-" "Audiopad/1.0 CFNetwork/548.0.4 Darwin/11.0.0"
    "POST / HTTP/1.1" 200 310 "-" "Audiopad/1.0 CFNetwork/548.0.4 Darwin/11.0.0"
    "POST / HTTP/1.1" 413 464 "-" "Audiopad/1.0 CFNetwork/548.0.4 Darwin/11.0.0"
    "POST / HTTP/1.1" 413 464 "-" "Audiopad/1.0 CFNetwork/548.0.4 Darwin/11.0.0"
    

    Apache's error.log has this info about the large messages:

    [error] [client 194.24.138.43] ModSecurity: Request body no files data length is larger than the configured limit (1048576). [hostname "webservice-audiopad.golfbravo.net"] [uri "/"]
    [error] [client 194.24.138.43] ModSecurity: Request body no files data length is larger than the configured limit (1048576). [hostname "webservice-audiopad.golfbravo.net"] [uri "/"]
    

    However, I don't see the value 1048576 anywhere in httpd.conf.

    What more can I try, to get the web service to receive large messages?

    • Ladadadada
      Ladadadada almost 12 years
      The method of disabling mod_security may have been to set it to DetectionOnly rather than removing the module. It doesn't say anything in that error message about denying the request and it would normally send a 403 if it were working properly.
  • AdrianM
    AdrianM almost 12 years
    Thanks, that's a good hint! I must find the php.ini (it won't be in the standard location because it's a virtual private server) and check for any limits. But the log indicates that ModSecurity is the problem?
  • Catfish
    Catfish almost 9 years
    Where do I add this? In my httpd.conf file?
  • AdrianM
    AdrianM almost 9 years
    Sorry, that's three years ago and I don't run that service anymore. I can't help you...
  • xebeche
    xebeche over 7 years
    SecRequestBodyAccess is a basic setting of ModSecurity, usually found in modsecurity.conf e.g. at /etc/modsecurity/modsecurity.conf.