Apache AH00561 – size of a request header field exceeds server limit
When sending a HTTP request to Apache it might happen that the response is HTTP 400.
<!DOCTYPE HTML PUBLIC \”-//IETF//DTD HTML 2.0//EN\”>\n<html><head>\n<title>400 Bad Request</title>\n</head><body>\n<h1>Bad Request</h1>\n<p>Your browser sent a request that this server could not understand.<br />\nSize of a request header field exceeds server limit.</p>\n</body></html>\n”
The error message is:
Size of a request header field exceeds server limit.
Root cause
The browser is sending a large HTTP header. Apache fails to process the HTTP request because, for instance, the request includes authentication information in the form of an access token. In my case, the authorization header is blowing up the request and already takes > 8Kb of space.
The http request contains a large header because the Authorization header is already larger than 8kb. Large is relative and depends on the Apache (or any web server) configuration. In current Apache version, everything that is larger than 8kb is considered too large.
In the Apache log the error is logged too.
[timestamp] [core:debug] [pid 10:tid 140312387237632] protocol.c(1022): (28)No space left on device: [client 172.21.0.1:63472] Failed to read request header line Authorization: Bearer eyJhbGciOiMjg2OXRyaWFsIiwic[…]
[timestamp] [core:info] [pid 10:tid 140312387237632] [client 172.21.0.1:63472] AH00561: Request header exceeds LimitRequestFieldSize: Authorization
[timestamp] [core:debug] [pid 10:tid 140312387237632] protocol.c(1375): [client 172.21.0.1:63472] AH00567: request failed: error reading the headers
The Apache log contains the error ID: AH00561
Why Apache reports this as HTTP 400 and not as HTTP 413? I have no idea. Maybe because the error is in the Authorization field? I know 413 when the cookies are too large.
Solution
With the error ID AH00561 known, it is easy to find the parameter that causes the error:
- Parameter: LimitRequestFieldSize
Apache documentation shows an explanation for the error: “The max size of the http header permitted by default is 8kb.”
To increase the limit, adjust the parameter LimitRequestFieldSize for the virtual host or location in the Apache configuration.
Example
Increase the max header size to 20Kb.
<VirtualHost *:80> ProxyRequests Off LimitRequestFieldSize 200000 <Location /wf > ProxyPass http://backend/wf ProxyPassReverse http://backend/wf Order allow,deny Allow from all </Location> </VirtualHost>
This is another example that a good error message should contain a hint why something failed and the log should contain an error message ID that is unique. Both make it easy to find a solution.
1 Comment
Vincent · January 24, 2023 at 17:14
Hi Tobias,
You indicate to increase the size to 20Kb, but in your example code, you increase it to 200Kb.
ProxyRequests Off
LimitRequestFieldSize 200000
That may induce to errors with other users.
Kind regards,
Vincent