For some users, the connection to an application served by Apache fails with an “Access denied” error. When you look in the server logs, you see this error:
[Thu Jan 23 07:26:31 2024] [error] [client x.x.x.x] request failed: error reading the headers
This error depends on the number of groups the user is a member of: if the user belongs to many groups, the header exceeds the number of bytes allowed in an HTTP request header.
One solution is to remove the user from groups he no longer needs to belong to (e.g. temporary groups, old groups from his previous location, etc.).
A more substantial solution is to increase the “LimitRequestFieldSize” parameter in the Apache configuration.
LimitRequestFieldSize: this directive specifies the number of bytes that will be allowed in an HTTP request header. From the Apache documentation:
The LimitRequestFieldSize directive allows the server administrator to set the limit on the allowed size of an HTTP request header field. A server needs this value to be large enough to hold any one header field from a normal client request. The size of a normal request header field will vary greatly among different client implementations, often depending upon the extent to which a user has configured their browser to support detailed content negotiation. SPNEGO authentication headers can be up to 12392 bytes.
This directive gives the server administrator greater control over abnormal client request behavior, which may be useful for avoiding some forms of DDOS (denial-of-service) attacks.
Where to change LimitRequestFieldSize?
The configuration file, httpd.conf, is found in /etc/httpd/conf/httpd.conf (RHEL, CentOS, Fedora, Scientific Linux).
In Debian and derivatives like Ubuntu, the configuration file is apache2.conf and can be found in /etc/apache2/apache2.conf.
This issue can be solved by updating the LimitRequestFieldSize directive either in the Apache httpd.conf or in the virtual hosts.
<VirtualHost 10.10.1.1:80>
ServerName www.YourSite.com
LimitRequestFieldSize 12392
RewriteEngine On
...
...
</VirtualHost>
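To find which virtual hosts would still reject a large SPNEGO header after such a change, the configuration can be audited. The following is an added example, not part of the original post: it assumes a virtual host without its own LimitRequestFieldSize inherits the global value, uses Apache's documented default of 8190 when the directive is absent, and runs on a constructed sample configuration with made-up host names.

```python
import re

SPNEGO_MAX = 12392      # SPNEGO header size quoted in the post
APACHE_DEFAULT = 8190   # Apache's documented default when the directive is unset

# Constructed sample configuration (not from a real server).
SAMPLE_CONF = """\
# global section
LimitRequestFieldSize 8190
<VirtualHost 10.10.1.1:80>
    ServerName sso.example.test
    LimitRequestFieldSize 12392
</VirtualHost>
<VirtualHost 10.10.1.1:80>
    ServerName legacy.example.test
    RewriteEngine On
</VirtualHost>
"""

def audit(conf_text, required=SPNEGO_MAX):
    """Return {scope: (effective_limit, ok)} for the global scope and each vhost."""
    global_limit = APACHE_DEFAULT
    vhosts = []        # [name, own limit or None] per <VirtualHost> block
    current = None     # vhost block being parsed, None while in global scope
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"<VirtualHost\b", line, re.I):
            current = [line.strip("<>"), None]   # address is the name until ServerName
            vhosts.append(current)
        elif re.match(r"</VirtualHost>", line, re.I):
            current = None
        elif (m := re.match(r"ServerName\s+(\S+)", line, re.I)) and current:
            current[0] = m.group(1)
        elif m := re.match(r"LimitRequestFieldSize\s+(\d+)", line, re.I):
            if current is None:
                global_limit = int(m.group(1))
            else:
                current[1] = int(m.group(1))
    # Resolve inheritance after the whole file is read, so order does not matter.
    report = {"(global)": (global_limit, global_limit >= required)}
    for name, own in vhosts:
        eff = global_limit if own is None else own
        report[name] = (eff, eff >= required)
    return report

if __name__ == "__main__":
    for scope, (limit, ok) in audit(SAMPLE_CONF).items():
        print(f"{scope:25} {limit:6} {'ok' if ok else 'TOO SMALL for SPNEGO'}")
```

Raising the limit only in the virtual hosts that actually perform SPNEGO authentication keeps the smaller limit, and the request-size protection the documentation describes, everywhere else.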
SHMUEL H.