Forum Discussion

Stefan_Klotz_85's avatar
Stefan_Klotz_85
Icon for Cirrus rankCirrus
Dec 01, 2015

ASM restrict upload larger than long_request_buffer_size

Is it possible to restrict an upload to a value (e.g. 25MB), which is larger than the long_request_buffer_size? I don't want to touch the long_request_buffer_size variable as it has global impact, but its max. value is 20MB anyway. So what happened if I disable the "Request length exceeds defined buffer size" violation, but enable the required length violations with a max. value of 25MB? Will this work at all? And is it recommended to do this via ASM or should such large upload limits better be configured on the webserver?

 

Thanks for your ideas and help!

 

Ciao Stefan :)

 

ASM Advanced WAF
security
  • samstep's avatar
    samstep
    Icon for Cirrocumulus rankCirrocumulus
    Dec 02, 2015

    OK, so first of all this depends on what you are trying to achieve. I assume you want to allow large uploads for a specific URL/policy? e.g. "/upload" while preserving the global "long_request_buffer_size" limit.

     

    In this case you can disable ASM for that specific URL using iRule as described here:

     

    https://devcentral.f5.com/questions/how-to-increase-the-size-of-upload-file-size-in-asm

     

    If you are running ASM v11.5.0 and higher you no longer need to disable ASM as the first 10Kb of the request will always be processed, see solution SOL17573:

     

    https://support.f5.com/kb/en-us/solutions/public/17000/500/sol17573.html

     

    Hope this helps,

     

    Sam

     

  • Stefan_Klotz's avatar
    Stefan_Klotz
    Icon for Cumulonimbus rankCumulonimbus
    Dec 02, 2015

    Hi Sam,

     

    I'm aware of the possibility to use an iRule to disable ASM on a specific URL, but that's not my intention. My intention was to still use ASM and allow uploads up to e.g. 25MB, but blocking those which are larger than that.

     

    But this seems to be not possible at all, right?

     

    But looking at the mentioned solution, does this mean I need to disable blocking-mode for "Request length exceeds defined buffer size" at all if I need to pass large uploads though ASM? But disabling this violation still investigates the first 10KB for any other violations if the request is larger than the "long_request_buffer_size"?

     

    So at the end the required upload restriction needs to be configured on the webserver, right?

     

    Thank you!

     

    Ciao Stefan :)