MaxRequest not working as expected (OpenBSD v4.2, Pound 2.3.2, OpenSSL 0.9.8g)
Calomel <cinerx(at)calomel.org>
2007-12-06 17:19:42
Good Morning,

While testing Pound I have run into a problem with the directive,
"MaxRequest".  When I set MaxRequest to the amount of bytes I want to limit
the GET request to, Pound lets the request through to the back end no matter
what value I use.  All other directives in my pound.conf work without
issue.

I am testing Pound on OpenBSD v4.2. Pound v2.3.2 is built from source using
OpenSSL 0.9.8g built with pthreads enabled.

To test: I send the pound server a 5 kilobyte (5KB) GET request to look
like a malicious scan. If I set "MaxRequest 1000" then I believe the GET
should be rejected as it is over 1000 bytes in size. Even if I reduce
"MaxRequest" to "1" the request still goes through. Am I reading the
man page definition correctly?

I also built Pound v2.4e and used the same config file. The problem is I
had to keep reducing the MaxRequest down to "5" in order to block a 1.9
kilobyte (1.9KB) GET request. This is not an expected result.

Could this possibly be a problem with Pound on OpenBSD?


This is the "how to" I wrote that explains exactly how I set up the testing
environment.

  Pound reverse proxy "how to"
  http://calomel.org/pound.html

This is the pound.conf file I made:

####################################
#### Calomel.org  Pound.conf   BEGIN
####################################
User        "pound"
Group       "pound"
LogFacility daemon
LogLevel    4
Alive       30
Client      10
TimeOut     10
Grace       10

ListenHTTP
   Address    127.0.0.1
   CheckURL   "(^\/|\.html|\.css|\.jpg|favicon\.ico|robots\.txt|\.png)$"
   HeadRemove "X-Forwarded-For"
   MaxRequest 1000
   Port       8081
   xHTTP      0

   Err414 "/var/www/htdocs/error/generic_error_page"
   Err500 "/var/www/htdocs/error/generic_error_page"
   Err501 "/var/www/htdocs/error/generic_error_page"
   Err503 "/var/www/htdocs/error/generic_error_page"

   Service
      HeadDeny    "^(HEAD|POST)"
      HeadRequire "(Host: your_host.com|Host: www.your_host.com)"
      BackEnd
         Address  127.0.0.1
         Port     8080
      End
   End
End
####################################
#### Calomel.org  Pound.conf     END
####################################

--
 Calomel (at) http://calomel.org
 Open Source Research and Reference

Re: MaxRequest not working as expected (OpenBSD v4.2, Pound 2.3.2, OpenSSL 0.9.8g)
Calomel <cinerx(at)calomel.org>
2007-12-07 17:58:33
Good Morning,

After some exhaustive testing I have a bit more information.

I could not get "MaxRequest" blocking to work all the time in Pound v2.3.2,
but I was able to get it working in v2.4e (current).

Test environment: OpenBSD v4.2, Pound v2.4e is built from source using
OpenSSL 0.9.8g built with pthreads enabled.

The request is in the form:
  wget http://your_host.com/abc...<1024 bytes of text>...abc.htm


If MaxRequest is set anywhere from 1 to 1024 the results were the same.

If I make the GET request less than or equal to 1024 (<= 1024) bytes the
request goes through. If the GET request is greater than 1024 (>1024) bytes
it gets blocked.

This may be a network socket limit, buffer or something else. If anyone has
any insight into this problem I would be interested in hearing it. The
"how to" has been updated with the latest test build instructions.

  Pound reverse proxy "how to"
  http://calomel.org/pound.html

--
 Calomel (at) http://calomel.org
 Open Source Research and Reference


On Thu, Dec 06, 2007 at 11:19:42AM -0500, Calomel wrote:[...]

Re: [Pound Mailing List] Re: MaxRequest not working as expected (OpenBSD v4.2, Pound 2.3.2, OpenSSL 0.9.8g)
Robert Segall <roseg(at)apsis.ch>
2007-12-08 09:02:20
On Fri, 2007-12-07 at 11:58 -0500, Calomel wrote:[...]

I think you are mixing two things here:

- the length of the request URL is limited by the MAXBUF parameter
(default: 1024, can be set to something else at compile time). Anything
longer than that will be rejected by Pound, and never seen on the
back-end.

- the MaxRequest parameter defines how large is the BODY of a request
(for example, if you upload a file). Requests are allowed through to the
back-end, but the body (contents) is truncated to this size.

Hope this helps.[...]
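
Added example (not part of the original thread, and not Pound or Calomel code): a boundary probe for the URL-length limit described in the reply above, which binary-searches the longest URL a proxy you operate still passes. The names, the set of status codes treated as a rejection, and the stub's way of counting the request line are assumptions; the stub stands in for the proxy so the block runs offline.

```python
import socket

# Assumption: statuses treated as "rejected by the proxy": connection closed
# without a reply (0) or the codes the posted pound.conf defines Err pages for.
REJECTED = {0, 414, 500, 501, 503}

def build_request(host, url_len):
    """Raw GET whose URL path is exactly url_len bytes (url_len >= 7)."""
    path = "/" + "a" * (url_len - 6) + ".html"  # constructed filler path
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()

def send_http(addr, port, request, timeout=5.0):
    """Send raw bytes to a proxy you operate; return status code, 0 if none."""
    with socket.create_connection((addr, port), timeout=timeout) as s:
        s.sendall(request)
        reply = s.recv(4096)
    parts = reply.split(None, 2)
    return int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0

def largest_accepted(status_for_len, lo=7, hi=8192):
    """Binary-search the longest URL that is not rejected (None if lo fails).
    Assumes acceptance is monotonic in length, as a fixed buffer implies."""
    if status_for_len(lo) in REJECTED:
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if status_for_len(mid) in REJECTED:
            hi = mid - 1
        else:
            lo = mid
    return lo

def stub_proxy(maxbuf):
    """Constructed stand-in, not Pound: rejects request lines over maxbuf bytes
    with 414 and answers 404 otherwise, as a back end would for a filler path."""
    def handle(request):
        line = request.split(b"\r\n", 1)[0]
        return 414 if len(line) > maxbuf else 404
    return handle

def probe_stub(maxbuf=1024, host="your_host.com"):
    """Run the search against the stub and return the longest accepted URL."""
    proxy = stub_proxy(maxbuf)
    return largest_accepted(lambda n: proxy(build_request(host, n)))

if __name__ == "__main__":
    # Offline run against the stub; for a live test pass instead
    # lambda n: send_http("127.0.0.1", 8081, build_request("your_host.com", n))
    print("longest accepted URL:", probe_stub(), "bytes")
```

Because the stub counts the whole request line ("GET ", the URL and " HTTP/1.0"), the URL length it reports is 13 bytes below the buffer size; a real proxy may count differently, which is what the live probe measures.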

Re: [Pound Mailing List] Re: MaxRequest not working as expected (OpenBSD v4.2, Pound 2.3.2, OpenSSL 0.9.8g)
Calomel <cinerx(at)calomel.org>
2007-12-08 18:01:41
Robert,

Thank you for the reply. It helped immensely. When recompiled with a
smaller MAXBUF, Pound blocked the body of the requests as expected.

I am going to post this information on my site for others to find. A few
readers had mailed me directly about this very same concern.

Again, thanks for a great product.

--
 Calomel (at) http://calomel.org
 Open Source Research and Reference


On Sat, Dec 08, 2007 at 09:02:20AM +0100, Robert Segall wrote:[...][...][...]
