How to Increase HTTP Header Size to Prevent Server Limit Errors (Doc ID 819301.1)

Last updated on APRIL 29, 2016

Applies to:

Oracle HTTP Server - Version 10.1.2.0.0 to 10.1.3.5.0 [Release AS10gR2 to AS10gR3]
Oracle Containers for J2EE - Version 10.1.2.0.0 to 10.1.3.5.0 [Release AS10gR2 to AS10gR3]
Web Cache - Version 10.1.2 to 10.1.2.3.0 [Release AS10gR2]
Oracle HTTP Server - Version 11.1.1.2.0 and later
Information in this document applies to any platform.
Update:
-- The scope of this document is primarily Oracle HTTP Server 10g and its integration with OC4J applications in an Oracle Application Server 10g environment. Larger applications that pass a larger amount of data may require compatible header sizes, adjusted through the entire stack, as per an OHS/OC4J bug filed.

-- With newer releases (11g+), OC4J is not integrated, but Oracle HTTP Server itself has the same header sizes and the ability to increase them at an administrator's discretion. This is done through the LimitRequestFieldSize parameter in httpd.conf, as documented at http://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize. OHS 11g has reported a high limit of 2147483647, but this may depend on version and must be coordinated with other servers processing the request (e.g. LBRs, proxies, OAM, WLS) and with the security and performance best-practice standards for the business requirements. Before raising the limit too high, always question what the application code is doing to produce the higher requirement and whether it should be optimized.

-- On the application side for 11g, the concern may be what to set for WebLogic Server. Configure and use a Network Channel on which you specify the appropriate setting for MaxMessageSize to accommodate the headers. MaxMessageSize on the (Network Channel) MBean controls the maximum HTTP request header size. MaxPostSize controls the maximum HTTP request body size.

Goal


When the HTTP header size limit is reached, Oracle HTTP Server 10g rejects the request, thus preventing a buffer overrun. In this example, an abnormally large request is rejected with an HTTP 400 error followed by a 401 error:

X.X.X.X--[date/time] GET /a/location/your.application?parameter=blahblah HTTP/1.1 400 16784
X.X.X.X--[date/time] GET /a/location/your.application?parameter=blahblahblah HTTP/1.1 401 5

The "16784" in the above example is the byte size of the object returned to the client, not including the response headers.  If no content was returned to the client, this value will be "-". Tracing this in all requests can help determine if you have an application with higher size requirements when following this document. 

The following error is typically seen in the OHS error log when the headers cannot be read, but it will not explicitly appear this way if the headers are being truncated behind the OHS processing:

[error] [client xxx.x.x.x] request failed: error reading the headers
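One way to trace these rejections across both logs, as an added example that is not part of the original note: it groups HTTP 400 responses by request path and flags paths whose clients also appear in the error log with the message above. The log lines are constructed samples in Apache common log format, and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines (Apache common log format); the addresses are
# documentation-range placeholders, not values from the original note.
ACCESS_LOG = """\
192.0.2.10 - - [29/Apr/2016:10:00:01 +0000] "GET /a/location/your.application?parameter=blahblah HTTP/1.1" 400 16784
192.0.2.10 - - [29/Apr/2016:10:00:02 +0000] "GET /a/location/your.application?parameter=blahblahblah HTTP/1.1" 401 5
192.0.2.11 - - [29/Apr/2016:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 512
192.0.2.12 - - [29/Apr/2016:10:00:04 +0000] "GET /a/location/your.application HTTP/1.1" 400 -
"""
ERROR_LOG = """\
[Fri Apr 29 10:00:01 2016] [error] [client 192.0.2.10] request failed: error reading the headers
[Fri Apr 29 10:00:05 2016] [error] [client 192.0.2.13] File does not exist: /htdocs/favicon.ico
"""

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)$')
ERROR_RE = re.compile(r'\[error\] \[client ([^\]]+)\] request failed: error reading the headers')

def header_limit_candidates(access_log, error_log):
    """Return {path: {"count", "clients", "in_error_log"}} for HTTP 400 responses."""
    failed_clients = {m.group(1) for m in ERROR_RE.finditer(error_log)}
    report = defaultdict(lambda: {"count": 0, "clients": set(), "in_error_log": False})
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m or m.group(4) != "400":
            continue  # only rejected requests are of interest here
        client, _method, target, _status, _size = m.groups()
        path = target.split("?", 1)[0]  # group by path, ignoring the query string
        entry = report[path]
        entry["count"] += 1
        entry["clients"].add(client)
        entry["in_error_log"] |= client in failed_clients
    return dict(report)

if __name__ == "__main__":
    for path, info in header_limit_candidates(ACCESS_LOG, ERROR_LOG).items():
        print(path, info["count"], sorted(info["clients"]), info["in_error_log"])
```

A path that returns 400 repeatedly with no matching error-log entry fits the case described above, where the headers are truncated behind the OHS processing.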



In the client browser, there may be text displayed as:

"HEADER FIELD SERVER LIMIT error"

"Internal Error"

"Your browser sent a request that this server could not understand. Size of a request header field exceeds server limit"

 

When processing applications deployed in OC4J, the following errors may be seen in the logs:

"java.lang.ArrayIndexOutOfBoundsException"

"ServletException"

"AJPRequestHandler.run Internal Errorjava.io.IOException: Broken pipe"

 

Oracle HTTP Server 10g originally had a maximum header size of 8K (8190), prior to the 9.0.4.3 and 10.1.2.2 releases. In the 9.0.4.3, 10.1.2.2 and 10.1.3.1 releases, the limit was allowed to increase to 16K (16380). Starting with the 10.1.2.3 and 10.1.3.3 Patch Sets, the limit has been allowed to increase to 200K (204750). The increased size has been allowed because applications have become more robust and intensive, but it is not always required. If non-default limits are desired, configuration settings are required.

The header size limit can apply to an application when a large amount of data is passed in the request headers. While it's important to keep a limit for security reasons, it is also important to keep the headers at an acceptable size for performance: larger headers mean there is more to load into memory. Application developers should be aware of, and concerned about, the header requirements for performance reasons. After fulfilling the patching requirements noted below, the following parameters may be set to take advantage of the ability to raise the HTTP header limits:

The value set in each must be between 8190 and 204750 and the same across all configuration files. The only exception is oracle.oc4j.ajp.responseheader.size, which is optional. This may be equal to or less than the others, but never higher. The configuration changes must be made at the same time, not separately. This is most important, or there may be unexpected results: a large header may come through but be dropped somewhere in the back end with no real error message depicting the actual cause.

The difference between the two oracle.oc4j.ajp OC4J values is as follows:

The following two documents each describe an issue where application processing called for a larger header size in order to complete:

<Note 295791.1> Kerberos/SSO Session Key With WNA Creates a Header Size Over Server Limit
<Note 332838.1> Enabling IASPT & Larger HTTP Headers in Oracle HTTP Server
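To find which header field is driving a larger requirement before any limit is raised, the added example below (not part of the original note) measures each field of a captured request and maps it to the smallest of the limits stated above. The sample request is constructed, with an oversized Authorization: Negotiate token standing in for the Kerberos/SSO case; the function names and host name are hypothetical, and the size count approximates the per-field check.

```python
# Limits stated in the note: 8K (default), 16K, and the 200K maximum.
DOCUMENTED_LIMITS = (8190, 16380, 204750)

# Constructed sample request; the token and cookie are filler bytes.
SAMPLE = (
    b"GET /a/location/your.application HTTP/1.1\r\n"
    b"Host: app.example.com\r\n"
    b"Authorization: Negotiate " + b"A" * 9000 + b"\r\n"
    b"Cookie: session=" + b"c" * 300 + b"\r\n"
    b"\r\n"
)

def field_sizes(raw_request):
    """Return [(name, bytes)] per header field line (without CRLF), largest first."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    sizes = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        if line[:1] in (b" ", b"\t") and sizes:
            # Obsolete folded continuation: counts toward the previous field.
            name, size = sizes[-1]
            sizes[-1] = (name, size + len(line))
            continue
        name = line.split(b":", 1)[0].decode("latin-1")
        sizes.append((name, len(line)))
    return sorted(sizes, key=lambda item: item[1], reverse=True)

def required_limit(size):
    """Smallest documented limit that fits the field, or None if none does."""
    return next((limit for limit in DOCUMENTED_LIMITS if size <= limit), None)

def oversized_fields(raw_request, configured_limit=8190):
    """Fields larger than the configured limit, with the limit each would need."""
    return [(name, size, required_limit(size))
            for name, size in field_sizes(raw_request)
            if size > configured_limit]

if __name__ == "__main__":
    for name, size, needed in oversized_fields(SAMPLE):
        print(f"{name}: {size} bytes, needs a limit of at least {needed}")
```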

Solution
