Forum Discussion
asieber_102433
Nimbostratus
Nimbostratuslog connections, that exceed maximum header size
Hi,
from time to time we experience some memory issues on our apache webservers.
The apache processes use more and more memory (4 times more than usual).
Everytime this happens, we can see the message "011f0005:3: HTTP header (33304) exceeded maximum allowed size of 32768". I know that this is only a "informal" message. But now I want to know what client and what request caused this log entry, because we want to identify the cause for the memory usage on the webservers.
I didn´t find a irule parameter that I can use to log the requests that exceed that maximum http header size.
Has anyone an idea how to log those requests ?
kind regards,
Alex
- If you're looking to monitor your headers for a specific string length, we can certainly help with that. Let's use the 32768 character limit that you mentioned above, and look for any headers that are represented as strings longer than that value. We'll send a log message to the /var/log/ltm log if we find one. The code looks like:
when HTTP_REQUEST { foreach header {[HTTP::header names]} { if {[string length $header] > 32768} { log local0. "Header exceeds maximum length! - Header Name: $header, Length: [string length $header], Value: [HTTP::header value $header]" } } }
This should log the information you're looking for. Keep in mind, though, that to do this you're forcing the LTM to loop through every header on every inbound HTTP request. This is probably NOT what you're looking for, as it's going to end up being pretty resource intensive pretty fast. If you're relatively confident that your HTTP headers aren't going to be changing all over the place within the scope of a given connection, you could easily have the LTM just parse through all of the headers once, on the first request that comes in, and then be done with it.
That would look like this:when CLIENT_ACCEPTED { set loop 0 } when HTTP_REQUEST { if {$loop == 0} { foreach header {[HTTP::header names]} { if {[string length $header] > 32768} { log local0. "Header exceeds maximum length! - Header Name: $header, Length: [string length $header], Value: [HTTP::header value $header]" } } incr loop } }
Hopefully that sheds a little light on what you're looking for.
Colin - one small correction I think:
shouldn't
be (in all cases):[string length $header]
to eval the length of the header value rather than the length of the header name?[string length [HTTP::header value $header]
/d 
asieber_102433thx for the suggestions, we finally found out that it wasn´t the client request that exceeded the maximum header size but the server reply.
at the moment the problem disappeared so we have to wait...because we still don´t know what´s the reason for this problem
unfortunately the performace decrease we experience when parsing all responses is much too big, so that i fear we have to analyse thousands of requests via tcpdump.
Raj_Zucre_RamirHi Guys,
What if I want to create a logging (I know iRules can do this) for client IP and Port when a max header value of http profile has been reached and then blocked?
Thanks!
hoolioCirrostratus
Hi Raj,
Check your other reply for more info:
http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/aft/1144919/showtab/groupforums/Default.aspx
Aaron
sprashanthac_81What is the maximum allowed size of the http header can we got to a length of 128k ??- nitass
Employee
What is the maximum allowed size of the http header can we got to a length of 128k ??i have not found the maximum allowed size but one of my colleague has mentioned he was able to raise it up to 4967295. - sprashanthac_81I will be trying to raise it to the 128k size and see if that is not going to be an issue. Thanks for the reply though, I could not even find it in the F5 site so perhaps should be alright
- hoolioI think the theoretical maximum for the maximum header size is 4,294,967,295 bytes. 128k should be fine. Keep in mind that increasing the max header size buffer can increase the memory usage for each HTTP request.
Aaron - hoolioHere's an updated version of the iRule you can use to log long header values. Note that the HTTP profile setting for Max HTTP headers size must be greater than the actual request's headers in order to avoid being reset and trigger the HTTP_REQUEST event. This version checks the total headers size before looping through each header. So it should be a bit more efficient than the previous version.
when HTTP_REQUEST { Check the total HTTP headers size if {[string length [HTTP::request]] > 10000 }{ Loop through the headers by name foreach header {[HTTP::header names]} { Check for a long header value if {[string length [HTTP::header value $header]] > 1000 } { log local0. "Header is long. Header Name: $header,\ Length: [string length [HTTP::header value $header]], Value: [HTTP::header value $header]" } } } }
