Hi, from time to time we experience some memory issues on our apache webservers. The apache processes use more and more memory (4 times more than usual). Everytime this happens, we can see the message "011f0005:3: HTTP header (33304) exceeded maximum allowed size of 32768". I know that this is only a "informal" message. But now I want to know what client and what request caused this log entry, because we want to identify the cause for the memory usage on the webservers. I didn´t find a irule parameter that I can use to log the requests that exceed that maximum http header size. Has anyone an idea how to log those requests ? kind regards, Alex

If you're looking to monitor your headers for a specific string length, we can certainly help with that. Let's use the 32768 character limit that you mentioned above, and look for any headers that are represented as strings longer than that value. We'll send a log message to the /var/log/ltm log if we find one. The code looks like: when HTTP_REQUEST { foreach header {[HTTP::header names]} { if {[string length $header] > 32768} { log local0. "Header exceeds maximum length! - Header Name: $header, Length: [string length $header], Value: [HTTP::header value $header]" } } } This should log the information you're looking for. Keep in mind, though, that to do this you're forcing the LTM to loop through every header on every inbound HTTP request. This is probably NOT what you're looking for, as it's going to end up being pretty resource intensive pretty fast. If you're relatively confident that your HTTP headers aren't going to be changing all over the place within the scope of a given connection, you could easily have the LTM just parse through all of the headers once, on the first request that comes in, and then be done with it. That would look like this: when CLIENT_ACCEPTED { set loop 0 } when HTTP_REQUEST { if {$loop == 0} { foreach header {[HTTP::header names]} { if {[string length $header] > 32768} { log local0. "Header exceeds maximum length! - Header Name: $header, Length: [string length $header], Value: [HTTP::header value $header]" } } incr loop } } Hopefully that sheds a little light on what you're looking for. Colin

one small correction I think: shouldn't [string length $header] be (in all cases):[string length [HTTP::header value $header]to eval the length of the header value rather than the length of the header name? /d

thx for the suggestions, we finally found out that it wasn´t the client request that exceeded the maximum header size but the server reply. at the moment the problem disappeared so we have to wait...because we still don´t know what´s the reason for this problem unfortunately the performace decrease we experience when parsing all responses is much too big, so that i fear we have to analyse thousands of requests via tcpdump.

Hi Guys, What if I want to create a logging (I know iRules can do this) for client IP and Port when a max header value of http profile has been reached and then blocked? Thanks!

Hi Raj, Check your other reply for more info: http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/aft/1144919/showtab/groupforums/Default.aspx Aaron

log connections, that exceed maximum header size

11 Replies

Colin_Walker_12
Historic F5 Account
Jan 29, 2009
If you're looking to monitor your headers for a specific string length, we can certainly help with that. Let's use the 32768 character limit that you mentioned above, and look for any headers that are represented as strings longer than that value. We'll send a log message to the /var/log/ltm log if we find one. The code looks like:

when HTTP_REQUEST { foreach header {[HTTP::header names]} { if {[string length $header] > 32768} { log local0. "Header exceeds maximum length! - Header Name: $header, Length: [string length $header], Value: [HTTP::header value $header]" } } }

This should log the information you're looking for. Keep in mind, though, that to do this you're forcing the LTM to loop through every header on every inbound HTTP request. This is probably NOT what you're looking for, as it's going to end up being pretty resource intensive pretty fast. If you're relatively confident that your HTTP headers aren't going to be changing all over the place within the scope of a given connection, you could easily have the LTM just parse through all of the headers once, on the first request that comes in, and then be done with it.

That would look like this:

when CLIENT_ACCEPTED { set loop 0 } when HTTP_REQUEST { if {$loop == 0} { foreach header {[HTTP::header names]} { if {[string length $header] > 32768} { log local0. "Header exceeds maximum length! - Header Name: $header, Length: [string length $header], Value: [HTTP::header value $header]" } } incr loop } }

Hopefully that sheds a little light on what you're looking for.

Colin
Deb_Allen_18
Historic F5 Account
Feb 02, 2009
one small correction I think:

shouldn't
[string length $header]
be (in all cases):
[string length [HTTP::header value $header]
to eval the length of the header value rather than the length of the header name?

/d
asieber_102433
Nimbostratus
Feb 04, 2009
thx for the suggestions, we finally found out that it wasn´t the client request that exceeded the maximum header size but the server reply.

at the moment the problem disappeared so we have to wait...because we still don´t know what´s the reason for this problem

unfortunately the performace decrease we experience when parsing all responses is much too big, so that i fear we have to analyse thousands of requests via tcpdump.
Raj_Zucre_Ramir
Nimbostratus
Apr 27, 2011
Hi Guys,

What if I want to create a logging (I know iRules can do this) for client IP and Port when a max header value of http profile has been reached and then blocked?

Thanks!
hooleylist
Cirrostratus
Apr 28, 2011
Hi Raj,

Check your other reply for more info:

http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/aft/1144919/showtab/groupforums/Default.aspx

Aaron
sprashanthac_81
Nimbostratus
Jan 05, 2012
What is the maximum allowed size of the http header can we got to a length of 128k ??
nitass
Employee
Jan 05, 2012
What is the maximum allowed size of the http header can we got to a length of 128k ??i have not found the maximum allowed size but one of my colleague has mentioned he was able to raise it up to 4967295.
sprashanthac_81
Nimbostratus
Jan 05, 2012
I will be trying to raise it to the 128k size and see if that is not going to be an issue. Thanks for the reply though, I could not even find it in the F5 site so perhaps should be alright
hooleylist
Cirrostratus
Jan 05, 2012
I think the theoretical maximum for the maximum header size is 4,294,967,295 bytes. 128k should be fine. Keep in mind that increasing the max header size buffer can increase the memory usage for each HTTP request.

Aaron
hooleylist
Cirrostratus
Jan 05, 2012
Here's an updated version of the iRule you can use to log long header values. Note that the HTTP profile setting for Max HTTP headers size must be greater than the actual request's headers in order to avoid being reset and trigger the HTTP_REQUEST event. This version checks the total headers size before looping through each header. So it should be a bit more efficient than the previous version.

when HTTP_REQUEST { Check the total HTTP headers size if {[string length [HTTP::request]] > 10000 }{ Loop through the headers by name foreach header {[HTTP::header names]} { Check for a long header value if {[string length [HTTP::header value $header]] > 1000 } { log local0. "Header is long. Header Name: $header,\ Length: [string length [HTTP::header value $header]], Value: [HTTP::header value $header]" } } } }