[gateway] Default max_header size for the gateway is not configurable #2037

Closed
johnlithgow88 opened this Issue Mar 13, 2019 · 0 comments

johnlithgow88 commented Mar 13, 2019

The default max_header size is 8192 bytes for the gateway, but it is not configurable at the current version.

Expected Behavior

Expect that one could adjust the max_header_size to increase or decrease the default. This could be adjusted through the management API/UI or the gravitee.yml.

Also expect that if this did occur, that there would be an entry in the access.log or the gravitee.log and that the X-Gravitee-Transaction-Id would be added to the response.

Current Behavior

The max_header is not configurable. This is an issue when sending requests with header sizes greater than 8192 bytes, which can occur with abnormally large cookies or JWT tokens as well as other large items in the header.

There is also no corresponding log in the access.log or gravitee.log or in the analytics section of the management UI. No X-Gravitee-Transaction-Id is added to the response to indicate that the request made it to the gravitee gateway.

Possible Solution

Create a policy to adjust this setting in the API/UI or allow this to be set globally via the gravitee.yml.

Also adjust the code such that if a request comes in with a header size > max_header, ensure that a log is written to inform the client what has occurred.

Steps to Reproduce (for bugs)

  1. Submit an HTTP GET with an HTTP header > 8192 bytes (using any means necessary: a fake header, a large JWT or a large cookie).
  2. Receive an HTTP 400 response.
  3. Check the Gravitee logs and note there is no evidence that this occurred.

Context

Clients of our service are unable to submit requests when using large JWTs combined with large cookies. Large cookies and large JWTs are bad practice, and should be avoided at all costs. However, adding the flexibility to Gravitee.io would still be beneficial for edge cases.

Your Environment

  • Version used: 120.3
  • Browser Name and version: Chrome Version 72.0.3626.121
  • Operating System and version: Mac OS 10.14.3
    gravitee-example-400.txt
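
The reproduction steps above can be scripted against a gateway you operate. The following is an added example, not code from the issue or from the Gravitee project. It assumes a plain-HTTP listener, and the `X-Padding` header name and the classification labels are hypothetical:

```python
import socket
import sys

LIMIT = 8192                              # default max header size given in the issue
TXN_HEADER = "x-gravitee-transaction-id"  # response header named in the issue

def build_request(host, path="/", pad=LIMIT + 1024):
    """Raw GET whose X-Padding header (hypothetical name) carries `pad` bytes."""
    lines = [f"GET {path} HTTP/1.1", f"Host: {host}",
             "X-Padding: " + "a" * pad, "Connection: close", "", ""]
    return "\r\n".join(lines).encode("ascii")

def parse_response(raw):
    """Return (status, headers) from raw HTTP/1.x response bytes; (0, {}) if empty."""
    if not raw:
        return 0, {}
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def classify(status, headers):
    """Can this response be correlated with a gateway log entry?"""
    if TXN_HEADER in headers:
        return "traceable"
    if status == 400:
        return "rejected-untraceable"     # the symptom reported in the issue
    return "untraceable"

def probe(host, port, path="/", pad=LIMIT + 1024, timeout=5.0):
    """Send one padded request and return (status, transaction id, label)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(host, path, pad))
        chunks = []
        while chunk := s.recv(4096):
            chunks.append(chunk)
    status, headers = parse_response(b"".join(chunks))
    return status, headers.get(TXN_HEADER), classify(status, headers)

if __name__ == "__main__" and len(sys.argv) == 3:
    print(probe(sys.argv[1], int(sys.argv[2])))   # usage: script.py HOST PORT
```

A `rejected-untraceable` result means the 400 came back without a transaction id, so there is nothing to search for in access.log or gravitee.log.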

brasseld self-assigned this Mar 14, 2019

brasseld changed the title from "Default max_header size for the gateway is not configurable" to "[gateway] Default max_header size for the gateway is not configurable" Mar 14, 2019

brasseld added a commit to gravitee-io/gravitee-gateway that referenced this issue Mar 14, 2019

brasseld added this to the APIM - 1.24.0 milestone Mar 14, 2019

NicolasGeraud added a commit to gravitee-io/gravitee-gateway that referenced this issue Mar 18, 2019

NicolasGeraud added a commit to gravitee-io/gravitee-gateway that referenced this issue Mar 18, 2019
