gollomm
2009-Jun-12 13:46 UTC
[Mongrel] Limit Request Body Size (Disallow very large File-uploads)
Hello all,

For the last couple of days I was trying to get my Apache/mod_proxy/mongrel setup to limit the size of the request body. The setup is as follows:

1.) Apache acts as a reverse proxy by facilitating mod_rewrite and mod_proxy
2.) Requests for non-static files are passed on to a mongrel_cluster
3.) We use mongrel for our Ruby on Rails application

Note that due to some restrictions we are unable to use Apache/Passenger for our production deployment.

Is there a way to tell mongrel to skip requests which exceed a certain limit (say 20MB) and return a 400 (Bad Request) response or the like? I have tried to use the LimitRequestBody directive of Apache httpd, but this obviously does not work, since Apache httpd passes most of its requests directly on to mongrel.

Thanks for your help!

Regards,
Severin
Stephan Wehner
2009-Jun-12 15:07 UTC
[Mongrel] Limit Request Body Size (Disallow very large File-uploads)
On Fri, Jun 12, 2009 at 6:46 AM, gollomm<gollomm at gmail.com> wrote:
> Hello all,
>
> For the last couple of days I was trying to get my
> Apache/mod_proxy/mongrel setup to limit the size of the request body.
> The setup is as follows:
>
> 1.) Apache acts as a reverse proxy by facilitating mod_rewrite and mod_proxy
> 2.) Requests for non-static files are passed on to a mongrel_cluster
> 3.) We use mongrel for our Ruby on Rails application

ModSecurity?

Stephan

> Note that due to some restrictions we are unable to use
> Apache/Passenger for our production deployment.
>
> Is there a way to tell mongrel to skip requests which exceed a certain
> limit (say 20MB) and return a 400 (Bad Request) response or the like?
> I have tried to use the LimitRequestBody directive of Apache httpd,
> but this obviously does not work, since Apache httpd passes most of
> its requests directly on to mongrel. Thanks for your help!
>
> Regards,
> Severin
> _______________________________________________
> Mongrel-users mailing list
> Mongrel-users at rubyforge.org
> http://rubyforge.org/mailman/listinfo/mongrel-users
>

--
Stephan Wehner
-> http://stephan.sugarmotor.org (blog and homepage)
-> http://www.thrackle.org
-> http://www.buckmaster.ca
-> http://www.trafficlife.com
-> http://stephansmap.org -- http://blog.stephansmap.org
Ryan Stenhouse
2009-Jun-12 15:15 UTC
[Mongrel] Limit Request Body Size (Disallow very large File-uploads)
gollomm wrote:
> Hello all,
>
> For the last couple of days I was trying to get my
> Apache/mod_proxy/mongrel setup to limit the size of the request body.
> The setup is as follows:
>
> 1.) Apache acts as a reverse proxy by facilitating mod_rewrite and mod_proxy
> 2.) Requests for non-static files are passed on to a mongrel_cluster
> 3.) We use mongrel for our Ruby on Rails application
>
> Note that due to some restrictions we are unable to use
> Apache/Passenger for our production deployment.
>
> Is there a way to tell mongrel to skip requests which exceed a certain
> limit (say 20MB) and return a 400 (Bad Request) response or the like?
> I have tried to use the LimitRequestBody directive of Apache httpd,
> but this obviously does not work, since Apache httpd passes most of
> its requests directly on to mongrel. Thanks for your help!
>
> Regards,
> Severin
> _______________________________________________
> Mongrel-users mailing list
> Mongrel-users at rubyforge.org
> http://rubyforge.org/mailman/listinfo/mongrel-users
>

Hello Severin,

mod_security may very well be your friend there. It can be configured to drop any request over a certain size, and by its nature will drop it with standard HTTP error messages.

Regards,
Ryan
gollomm
2009-Jun-12 15:50 UTC
[Mongrel] Limit Request Body Size (Disallow very large File-uploads)
On Fri, Jun 12, 2009 at 11:07 AM, Stephan Wehner<stephanwehner at gmail.com> wrote:
> On Fri, Jun 12, 2009 at 6:46 AM, gollomm<gollomm at gmail.com> wrote:
>> Hello all,
>>
>> For the last couple of days I was trying to get my
>> Apache/mod_proxy/mongrel setup to limit the size of the request body.
>> The setup is as follows:
>>
>> 1.) Apache acts as a reverse proxy by facilitating mod_rewrite and mod_proxy
>> 2.) Requests for non-static files are passed on to a mongrel_cluster
>> 3.) We use mongrel for our Ruby on Rails application
>
> ModSecurity?

Well, we are very confined regarding Apache modules. That does not seem to be an option.

>> Note that due to some restrictions we are unable to use
>> Apache/Passenger for our production deployment.
>>
>> Is there a way to tell mongrel to skip requests which exceed a certain
>> limit (say 20MB) and return a 400 (Bad Request) response or the like?
>> I have tried to use the LimitRequestBody directive of Apache httpd,
>> but this obviously does not work, since Apache httpd passes most of
>> its requests directly on to mongrel. Thanks for your help!

I am currently looking into how mongrel handlers work and how I would configure them. No luck so far. Ideally, I would like to change mongrel's own file upload handler to drop requests which exceed a certain limit.

Here is an interesting thread I came across: http://rubyforge.org/pipermail/mongrel-users/2006-September/001511.html

The question is now, where is the code handling file-uploads in the mongrel source? Alternatively, could somebody provide me some pointers concerning mongrel handlers? I am totally new to mongrel...

Thanks,
Severin

> -> http://stephan.sugarmotor.org (blog and homepage)
> -> http://www.thrackle.org
> -> http://www.buckmaster.ca
> -> http://www.trafficlife.com
> -> http://stephansmap.org -- http://blog.stephansmap.org
> _______________________________________________
> Mongrel-users mailing list
> Mongrel-users at rubyforge.org
> http://rubyforge.org/mailman/listinfo/mongrel-users
>
Kirk Haines
2009-Jun-12 16:40 UTC
[Mongrel] Limit Request Body Size (Disallow very large File-uploads)
Look at http_request.rb.

Mongrel already has a limit to the length of the headers that it will accept, so you are covered there. If you look at HttpRequest#initialize, there is a "remain" variable that is set to the content length of the body of the request.

You could simply insert a check there. If it's too high, bail out right there and throw back whatever error response you deem appropriate.

It could be a 400, but it's probably better if it is a 413 Request Entity Too Large.

Kirk Haines
gollomm
2009-Jun-12 17:32 UTC
[Mongrel] Limit Request Body Size (Disallow very large File-uploads)
On Fri, Jun 12, 2009 at 12:40 PM, Kirk Haines<wyhaines at gmail.com> wrote:
> Look at http_request.rb.
>
> Mongrel already has a limit to the length of the headers that it will
> accept, so you are covered there. If you look at
> HttpRequest#initialize, there is a "remain" variable that is set to
> the content length of the body of the request.
>
> You could simply insert a check there. If it's too high, bail out
> right there and throw back whatever error response you deem
> appropriate.
>
> It could be a 400, but it's probably better if it is a 413 Request
> Entity Too Large.

Oh, I did that already. I had mongrel sending an error to the client, when I realized that when that check is performed the provided file (for upload) is stored on server side already. Instead, I'd like to do something before all that. For processing the content_length, and the remain variable respectively, the file has to be in its entirety on the server. I'd like mongrel to abort processing the request body if the HTTP header 'Content-Length' reports it'll be too large anyways.

What I'd like to do is checking the 'Content-Length' (something fast) and bail out appropriately... The most challenging part here is to figure out at what point mongrel has access to the request's HTTP headers but has not begun processing the request body in any way.

There is 'request_begins' for HttpHandlers, but providing code in there never seems to be executed. Maybe I'd need some configuration changes for handlers to be run or something similar. But I have no idea how I'd do so or where to find some documentation about it...

Thank you very much for the great help,
Severin
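
The header-first check discussed in this thread, as an added example that is not part of the original posts and is not Mongrel's code: it reads only the request head from a socket-like IO and answers 413 on an oversized declared Content-Length before any body byte is read. The names `admit`, `read_head`, `parse_headers`, `MAX_HEAD` and the sample request are assumptions made for the illustration.

```ruby
require 'stringio'

MAX_BODY = 20 * 1024 * 1024 # the 20 MB limit mentioned in the thread
MAX_HEAD = 16 * 1024        # assumed cap on the request head

# Read the request line and headers only, stopping at the blank line.
def read_head(io)
  head = +''
  while (line = io.gets("\r\n", MAX_HEAD))
    head << line
    break if line == "\r\n"
    raise ArgumentError, 'request head too large' if head.bytesize > MAX_HEAD
  end
  head
end

# Header names are case-insensitive, so normalise them to lower case.
def parse_headers(head)
  head.split("\r\n").drop(1).each_with_object({}) do |line, h|
    name, value = line.split(':', 2)
    h[name.strip.downcase] = value.strip if value
  end
end

# Returns [status, body_bytes_read]. The body is read only after the
# declared length has passed the limit check.
def admit(io, limit = MAX_BODY)
  declared = parse_headers(read_head(io))['content-length']
  return [411, 0] if declared.nil?                  # e.g. chunked: nothing to check up front
  return [400, 0] unless declared.match?(/\A\d+\z/) # reject "12abc", "-1", ""
  length = declared.to_i
  return [413, 0] if length > limit                 # bail out before touching the body

  read = 0
  while read < length && (chunk = io.read([16_384, length - read].min))
    read += chunk.bytesize                          # never read past the declared length
  end
  read == length ? [200, read] : [400, read]        # short body: sender stopped early
end

# Constructed sample: a 30 MB upload is announced, 1 KB of it has arrived.
head = "POST /upload HTTP/1.1\r\nHost: example.test\r\n" \
       "Content-Length: #{30 * 1024 * 1024}\r\n\r\n"
io = StringIO.new(head + 'x' * 1024)
status, read = admit(io)
puts "status=#{status} body_bytes_read=#{read} stream_pos=#{io.pos} head_len=#{head.bytesize}"
```

Content-Length is only what the client declares, which is why the read loop also stops at the declared length instead of reading until the stream ends.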