0

I'm facing a really weird problem which I haven't seen. Right now I have some web applications offered through an Apache HTTP.

It happens that some HTTP requests are denied by something in between the server and the client. It doesn't matter whether they are GET or POST, the thing in there denies requests with more than 40 parameters. Hence, some big POST requests (forms with many parameters, e.g. registration stuff or Joomla admin stuff) are blocked and one faces an awful HTTP 404 response (the browser shows "The specified URL cannot be found.").

Checking the access.log and error.log in the Apache HTTP, these requests don't reach the HTTP server and I've tested with a certain number of dummy parameters (in GET and POST) using Firefox and wget. With up to 40 parameters, the response is 200, with 41 or more it throws 404 and no other header...

How come something can filter an HTTP request by number of parameters? Thanks for your help, hopefully this is the right forum to ask this kind of thing.

EDIT: It turned out to be the WAF I suspected. The people who configured it said that it only affected one of the interfaces for the server. I guessed it managed all of them. A rule in the WAF evaluating erroneous/suspicious URLs limited the amount of parameters to 40, probably because of a regexp or something. We found this after doing some Wireshark and finding that the requests were not getting their way to the server itself. Thanks to you all.

Alfabravo

1 Answer

0

If there's no 404 event in the logs, it's being blocked somewhere else. Do you have an application firewall, IPS, R-Proxy, or similar?

Chris S
  • The Apache HTTP is installed "somewhere in a remote datacenter" but the provider says that the WAF only takes care of the "public" interface (the one connecting to public internet) while we also have a point-to-point connection which does not pass through the WAF. The server has RHEL where SELinux is currently disabled. In the server, AFAIK, the only other thing set is iptables, but I temporarily shut it down and it kept failing... – Alfabravo Aug 13 '10 at 22:26
  • This being the closest to it, let's give you some reward for the interest – Alfabravo Aug 22 '10 at 18:57
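
The check used in this thread (send requests with N dummy parameters, then see whether Apache logged them) can be scripted as a log correlation. This is an added example, not part of the original question or answer; the `probe_id` marker parameter, the sample probes and the log lines are constructed assumptions, and the log is assumed to be in Apache common/combined format.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache common/combined format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def logged_probe_ids(log_lines, marker="probe_id"):
    """Map probe id -> status Apache logged, for requests carrying the marker."""
    seen = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-request line
        query = dict(parse_qsl(urlsplit(m.group("target")).query, keep_blank_values=True))
        if marker in query:
            seen[query[marker]] = int(m.group("status"))
    return seen

def classify(probes, log_lines):
    """probes: (probe_id, n_params, status_seen_by_client) tuples from the test client."""
    seen = logged_probe_ids(log_lines)
    reached = [n for pid, n, _ in probes if pid in seen]
    dropped = [n for pid, n, _ in probes if pid not in seen]
    return {
        # Largest request that Apache itself handled
        "max_params_reaching_apache": max(reached, default=None),
        # Smallest request answered by something in front of Apache
        "min_params_answered_upstream": min(dropped, default=None),
        # Logged by Apache, but the client saw a different status (rewritten in transit)
        "status_mismatch": sorted(p for p, _, st in probes if p in seen and seen[p] != st),
    }

def sample_target(pid, n):
    # Constructed request target: the marker plus n-1 dummy parameters
    return "/index.php?probe_id=%s&%s" % (pid, "&".join("d%d=1" % i for i in range(n - 1)))

# Constructed client results: 200 up to 40 parameters, 404 from 41 on
SAMPLE_PROBES = [("p39", 39, 200), ("p40", 40, 200), ("p41", 41, 404), ("p42", 42, 404)]
# Constructed access.log: only the requests that got through, plus unrelated lines
SAMPLE_LOG = ['192.0.2.10 - - [13/Aug/2010:22:00:00 +0000] "GET %s HTTP/1.1" 200 512'
              % sample_target(pid, n) for pid, n, st in SAMPLE_PROBES if st == 200]
SAMPLE_LOG += ['192.0.2.11 - - [13/Aug/2010:22:00:01 +0000] "GET /favicon.ico HTTP/1.1" 404 209',
               "not a log line"]

if __name__ == "__main__":
    print(classify(SAMPLE_PROBES, SAMPLE_LOG))
```

A probe that returns an error to the client but has no matching access.log entry was answered before Apache saw it, which points at a WAF, IPS or reverse proxy on the path.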