Apache 403 error when posting more than 8186 bytes

Question Votes: 0 Answers: 1

I have some strange server behaviour that I need to sort out. The error shows up as:


curl -d "post=`printf '%0.s0' {1..8186}`" -X POST https://<server-name>/index.php/start/post_test
2023-04-02 09:34:51 Length of post is : 8186%

curl -d "post=`printf '%0.s0' {1..8187}`" -X POST https://<server-name>/index.php/start/post_test
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
</body>
</html>

Any POST shorter than 8187 characters works. The PHP code is:

public function post_test(): void
{
    // Controller action in CodeIgniter style (assumed from $this->input->post()).
    $post = $this->input->post('post');
    // CKD_DATETIME_MYSQL is an application-defined date format constant.
    echo (new DateTime(NULL, new DateTimeZone('Australia/Hobart')))->format(CKD_DATETIME_MYSQL)
        . ' Length of post is : ' . strlen($post);
}

Server details:

$uname -a
Linux mrffpa5e1d0 4.18.0-425.13.1.el8_7.x86_64 #1 SMP Thu Feb 2 13:01:45 EST 2023 x86_64 x86_64 x86_64 GNU/Linux

$httpd -v
Server version: Apache/2.4.37 (Red Hat Enterprise Linux)
Server built:   Jan 31 2023 12:55:09

$ php -v
PHP 7.4.30 (cli) (built: Jun  7 2022 08:38:19) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies

$php -i | grep post
post_max_size => 128M => 128M

$ php -i | grep max_input_vars
max_input_vars => 5000 => 5000

$sudo grep -ir security_module /etc/httpd
(no output)
$httpd -l
Compiled in modules:
  core.c
  mod_so.c
  http_core.c

$free -m
              total        used        free      shared  buff/cache   available
Mem:           1780         697         318           0         765         924
Swap:             0           0           0

$ getsebool -a | grep post
postfix_local_write_mail_spool --> on
postgresql_can_rsync --> off
postgresql_selinux_transmit_client_label --> off
postgresql_selinux_unconfined_dbadm --> on
postgresql_selinux_users_ddl --> on
selinuxuser_postgresql_connect_enabled --> off

$ getsebool -a | grep httpd
httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> on
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> on
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_graceful_shutdown --> off
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> off
httpd_run_ipa --> off
httpd_run_preupgrade --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_sys_script_anon_write --> off
httpd_tmp_exec --> off
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_opencryptoki --> off
httpd_use_openstack --> off
httpd_use_sasl --> off
httpd_verify_dns --> off

My guess is that a setting on the firewall machine is causing this behaviour. I have root access to this machine, but no information about the network architecture.

Does anyone know how to remove this limit so that larger posts are allowed?

apache redhat
1 Answer
0 votes

This turned out to be an Amazon Web Services Web Application Firewall. It was configured with the basic settings, which have an 8 KB maximum body size.

See https://securityboulevard.com/2022/10/8-kb-is-not-enough-why-wafs-cant-protect-apis/ for more information.

After the limit was lifted, posting handles large files as expected.

$ post=`perl -e 'print "0" x 30000000'` ; echo "post=$post" > post.txt
$ curl -d @post.txt https://<server-name>/index.php/start/post_test

2023-04-04 09:57:13 Length of post is : 30000000
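A small diagnostic in the spirit of the curl probes above, written as an added example (not code from the original question or answer): it binary-searches the largest POST body a server accepts before an upstream 403 appears, and checks whether the 403 page is the bare one shown in the question rather than Apache's own error document. The endpoint URL is a placeholder, and `simulated_waf` is a constructed stand-in for the live server so the example runs offline; its 8192-byte cut-off is derived from the question's numbers (`post=` plus 8186 zeros is 8191 bytes and passed, 8192 bytes was blocked).

```python
"""Added example (not from the original post): find the body-size cut-off
behind a 403 and tell an upstream block page from Apache's own 403 page."""
import urllib.error
import urllib.request
from typing import Callable

# Assumed placeholder endpoint; replace with the real URL when probing.
URL = "https://<server-name>/index.php/start/post_test"

def form_body(total_bytes: int, field: str = "post") -> bytes:
    """Build the same body the question's curl sends: 'post=' plus zeros."""
    prefix = f"{field}=".encode()
    if total_bytes < len(prefix):
        raise ValueError("body too small to hold the field name")
    return prefix + b"0" * (total_bytes - len(prefix))

def http_status(url: str, body: bytes, timeout: float = 10.0) -> int:
    """Real transport: POST the body and return the HTTP status code."""
    req = urllib.request.Request(url, data=body, method="POST",
          headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def find_max_accepted(status_for: Callable[[int], int], lo: int, hi: int) -> int:
    """Binary-search the largest body size (bytes) not rejected with 403,
    assuming a monotone cut-off: lo must be accepted and hi rejected."""
    if status_for(lo) == 403 or status_for(hi) != 403:
        raise ValueError("cut-off not bracketed: check lo/hi or the error code")
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if status_for(mid) == 403:
            hi = mid
        else:
            lo = mid
    return lo

def looks_like_upstream_block(html: str) -> bool:
    """True for the bare page in the question; Apache's default 403 document
    instead contains 'You don't have permission to access this resource'."""
    return ("<title>403 Forbidden</title>" in html
            and "You don't have permission" not in html)

def simulated_waf(limit: int = 8192) -> Callable[[int], int]:
    """Constructed stand-in for the live server: any body of at least
    `limit` bytes is answered with 403, everything smaller with 200."""
    return lambda size: 403 if size >= limit else 200
```

Against a live server, pass `lambda n: http_status(URL, form_body(n))` as `status_for` with a small `lo` and a generous `hi`; on the constructed stand-in the search returns 8191, matching the question.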