ModSecurity, an open-source web application firewall (WAF), provides valuable tools to defend web applications from a myriad of online threats. However, as is common with any complex tool, problems can sometimes arise. One such issue relates to the request body size, which can trigger an error if the data length exceeds the configured limit.
The specific error message encountered might look something like this: “ModSecurity: Request body no files data length is larger than the configured limit (1048576).”
The directive “SecRequestBodyNoFilesLimit” at the heart of this issue, governs the maximum request body size ModSecurity will accept for buffering, discounting the size of any files being transported in the request.
Understanding the Problem
This directive helps reduce susceptibility to Denial of Service (DoS) attacks, where an attacker could attempt to overload the system by sending exceptionally large request bodies. Web applications that allow file uploads often need to configure the “SecRequestBodyLimit” to a high value. Large files are streamed to disk, so their upload won’t increase memory consumption.
Nevertheless, an attacker could potentially exploit a large request body limit to send non-upload requests with large body sizes. The directive “SecRequestBodyNoFilesLimit” helps close this loophole by limiting the maximum data size of request bodies.
The default limit set by ModSecurity is 1048576 bytes, or approximately 1 MB. Generally, this default limit is not small enough. For most applications, it’s often feasible to lower it to 128 KB or even less. Any requests exceeding the limit are rejected with status code 413, signalling that the request entity is too large.
To resolve this issue, find the options: “SecRequestBodyLimit” and “SecRequestBodyNoFilesLimit” in the Apache config and increase their values. If you can’t find them in the *.conf, you can add these options to the “/etc/apache2/conf.d/modsec/modsec2.user.conf“.
SecResponseBodyLimit 20971520 SecRequestBodyNoFilesLimit 20971520
Don’t forget to restart the Apache service afterwards using:
systemctl restart httpd
In the Plesk environment, the does re-write during an update. It is therefore advisable to create the “/etc/httpd/conf/modsecurity.d/custom.conf” file to preserve your changes. Check the changes with the command:
httpd -DDUMP_CONFIG -k start | grep SecRequestBody
The default value for DirectAdmin can be found in the ModSecurity configuration file provided by DirectAdmin: “/etc/httpd/conf/extra/httpd-modsecurity.conf“. To solve the issue, you can increase the value and restart Apache.
You can check the current value with the command:
grep SecRequestBody /etc/httpd/conf/extra/httpd-modsecurity.conf
and then restart Apache with:
systemctl restart httpd
For other panels and servers without a control panel, these settings can typically be managed in a similar manner. You just need to find the appropriate .conf file to edit.
In summary, understanding and adjusting the “SecRequestBodyNoFilesLimit” directive is a crucial part of managing and securing web applications using ModSecurity. Properly configured, it can help protect your web application from unnecessary exposure to potential threats.