Set maximum URL length in Jetty
Problem description
I looked and found that the answer to some people having issues with a GET request URL exceeding the maximum length in Jetty is to set the headerBufferSize in jetty.xml to be a bigger number, as in this Solr troubleshooting manual and this.
However, I have a hard time understanding what the header buffer size has to do with the request URL's length. If setting headerBufferSize increases the request's URL length limit, what does a value of 6 KB for headerBufferSize correspond to as the maximum length of the request's URL? The reason I ask is because the maximum length of a URL imposed by most browsers is around 2000 characters, as in What is the maximum length of a URL in different browsers?, and headerBufferSize's unit is bytes.
Solution
In a typical POST request you will see the following ...

```http
POST /to/my/path HTTP/1.1
Content-Type: application/x-www-form-urlencoded;charset=utf-8
Host: https://my.machine.com
Content-Length: 10

Action=Add
```
Breaking this down:
- The POST through Content-Length lines are the Request Headers.
  - The POST line is known, in HTTP terminology, as the Request-Line; it contains the method (POST) + abs_path (/to/my/path) + HTTP version (HTTP/1.1)
  - Content-Type - lets us know how the body content is formatted/encoded.
  - Host - lets the server know what host was being accessed (used mainly by virtual host setups)
  - Content-Length - lets us know that there are 10 bytes of body content
- The Action=Add is the POST body content.
At its heart there are 2 parts of a request or response, the Headers and the Body Content.
When you set the headerBufferSize you are setting the ultimate upper limit for the header content (not body content).
There are a number of abuses / vulnerabilities present when you have unlimited header sizes, ranging from abusive memory consumption, to intentional hashmap collisions resulting in excessive CPU use. Limiting the header buffer sizes limits the scope of these kinds of issues. (these vulnerabilities are not unique to Jetty, but exist for all web servers)
If you are hitting these limits, you should consider evaluating how you are using Solr (such as incorrectly using GET when you should be using POST), as increasing the headerBufferSize will also open you up to the various known web vulnerabilities.
Update: Oct 24, 2013
See other answer related to What is the maximum length of a URL
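How the request line counts against the header limit, as an added example that is not part of the original answer: it builds the same form submission as a GET and as a POST and measures the header section against the 6 KB value from the question. The `/solr/select` path, the sample query and the exact byte accounting are assumptions; Jetty's own accounting may differ.

```python
# Added example, not from the original answer. Assumption: the server rejects a
# request whose header section (request line + header lines + blank line) is
# larger than the limit; Jetty's exact byte accounting may differ.
from urllib.parse import urlencode

HEADER_LIMIT = 6 * 1024  # the 6 KB headerBufferSize value from the question


def build_request(method, path, host, params):
    """Return (header_section, body) as bytes for a form-style request."""
    encoded = urlencode(params)  # percent-encoded, so always ASCII
    headers = [("Host", host)]
    if method == "GET":
        # Parameters ride in the request line, i.e. inside the header section.
        target, body = (f"{path}?{encoded}" if encoded else path), b""
    else:
        # POST: parameters move to the body, which the header limit ignores.
        target, body = path, encoded.encode("ascii")
        headers += [
            ("Content-Type", "application/x-www-form-urlencoded;charset=utf-8"),
            ("Content-Length", str(len(body))),
        ]
    lines = [f"{method} {target} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii"), body


def fits_header_limit(header_section, limit=HEADER_LIMIT):
    return len(header_section) <= limit


def max_get_target_length(host, limit=HEADER_LIMIT, other_headers=()):
    """Longest GET request target (path + query) that still fits the limit."""
    fixed = len("GET ") + len(" HTTP/1.1\r\n") + len("\r\n")  # line + blank line
    fixed += len(f"Host: {host}\r\n")
    fixed += sum(len(f"{k}: {v}\r\n") for k, v in other_headers)
    return limit - fixed


# Constructed sample: a Solr-style query with 2000 OR-ed ids (hypothetical path).
SAMPLE_PARAMS = {"q": "id:(" + " OR ".join(str(n) for n in range(2000)) + ")"}

if __name__ == "__main__":
    for method in ("GET", "POST"):
        head, body = build_request(method, "/solr/select", "my.machine.com", SAMPLE_PARAMS)
        print(method, len(head), len(body), fits_header_limit(head))
    print("max GET target:", max_get_target_length("my.machine.com"))
```

Every other header the client sends (cookies, for instance) is subtracted from the same budget, which is why the limit does not translate into one fixed URL length.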