2

What I have:
I have an iPhone app that sends HTTP POST requests (XML format) to a web service written in PHP. This is on a hosted virtual private server so I can edit httpd.conf and other files on the server, and restart Apache.

The problem:
The web service works perfectly as long as the request is not too large, but around 1MB is the limit. After that, the server responds with:

```html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>413 Request Entity Too Large</title>
</head><body>
<h1>Request Entity Too Large</h1>
The requested resource<br />/<br />
does not allow request data with POST requests, or the amount of data
provided in the request exceeds the capacity limit.
</body></html>
```

The web service writes its own log file, and I can see that small messages are processed fine. Larger messages are not logged at all so I guess that something in Apache rejects them before they even reach the web service?

Things I've tried without success:
(I've restarted Apache after every change. These steps are incremental.)

  1. hosting provider's web-based configuration panel: disable `mod_security`
  2. httpd.conf: `LimitXMLRequestBody 0` and `LimitRequestBody 0`
  3. httpd.conf: `LimitXMLRequestBody 100000000` and `LimitRequestBody 100000000`
  4. httpd.conf: `SecRequestBodyLimit 100000000`

At this stage, Apache's error.log contains a message:

```
ModSecurity: Request body no files data length is larger than the configured limit (1048576)
```

The fact that there's an error statement by ModSecurity indicates that my step #1 didn't really take. Apache's access.log looks like this, with 3 successful small messages and 2 failed large messages:

```
"POST / HTTP/1.1" 200 310 "-" "Audiopad/1.0 CFNetwork/548.0.4 Darwin/11.0.0"
"POST / HTTP/1.1" 200 310 "-" "Audiopad/1.0 CFNetwork/548.0.4 Darwin/11.0.0"
"POST / HTTP/1.1" 200 310 "-" "Audiopad/1.0 CFNetwork/548.0.4 Darwin/11.0.0"
"POST / HTTP/1.1" 413 464 "-" "Audiopad/1.0 CFNetwork/548.0.4 Darwin/11.0.0"
"POST / HTTP/1.1" 413 464 "-" "Audiopad/1.0 CFNetwork/548.0.4 Darwin/11.0.0"
```

Apache's error.log has this info about the large messages:

```
[error] [client 194.24.138.43] ModSecurity: Request body no files data length is larger than the configured limit (1048576). [hostname "webservice-audiopad.golfbravo.net"] [uri "/"]
[error] [client 194.24.138.43] ModSecurity: Request body no files data length is larger than the configured limit (1048576). [hostname "webservice-audiopad.golfbravo.net"] [uri "/"]
```

However, I don't see the value 1048576 anywhere in httpd.conf.

What more can I try, to get the web service to receive large messages?

Torben Gundtofte-Bruun
  • How about `SecRequestBodyNoFilesLimit`? Did you take a look at Apache's error_log after restarting to make sure that mod_security was disabled? – quanta Jun 27 '12 at 09:14
  • The method of disabling `mod_security` may have been to set it to `DetectionOnly` rather than removing the module. It doesn't say anything in that error message about denying the request and it would normally send a 403 if it were working properly. – Ladadadada Jun 27 '12 at 10:05

4 Answers

8

I set `SecRequestBodyAccess Off` for now and that solved all problems.

Torben Gundtofte-Bruun
8

I ran into the same exact issue.

`SecRequestBodyNoFilesLimit` was the reason.

It was not used in my config at all, but it does have a default value, 1048576.

Once I found that this setting existed, I set it larger than my files and everything is working.

Here is the documentation: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecRequestBodyNoFilesLimit

If you compare it to the entry above, `SecRequestBodyLimit`, the documentation seems very convoluted. What I was able to boil it down to is this: if you're uploading an actual file attachment, the prior setting will rule. If you are pasting the contents of a file into something like a form and the payload is in the PUT, then `SecRequestBodyNoFilesLimit` rules.

KevinR
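A small model of why the 1048576 limit applied even though it never appeared in httpd.conf, added here as an illustration; it is not code from the post or from ModSecurity. It assumes the defaults listed in the ModSecurity 2.x reference manual and ignores `Include` files, per-scope overrides and `SecRuleEngine` mode. `QUESTION_CONF` is a constructed sample in which `SecRequestBodyAccess On` is assumed to be set somewhere in the server's configuration.

```python
import re

# Defaults as listed in the ModSecurity 2.x reference manual (assumed version);
# 1048576 is the value seen in the error.log lines on this page.
DEFAULTS = {
    "SecRequestBodyAccess": "Off",
    "SecRequestBodyLimit": "134217728",
    "SecRequestBodyNoFilesLimit": "1048576",
}
DIRECTIVE = re.compile(r"^\s*(Sec\w+)\s+(\S+)")

def effective_settings(conf_text):
    """Return {directive: (value, source)}; the last occurrence wins.
    Simplification: Include files and <Location>/<VirtualHost> scopes are ignored."""
    canon = {name.lower(): name for name in DEFAULTS}
    result = {name: (value, "default") for name, value in DEFAULTS.items()}
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = DIRECTIVE.match(line)  # commented-out lines never match
        if m and m.group(1).lower() in canon:
            result[canon[m.group(1).lower()]] = (m.group(2), f"line {lineno}")
    return result

def check_request(settings, body_bytes, file_bytes=0):
    """Predict the outcome for a body of body_bytes, of which file_bytes
    are multipart file parts (0 for a raw XML POST like the one in the question)."""
    if settings["SecRequestBodyAccess"][0].lower() != "on":
        return "not inspected: ModSecurity rules never see this body"
    if body_bytes > int(settings["SecRequestBodyLimit"][0]):
        return "rejected by SecRequestBodyLimit"
    if body_bytes - file_bytes > int(settings["SecRequestBodyNoFilesLimit"][0]):
        return "rejected by SecRequestBodyNoFilesLimit"
    return "accepted and inspected"

# Constructed sample mirroring steps 3 and 4 of the question.
QUESTION_CONF = """\
LimitRequestBody 100000000
LimitXMLRequestBody 100000000
SecRequestBodyAccess On
SecRequestBodyLimit 100000000
"""

if __name__ == "__main__":
    settings = effective_settings(QUESTION_CONF)
    for name, (value, source) in settings.items():
        print(f"{name} = {value} ({source})")
    print(check_request(settings, 2_000_000))
```

Appending `SecRequestBodyNoFilesLimit 10485760` to the sample makes the 2 MB XML body come back as "accepted and inspected", whereas `SecRequestBodyAccess Off` makes it "not inspected".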
3

You say this is a PHP service, so that means that php.ini is every bit as much in play as httpd.conf.

There are a number of size limits defined in php.ini, including limits on the size of requests, so I'd start by verifying those limits are all big enough for your needs.

Bart B
  • Thanks, that's a good hint! I must find the php.ini (it won't be in the standard location because it's a virtual private server) and check for any limits. But the log indicates that ModSecurity is the problem? – Torben Gundtofte-Bruun Jun 27 '12 at 09:51
2

Everything I have tried to fix this has failed. One last search and I found this here.

`SecRequestBodyAccess Off`

That did the trick. I know this is 10 years old but sure did help me!

MrBodean