WAF error Request body length exceeded the limit

Razzi29 331 Reputation points
2024-02-12T16:08:18.1+00:00

Our WAF rules are blocking some content to our backend web servers; I searched the WAF logs and found a few OWASP rules, but two in particular did not have a rule number associated with them, with the error below. I searched the OWASP code links below as well to try to identify it but came up empty-handed :-(

the error message: Request body length exceeded the limit

https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules?tabs=drs21

Also, I am fairly new at troubleshooting application gateways and web application firewalls; I would appreciate any insights on learning other than the obvious content of Microsoft's website.

Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
Azure Web Application Firewall

Accepted answer
  1. ChaitanyaNaykodi-MSFT 23,031 Reputation points Microsoft Employee
    2024-02-12T23:02:47.99+00:00

    @Razzi29

    Thank you for reaching out. I understand you are getting the error below for your WAF attached to an Application Gateway.

    the error message: Request body length exceeded the limit

    The error above is actually not received when an OWASP rule is blocking the request, but is received due to the Request body inspection functionality offered by Web Application Firewall, as documented here.

    In this functionality WAF offers a configuration setting to enable or disable the request body inspection. By default, the request body inspection is enabled. If the request body inspection is disabled, WAF doesn't evaluate the contents of an HTTP message's body. In such cases, WAF continues to enforce WAF rules on headers, cookies, and URI. If the request body inspection is turned off, then maximum request body size field isn't applicable and can't be set.

    This setting is configurable and can be found under Policy Settings on the portal as shown below:

    User's image

    For CRS 3.2 (on the WAF_v2 SKU) the limit is 2 MB for request body size. For others the limit is 128Kb.

    For the error received above you can try the following steps:

    • Increase the Max request body size to 2MB if you are using CRS 3.2 (on the WAF_v2 SKU). If you are using any older version, then see if the value is set to 128 Kb. Check if this helps in resolving the issue.
    • If that does not help, the alternative here will be to disable "Inspect request body" functionality.

    Although if only a particular URL path is getting blocked due to the inspect request body size limit, then the recommended solution here will be to enable a Per URI policy for this particular path and then disable the "Inspect request body" functionality. In this scenario, the rest of the website will still have the "Inspect request body" functionality enabled, and the request body inspection will be skipped only for the particular URL path above.


    I hope this has been helpful! Your feedback is important so please take a moment to accept answers. If you still have questions, please let us know what is needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!

    1 person found this answer helpful.
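
An added example, not part of the original answer or of any Microsoft tooling: a Python triage of exported WAF firewall log lines that separates entries carrying the message quoted above from numbered rule hits and counts them per URL path, which shows whether a Per URI policy would cover the affected requests. The JSON field names (`properties.requestUri`, `ruleId`, `message`, `action`) and the sample entries are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# The message quoted on this page; entries carrying it come from the
# request body size check, not from a numbered OWASP rule.
SIZE_LIMIT_MESSAGE = "Request body length exceeded the limit"

# Constructed sample entries (one JSON object per line). Field names are
# assumptions modelled on the firewall log's "properties" object.
SAMPLE_LOG = """\
{"properties": {"requestUri": "/api/upload?id=7", "ruleId": "", "message": "Request body length exceeded the limit", "action": "Blocked"}}
{"properties": {"requestUri": "/api/upload?id=9", "ruleId": "", "message": "Request body length exceeded the limit", "action": "Blocked"}}
{"properties": {"requestUri": "/login", "ruleId": "942130", "message": "SQL Injection Attack: SQL Tautology Detected.", "action": "Matched"}}
{"properties": {"requestUri": "/reports/import", "ruleId": "", "message": "Request body length exceeded the limit", "action": "Blocked"}}
not-json line left by a truncated export
"""


def triage(lines):
    """Return (size-limit hits per path, rule hits per rule ID, skipped lines)."""
    size_hits = defaultdict(int)  # URL path -> count of body-size entries
    rule_hits = defaultdict(int)  # rule ID  -> count of rule entries
    skipped = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            props = json.loads(line)["properties"]
            message = str(props.get("message", ""))
            rule_id = str(props.get("ruleId") or "")
            uri = str(props.get("requestUri", ""))
        except (ValueError, KeyError, TypeError, AttributeError):
            skipped += 1  # malformed or unexpected entry: count it, keep going
            continue
        if SIZE_LIMIT_MESSAGE.lower() in message.lower():
            # Drop the query string so hits group by URL path, which is
            # the unit a Per URI policy is attached to.
            size_hits[uri.split("?", 1)[0]] += 1
        elif rule_id:
            rule_hits[rule_id] += 1
    return dict(size_hits), dict(rule_hits), skipped


if __name__ == "__main__":
    size_hits, rule_hits, skipped = triage(SAMPLE_LOG.splitlines())
    for path, n in sorted(size_hits.items(), key=lambda kv: -kv[1]):
        print(f"{n:3d} body-size entries  {path}")
    for rid, n in sorted(rule_hits.items()):
        print(f"{n:3d} entries for rule {rid}")
    print(f"{skipped} unparseable line(s) skipped")
```

If the size-limit entries cluster on one or two paths, that supports scoping the change to those paths rather than disabling body inspection for the whole policy.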
