Is your feature request related to a problem? Please describe.
We are seeing bursts of requests that we believe are possible enumeration attacks. These requests have large payloads that are not typical for the payloads expected for our apps and impact the performance of our edge proxy.
Describe the solution you'd like
We would like to block these requests at our edge proxy layer to try and reduce the impact. The client should receive a 413 response from the edge proxy.
Describe alternatives you've considered
We have tried using per_connection_buffer_limit_bytes, but that setting does not work for HTTP/2 connections.
We also tried using SecRequestBodyNoFilesLimit on the WAF listener, but that did not block the request (likely because the connection is HTTP/2).
We considered using a custom upstream for these requests, but this would require many new upstreams for the granularity of control we would like to have.
Additional context
Ideally we would like to be able to specify a global limit that is very low and then override that limit on a per-vs or per-route basis to allow larger payloads. If that is not possible, then specification at the vs or route level will allow the granularity we would like.
We are running v1.6, so a backport or patch would be necessary for this to be immediately beneficial in our stack.
This issue has been marked as stale because of no activity in the last 180 days. It will be closed in the next 180 days unless it is tagged "no stalebot" or other activity occurs.