Core Apache module provides LimitRequestBody option to limit request body. That works well with HTTP protocol but doesn't work with HTTPS. That happens because mod_ssl does not support this option and instead has it's own hard coded limit. The limit is set to 128K in ssl_engine_io.c: /* 128K maximum buffer size by default. */ #ifndef SSL_MAX_IO_BUFFER #define SSL_MAX_IO_BUFFER (128 * 1024) #endif .... /* Fail if this exceeds the maximum buffer size. */ if (total > SSL_MAX_IO_BUFFER) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "request body exceeds maximum size for SSL buffer"); return HTTP_REQUEST_ENTITY_TOO_LARGE; } That leads to two problems: 1. Inability to submit POST requests bigger than 128K 2. Inability to lower that limit to something smaller than 128K Ideal solution for this problem would implementing suport for LimitRequestBody in mod_ssl or providing an alternative SSLLimitRequestBody option.
*** This bug has been marked as a duplicate of 12355 ***
I'm absolutely disagree that this is a duplicate for 12355. In fact it has nothing to do with this problem, besides that they both related to mod_ssl of course. The code that I quoted is still in 2.2.4 version of Apache and it's still impossible to control limits for HTTPS requests body. If I'm wrong please tell me how I can submit posts greater than 128K using Apache 2.2.4 or how I can limit such requests to 64K.
You can do this with LimitRequestBody as long as no SSL renegotiation is needed for your request (e.g. due to SSLrequire used in a Directory / Location context) and even then you can use LimitRequestBody to limit what is being sent to your application (cgi script, whatever). If the request body is larger than what you set via LimitRequestBody but smaller than 128k, mod_ssl will consume the whole body and the error checking for LimitRequestBody will bail out later. If the request body is larger than 128k then mod_ssl will bail out regardless what is set for LimitRequestBody. As said this is only true in the case that a SSL renegotiation is needed. So the only limit that remains is that you cannot have request bodies larger than 128k if an SSL renegotiation is needed for your request and this is what is left from the original PR12355. Before the patch for PR12355 was applied no request body at all was possible with such renegotiated requests and now it can be up to 128k. Nevertheless many people complained afterwards that this size is not configurable and that 128k is not enough for their application. Please see PR12355 for further details. As far as I remember there were some proposals how to avoid renegotiation in such cases. To cut a long story short: If your request needs SSL renegotiation, then you are affected from what is left of PR12355 and if not it is highly likely that it is a misconfiguration on your side since the LimitRequestBody check in the HTTP_INPUT filter knows nothing about SSL. In this case please try using exactly the same configuration for SSL and non SSL and post both (SSL/non SSL) configurations here if it still does not work.
Thank you very much for a such detailed explanation. *** This bug has been marked as a duplicate of 12355 ***