What HTTP header length limits are in force?

I am wondering what limitations are imposed on the length of a single HTTP header and what limitations are imposed on the aggregate length of all HTTP headers in a client request on an http port.

We stumbled over a problem with some clients where the Authorization: header is in excess of 12 kbytes. The connection is reset and never passed on to the server. We are (or were) using insert-client-ip X-Forwarded-For in an http template.

Shifting back to a port type of "tcp-proxy" was an effective work-around, but I have had no luck finding this restriction documented or at finding a parameter setting to increase the limit.

Comments

  • tmitsuhata Member, Administrator, A10ers admin
    edited February 2014
    Hi jbriggs,
    Based on my knowledge, the maximum header line length is 16 kbytes (fixed) on A10 ADC (AX/Thunder). This is the max size for each header field and you can have multiple headers, of course. There is no max total header length defined. So, the "Authorization:" header with 12 kbytes should be no problem. Do you know how many headers there are in the problematic client request? Also, did you notice any error counter increase due to this? (i.e. show errors or show slb http-proxy)
  • jbriggs Member
    edited February 2014
    Thank you, tmitsuhata.

    After posting, I had logged a support call on this and was informed, as you indicate, that the header length limit is 16K and is fixed. A second look at the packet capture showed that the failing Authorization header was actually in excess of 18K. Subsequent testing demonstrated that the cut-off is at 16162 bytes and applies to the header line length (header name plus header value).

    Authorization headers this large occur with Kerberos authentication when users are members of many AD groups. Our browsers and web servers are able to deal with headers this long.
  • coquinpa Member

    Hi everybody.

    We are now in 2023. Does this 16k limit still exist or can we customize it?

    Currently, I need to handle HTTP headers of more than 32k (stuff with SAML token).

    Thank you in advance.

  • dquinn Member, A10ers

    The maximum http header size is 64KB
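
To reproduce the measurement described in this thread (header line length as header name plus header value, checked against the 16162-byte cut-off), here is an added example that is not part of the original posts or of any A10 tooling. The sample request, host name and function names are constructed for illustration, and the length is assumed to be counted without the trailing CRLF.

```python
# Added example: per-header line lengths of a raw HTTP request taken from a capture.
LIMIT = 16162  # cut-off reported in this thread; pass another value for other devices


def header_line_lengths(raw: bytes):
    """Return (request_line, [(header_name, line_length)], total_header_bytes)."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header block is not terminated by an empty line")
    lines = head.split(b"\r\n")
    request_line, header_lines = lines[0], lines[1:]
    lengths = []
    for line in header_lines:
        name, colon, _value = line.partition(b":")
        if not colon:
            raise ValueError(f"malformed header line: {line[:40]!r}")
        # Assumption: length = name + ':' + whitespace + value, CRLF excluded.
        lengths.append((name.decode("latin-1"), len(line)))
    total = len(head) + len(sep)  # request line, all headers and terminators
    return request_line.decode("latin-1"), lengths, total


def oversized(raw: bytes, limit: int = LIMIT):
    """Return the header lines whose length exceeds the per-line limit."""
    _, lengths, _ = header_line_lengths(raw)
    return [(name, length) for name, length in lengths if length > limit]


def build_sample(token_len: int) -> bytes:
    """Constructed request carrying a Negotiate token of token_len bytes."""
    token = b"A" * token_len  # stand-in for a base64 Kerberos ticket
    return (b"GET / HTTP/1.1\r\n"
            b"Host: app.example.internal\r\n"
            b"Authorization: Negotiate " + token + b"\r\n"
            b"X-Forwarded-For: 192.0.2.10\r\n\r\n")


if __name__ == "__main__":
    for token_len in (12 * 1024, 18 * 1024):
        raw = build_sample(token_len)
        _, lengths, total = header_line_lengths(raw)
        print(f"token={token_len} total_header_bytes={total}")
        for name, length in lengths:
            flag = "OVER LIMIT" if length > LIMIT else "ok"
            print(f"  {name}: {length} bytes ({flag})")
```

Feeding it the reassembled request bytes from a packet capture shows which header line, if any, crosses the per-line limit, separately from the aggregate header size.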
