Apache Web Server Resource Usage Restriction Configuration

  
3.4.3 Apache Web Server Resource Usage Restriction Configuration

"Resource usage restriction" restricts users' access to specific resources of the website (such as directories and server hardware). The related directives are LimitRequestBody, LimitRequestFields, LimitRequestFieldSize, LimitRequestLine, RLimitCPU, RLimitMEM, RLimitNPROC, and ThreadStackSize.

The LimitRequest* family of directives limits the amount of resources Apache uses in reading client requests. Limiting these values mitigates some denial-of-service (DoS) attacks. The RLimit* family of directives limits the amount of resources used by processes spawned by Apache child processes, and is typically used to control the resources used by CGI scripts and SSI exec commands. The ThreadStackSize directive is used on some platforms to control the stack size.

1. LimitRequestBody
The LimitRequestBody directive limits the maximum byte length of the HTTP request body sent by the client. Its syntax is: LimitRequestBody Bytes, where Bytes is the number of bytes allowed in the request body, from 0 (meaning unlimited) to 2 147 483 647 (2GB). The default is "0".

The directive lets the administrator set a limit on the maximum byte length of the HTTP request body that a client may send within the scope where the directive appears (entire server, specific directory, specific file, specific location). If a client's request exceeds this limit, the server responds with an error instead of servicing the request. The size of a normal request body depends largely on the nature of the resource and the methods allowed on that resource. CGI scripts often use the message body to pass form information to the server. Resources that accept the PUT method need a value at least as large as the amount of information the server expects to receive for that resource.

This directive gives the server administrator greater control over abnormal client request behavior, which helps to avoid some forms of denial-of-service attacks. For example, if you allow files to be uploaded to a location and want to limit the size of an uploaded file to 100KB, you can use the following directive:

LimitRequestBody 102400

2. LimitRequestFields
The LimitRequestFields directive limits the number of HTTP request header fields accepted in a client request. Its syntax is: LimitRequestFields Number, where Number is an integer from 0 (meaning unlimited) to 32 767. The default is "100", which is the compile-time constant DEFAULT_LIMIT_REQUEST_FIELDS (100 in the released version).

The directive allows the server administrator to modify the limit on the number of request header fields in an HTTP request. The value needs to be greater than the number of header fields in a normal client request. A client request rarely contains more than 20 header fields, but the number varies greatly between clients, often depending on how the user has configured browser extensions to support more detailed content negotiation. Optional HTTP extensions are often implemented using request header fields.

The directive gives the server administrator greater control over abnormal client request behavior, which helps to avoid some forms of denial-of-service attacks. If normal clients receive a response from the server indicating that too many header fields were sent in the request, increase this value appropriately. For example:

LimitRequestFields 50

3. LimitRequestFieldSize
The LimitRequestFieldSize directive limits the size in bytes of an HTTP request header field sent by the client. Its syntax is: LimitRequestFieldSize Bytes, where Bytes specifies the number of bytes allowed in an HTTP request header field. The default is "8190".

The directive allows the server administrator to increase or reduce the size limit of an HTTP request header field. In general, the value needs to be large enough to hold any header field from a normal client request. The size of a normal header field varies widely between clients and is closely related to how the user has configured the browser to support content negotiation.

The directive gives the server administrator greater control over abnormal client request behavior, which helps to avoid some forms of denial-of-service attacks. For example:

LimitRequestFieldSize 4094

In general, do not change this setting; keep its default.

4. LimitRequestLine
The LimitRequestLine directive limits the size in bytes of the HTTP request line accepted from the client. Its syntax is: LimitRequestLine Bytes, where Bytes sets the limit on the number of bytes in the HTTP request line. The default value is also "8190".

The directive allows the server administrator to increase or decrease the size limit of the client's HTTP request line. Because the request line consists of the HTTP method, the URI, and the protocol version, LimitRequestLine in effect limits the length of the request URI. The value needs to be large enough to hold any of the server's resource names, including any information that might be passed in the query part of a GET request.

The directive also gives the server administrator greater control over abnormal client request behavior, which helps to avoid some forms of denial-of-service attacks. For example:

LimitRequestLine 4094

In general, you do not need to change the default value of this setting.

5. RLimitCPU
The RLimitCPU directive limits the maximum number of CPU seconds that processes spawned by Apache child processes may use. The CPU resource limit is expressed in seconds per process. Its syntax is: RLimitCPU seconds|max [seconds|max]. No default is defined; the operating system defaults are used.

The first parameter sets the soft resource limit for all processes, and the second parameter sets the maximum resource limit. Either parameter can be a number or "max", which means the maximum allowed by the operating system. Raising the maximum resource limit requires that the server runs as root or that the limit is set in the initial startup phase.

The limit applies to processes spawned by Apache child processes while servicing requests, not to the Apache child processes themselves. This includes CGI scripts and SSI exec commands, but not processes spawned by the Apache parent process, such as piped logs.

6. RLimitMEM
The RLimitMEM directive limits the maximum number of bytes of memory used by processes spawned by Apache child processes. The memory resource limit is expressed in bytes per process. Its syntax is: RLimitMEM Bytes|max [Bytes|max]. No default is defined here either; the operating system defaults are used.

The first parameter sets the soft resource limit for all processes, and the second parameter sets the maximum resource limit. Either parameter can be a number or "max", which means the maximum allowed by the operating system. Raising the maximum resource limit requires that the server runs as root or that the limit is set in the initial startup phase.

The limit applies to processes spawned by Apache child processes while servicing requests, not to the Apache child processes themselves. This includes CGI scripts and SSI exec commands, but not processes spawned by the Apache parent process, such as piped logs.

7. RLimitNPROC
The RLimitNPROC directive limits the number of processes that can be created by processes spawned by Apache child processes. The process limit controls the number of processes per user. Its syntax is: RLimitNPROC number|max [number|max]. No default is defined here either; the operating system defaults are used.

The first parameter sets the soft resource limit for all processes, and the second parameter sets the maximum resource limit. Either parameter can be a number or "max", which means the maximum allowed by the operating system. Raising the maximum resource limit requires that the server runs under an administrator account or that the limit is set in the initial startup phase.

The limit applies to processes spawned by Apache child processes while servicing requests, not to the Apache child processes themselves. This includes CGI scripts and SSI exec commands, but not processes spawned by the Apache parent process, such as piped logs.

If the CGI process is not started with the web server's uid, then this directive will limit the number of processes the server itself can create. This situation is recorded as "cannot fork" in the error_log.

8. ThreadStackSize
The ThreadStackSize directive sets the stack size (in bytes) used by the threads that handle client connections. Its syntax is: ThreadStackSize size. The default is 65 536 on NetWare systems and the operating system default on other systems.

The directive sets the maximum stack size (in bytes) allowed for threads that handle client connections, including the modules they call to help with processing. In most cases the operating system default stack size is reasonable, but in some cases the value needs to be adjusted. For example, on a platform with a smaller default stack size (such as HP-UX), Apache might crash when using some third-party modules that require a larger stack. Such a problem can be solved by setting ThreadStackSize to a larger value. This adjustment should only be needed when a third-party module provider explicitly requests it, or when diagnosis shows that a crash was caused by a stack that is too small.

On some platforms, if the default stack size is larger than the server needs, lowering ThreadStackSize below the operating system default increases the maximum number of threads that can be created in each process. This type of adjustment should only be made in a test environment where all server processing can be fully tested, because a few rare requests may require a large stack. A small change in the server configuration can make the current ThreadStackSize setting inappropriate.
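The LimitRequest* and RLimit* settings from sections 1 to 7 can be checked mechanically. The following Python script is an added example, not part of the original article: it parses a configuration, treats every <...> container as its own scope, and reports limits that are unlimited or left to the operating system. The function names parse and audit and the sample configuration are constructed for illustration; the defaults are the ones stated in this article.

```python
import re
# LimitRequest* defaults as stated in this article (0 means unlimited).
PAGE_DEFAULTS = {"limitrequestbody": 0, "limitrequestfields": 100,
                 "limitrequestfieldsize": 8190, "limitrequestline": 8190}
RLIMITS = ("rlimitcpu", "rlimitmem", "rlimitnproc")
SECTION = re.compile(r"^<(/?)(\w+)\s*([^>]*)>$")

def parse(conf_text):
    """Map (scope, directive) -> argument list; scope is 'server' or a section header."""
    settings, stack = {}, ["server"]
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank line or comment
            continue
        m = SECTION.match(line)
        if m and m.group(1):                      # closing tag: leave the scope
            stack = stack[:-1] or ["server"]
        elif m:                                   # <Directory>, <Location>, ...
            stack.append(f"{m.group(2)} {m.group(3)}".strip())
        else:                                     # directive names are case-insensitive
            name, *args = line.split()
            settings[(stack[-1], name.lower())] = args
    return settings

def audit(conf_text):
    """Return sorted findings for the resource-limit directives described above."""
    settings, findings = parse(conf_text), []
    for name, default in PAGE_DEFAULTS.items():   # effective server-wide values
        if int(settings.get(("server", name), [default])[0]) == 0:
            findings.append(f"server: {name} is unlimited")
    for (scope, name), args in settings.items():  # sections that lift a limit
        if scope != "server" and name in PAGE_DEFAULTS and int(args[0]) == 0:
            findings.append(f"{scope}: {name} reset to unlimited")
    for name in RLIMITS:                          # limits for CGI/SSI children
        if not any(d == name for _, d in settings):
            findings.append(f"server: {name} unset, CGI/SSI children use OS defaults")
    return sorted(findings)

# Constructed sample configuration (not from the article).
SAMPLE = """LimitRequestFields 50
RLimitCPU 10 20
<Directory "/var/www/upload">
    LimitRequestBody 102400
</Directory>
<Location "/legacy">
    LimitRequestFields 0
</Location>"""
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Compare the defaults in PAGE_DEFAULTS with the documentation of the Apache release you run before relying on the server-level findings.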