• Our team is looking to connect with folks who use email services provided by Plesk, or a premium service. If you'd like to be part of the discovery process and share your experiences, we invite you to complete this short screening survey. If your responses match the persona we are looking for, you'll receive a link to schedule a call at your convenience. We look forward to hearing from you!
  • We are looking for U.S.-based freelancer or agency working with SEO or WordPress for a quick 30-min interviews to gather feedback on XOVI, a successful German SEO tool we’re looking to launch in the U.S.
    If you qualify and participate, you’ll receive a $30 Amazon gift card as a thank-you. Please apply here. Thanks for helping shape a better SEO product for agencies!
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.

Resolved modsecurity POST failure with 413 Request Entity too large?

raytracy

raytracy

Basic Pleskian
My modsecurity has blocked some normal POST and logged with:

--9673be0a-F--
HTTP/1.1 413 Request Entity Too Large
Content-Length: 373
Connection: close
Content-Type: text/html; charset=iso-8859-1

--9673be0a-H--
Message: Request body no files data length is larger than the configured limit (1048576).. Deny with
code (413)

Is there any way to increase the modsecurity POST limit from 1048576 to more?
 
Hi raytracy,

when switching on "Web Application Firewall ( ModSecurity )" with a pre-defined rule-set, you are still able to customize your own, unique rules, which can overwrite existent ones. Pls. follow for example The "Atomic Wiki" at



Note:
The initial, default "SecRequestBodyLimit" setting is defined with a liberal 128 MB ( = 134217728 byte ) - limit.

The initial, default "SecRequestBodyNoFilesLimit" setting is defined with a liberal 1 MB ( = 1048576 byte ) - limit.
Actually, it is NOT recommended to raise this limit... it is rather documented by most server provider to REDUCE this limit to for example 131072 byte ( 128 KB ! ), due to the fact that this setting should be as low as possible/pratical.

For a unique ( not recommended !!! ) 512 MB - limit at "SecRequestBodyLimit" use:
Code: 
SecRequestBodyLimit 536870912

For a unique ( not recommended !!! ) 10 MB - limit at "SecRequestBodyNoFilesLimit" use:
Code: 
SecRequestBodyNoFilesLimit 10485760

Important note:
Be aware, that there is a HARD LIMIT of 1 GB for "SecRequestBodyLimit", which can't be overwritten!
Be aware, that there is a HARD LIMIT of 1 GB for "SecRequestBodyNoFilesLimit", which can't be overwritten!
Note as well, that IF you customize rules, you do this on your very own risk and without the support from Plesk, or the vendor support from the pre-defined rule-set provider!

Pls. consider as well to read the official documentation at => https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual for further informations!​
 
UFHH01 said:
Hi raytracy,

when switching on "Web Application Firewall ( ModSecurity )" with a pre-defined rule-set, you are still able to customize your own, unique rules, which can overwrite existent ones. Pls. follow for example The "Atomic Wiki" at



Note:
The initial, default "SecRequestBodyLimit" setting is defined with a liberal 128 MB ( = 134217728 byte ) - limit.

The initial, default "SecRequestBodyNoFilesLimit" setting is defined with a liberal 1 MB ( = 1048576 byte ) - limit.
Actually, it is NOT recommended to raise this limit... it is rather documented by most server provider to REDUCE this limit to for example 131072 byte ( 128 KB ! ), due to the fact that this setting should be as low as possible/pratical.

For a unique ( not recommended !!! ) 512 MB - limit at "SecRequestBodyLimit" use:
Code: 
SecRequestBodyLimit 536870912
For a unique ( not recommended !!! ) 10 MB - limit at "SecRequestBodyNoFilesLimit" use:
Code: 
SecRequestBodyNoFilesLimit 10485760

Important note:
Be aware, that there is a HARD LIMIT of 1 GB for "SecRequestBodyLimit", which can't be overwritten!
Be aware, that there is a HARD LIMIT of 1 GB for "SecRequestBodyNoFilesLimit", which can't be overwritten!
Note as well, that IF you customize rules, you do this on your very own risk and without the support from Plesk, or the vendor support from the pre-defined rule-set provider!

Pls. consider as well to read the official documentation at => https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual for further informations!​
Click to expand...

It is valuable info for me!! I will tune it carefully.

By the way, where is the correct config file that I should add these directives?
I have found some in /etc/httpd/conf/plesk.conf.d/server.conf:

<IfModule mod_security2.c>
SecRuleEngine On
SecRequestBodyAccess On
SecRequestBodyLimit 134217728
SecResponseBodyAccess On
SecResponseBodyLimit 524288
SecAuditEngine RelevantOnly
SecAuditLog "/var/log/modsec_audit.log"
SecAuditLogType serial
SecRuleRemoveById "340149,340162,350147,340159"
Include "/etc/httpd/conf/plesk.conf.d/modsecurity.conf"
</IfModule>

But it looks like that will be modified by Plesk and wipe out my customization?
 
raytracy said:
But it looks like that will be modified by Plesk and wipe out my customization?
Click to expand...
... correct... that's why I linked to the wiki - page, where is it very well described, how you setup YOUR OWN modifications. ;)

Quoted from the Wiki - page of Atomicorp:
Installing custom rules
Step 1) Create your custom rules directory:

mkdir /etc/httpd/modsecurity.custom.d
....
....
Click to expand...
 
You must log in or register to reply here.

Similar threads

M
Question HTTP 413 error with Ubuntu Apache/SVN
Replies
1
Views
538
scsa20
scsa20
C
Resolved Plesk Obsidian Version 18.0.56 Update #4 on Ubuntu 22.04.3 LTS ModSecurity upload error on WordPress
Replies
1
Views
1K
copec
C
A
Issue 502 Gateway error with HTTP POST Requests but not GET requests
Replies
3
Views
2K
Maarten
M
A
Issue 413 Request Entity Too Large after changing client_max_body_size
Replies
2
Views
3K
Anbosuki
A
LionKing
Resolved Max post size for Apache web server?
Replies
14
Views
9K
LionKing
LionKing
Back
Top