
ownCloud - Upload Limit (Content-Length)

Hi,

I have an Apache web server in my internal network on which an ownCloud instance is running.
It is protected by WAF.
My setup is working fine so far (at least for smaller files).
If I try to upload a file >128MB from external to my ownCloud instance I get the following WAF log entries:
2013:05:08-11:21:35 vpn reverseproxy: [Wed May 08 11:21:35.555140 2013] [security2:error] [pid 9816:tid 3895282544] [client ] ModSecurity: Request body (Content-Length) is larger than the configured limit (134217728). [hostname ""] [uri "/owncloud/index.php/apps/files/ajax/upload.php"] [unique_id "AAA12345aaa"]

2013:05:08-11:21:35 vpn reverseproxy: srcip="" localip="" size="371" user="-" host="" method="POST" statuscode="413" reason="-" extra="-" time="337" url="/owncloud/index.php/apps/files/ajax/upload.php" server="" referer="https:///owncloud/index.php/apps/files" cookie="508d626f7872f=irc8vbpm7023pgefjk14de7f45; HASH_508d626f7872f=06299B8BCF8BA83A7213F19D9468964255EE8E01" set-cookie="-"


I switched off all checkboxes in the WAF Firewall Profile for this virtual host, but that didn't change anything.
Is there any possibility to set a higher Content-Length limit (e.g. via cc)?
I didn't find any places to tweak this setting in WebAdmin.

Note: This is not an ownCloud limit, as it works with a DNAT rule.


  • Hi,

    I guess you have to change that in the config files of the reverse proxy. Those changes usually do not survive an up2date and void the support contract (if you have one).

    Regards
    Manfred
  • This is not an ownCloud limit, as it works with a DNAT rule. 

    You can, in effect, create an exclusion for "" by using it as the source in the traffic selector in a DNAT - the DNAT will capture the packets before they can be seen by WAF.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I guess you have to change that in the config files of the reverse proxy. Those changes usually do not survive an up2date and void the support contract (if you have one).

    Thanks for your answer. It's a home setup, so no support...
    I would love to do that but editing a config file probably won't even survive a reboot, so I need a reasonably persistent solution. That's why I mentioned cc.

    You can, in effect, create an exclusion for "" by using it as the source in the traffic selector in a DNAT - the DNAT will capture the packets before they can be seen by WAF.

    Thanks for the suggestion but with  I meant every IP outside my Home network (not a specific one), so that's not practicable...

    ----------
    Sophos user, admin and reseller.
    Private Setup:

    • XG: HPE DL20 Gen9 (Core i3-7300, 8GB RAM, 120GB SSD) | XG 18.0 (Home License) with: Web Protection, Site-to-Site-VPN (IPSec, RED-Tunnel), Remote Access (SSL, HTML5)
    • UTM: 2 vCPUs, 2GB RAM, 50GB vHDD, 2 vNICs on vServer (KVM) | UTM 9.7 (Home License) with: Email Protection, Webserver Protection, RED-Tunnel (server)
  • Hi, you can post a Feature Request for this to be adjustable, at UTM (Formerly ASG) Feature Requests: Hot (1206 ideas)

    It's possible this is adjustable via 'cc', but I don't know the command/variable.

    Barry
  • Hi, you can post a Feature Request for this to be adjustable, at UTM (Formerly ASG) Feature Requests: Hot (1206 ideas)
    I will do that...

    It's possible this is adjustable via 'cc', but I don't know the command/variable.
    That's what I hoped for. Perhaps someone else knows it?

  • Hm - I don't see such a setting in CC.

    But since this is a home setup you may try to add the line
    SecRequestBodyLimit 500000000
    into
    /var/storage/chroot-reverseproxy/usr/apache/conf/httpd.conf, restart WAF and try again.

    This file survives reboots but not every up2date.

    Regards
    Manfred
  • Did adding the setting to the conf file do the trick (as a workaround)?

    Regards
    Manfred
  • I haven't tried that yet. I will let you know once I have had time to check...

  • Yep, seems to work. At least I don't get the error log entries from above.

    Note: There is a 1GB (1073741824 byte) hard limit in ModSecurity for "SecRequestBodyLimit" (see Configuration Directives), so 1GB is the maximum.

    I added the line
    SecRequestBodyLimit 1073741824

    to /var/storage/chroot-reverseproxy/usr/apache/conf/httpd.conf, restarted WAF and could successfully upload a 700MB file to my ownCloud.

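
Because the edited httpd.conf does not survive every up2date, the workaround from the last post has to be re-checked after updates. The following is an added example, not part of the thread or of any Sophos tooling: a shell function that sets `SecRequestBodyLimit` in a given config file and refuses values above the 1 GB hard limit mentioned above. Appending the directive at the end of the file is an assumption (the thread does not say where the line was placed), and the WAF still has to be restarted afterwards.

```shell
#!/bin/sh
# Added example, not from the thread. The file path and value are supplied by
# the caller; nothing here restarts the WAF.

MODSEC_HARD_LIMIT=1073741824   # 1 GB ceiling for SecRequestBodyLimit quoted in the thread

# Print the last active (uncommented) SecRequestBodyLimit value in FILE, if any.
current_body_limit() {
    awk 'tolower($1) == "secrequestbodylimit" { v = $2 } END { if (v != "") print v }' "$1"
}

# ensure_body_limit FILE BYTES
# Prints "unchanged" or "updated"; returns non-zero and leaves FILE alone on bad input.
ensure_body_limit() {
    conf=$1
    want=$2
    case $want in
        ''|*[!0-9]*) echo "not a byte count: $want" >&2; return 2 ;;
    esac
    # The length check keeps oversized numbers away from the integer comparison.
    if [ "${#want}" -gt 10 ] || [ "$want" -gt "$MODSEC_HARD_LIMIT" ]; then
        echo "$want exceeds the $MODSEC_HARD_LIMIT byte hard limit" >&2
        return 2
    fi
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 3; }

    if [ "$(current_body_limit "$conf")" = "$want" ]; then
        echo unchanged
        return 0
    fi

    tmp=$(mktemp) || return 3
    # Drop any existing directive so only one value is in effect, then append ours.
    awk 'tolower($1) != "secrequestbodylimit"' "$conf" > "$tmp"
    printf 'SecRequestBodyLimit %s\n' "$want" >> "$tmp"
    cp -p "$conf" "$conf.bak"      # keep the previous version next to the file
    cat "$tmp" > "$conf"           # overwrite in place to keep owner and mode
    rm -f "$tmp"
    echo updated
}

# Usage: sh ensure_limit.sh FILE BYTES  (for example after an up2date)
if [ "$#" -eq 2 ]; then
    ensure_body_limit "$1" "$2"
fi
```

A result of "updated" on a file that previously carried the override indicates that an update has replaced the file.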