Mbedthis Home Documentation Home Administration Programmers Reference
Documentation Home > User Reference > Configuration Directives > Sandbox Directives

Sandbox Directives

Appweb supports directives that limit its use of system resources such as memory and threads. This technique is know as "sandboxing" because it creates a limited / safer area in which Appweb executes.

LimitClients

Description Set the number of simultaneous clients
Synopsis
LimitClient count
Context Default Server
Example
LimitClient 10
The LimitClient directive defines the maximum number of simultaneous client connections that can be supported. Client connection requests in excess of this count will be rejected. A limit of 0 means unlimited.

NOTE that many browsers can and will initiate multiple connections when requesting a page.

LimitRequestBody

Description Set the maximum size of the request body from the client.
Synopsis
LimitRequestBody limit
Context Default Server
Example
LimitRequestBody 65536
The LimitRequestBody directive defines a maximum size for the request body. For embedded applications, it is useful to limit the maximum request body to the expected maximum. This ensures that rogue or malicious requests will not cause the server to allocate unwanted memory to servicing the request.

The limit is an integer between zero and 2147483647 (2GB), where zero means unlimited. If a request is received that is larger than the limit, it will be rejected and the client will receive an error. The default limit is 64 MB.

SECURITY NOTE: This directive can be quite useful in certain denial-of-service attacks where the attacker sends large documents of a certain type.

LimitRequestFields

Description Maximum number of header lines in the request body from the client.
Synopsis
LimitRequestFields limit
Context Default Server
Example
LimitRequestFields 64
The LimitRequestFields directive defines a maximum number of header lines that may be in a request from a client. For embedded applications, it is useful to limit the number of header lines to the expected maximum. This ensures that rogue or malicious requests will not cause the server to allocate unwanted memory to servicing the request. Typically, HTTP requests will not have more than 15-20 header lines.

The limit is an integer between zero and 4096, where zero means unlimited. If a request is received that has more header lines than the limit, it will be rejected and the client will receive an error. The default limit is 40.

SECURITY NOTE: This directive can be quite useful in certain denial-of-service attacks where the attacker sends requests with many spurious header lines.

LimitRequestFieldSize

Description Maximum size of the request headers from the client
Synopsis
LimitRequestFieldSize limit
Context Default Server
Example
LimitRequestFieldSize 65536
The LimitRequestFieldSize directive defines the maximum size of the request header from the client. For embedded applications, it is useful to limit the size of the header to the expected maximum. This ensures that rogue or malicious requests will not cause the server to allocate unwanted memory to servicing the request. Typically, HTTP requests will not have more than 4K of header data.

The limit is an integer between zero and 1 MB, where zero means unlimited. If a request is received that has a header larger than the limit, it will be rejected and the client will receive an error. The default limit is 8 K.

SECURITY NOTE: This directive can be quite useful in certain denial-of-service attacks where the attacker sends requests with large bogus headers.

LimitRequestLine

Description Maximum size of the request first line from the client
Synopsis
LimitRequestLine limit
Context Default Server
Example
LimitRequestLine 65536

The LimitRequestLine directive defines a maximum size of the first line of the request from a client. For embedded applications, it is useful to limit the size of the first line of the requestto the expected maximum. This ensures that rogue or malicious requests will not cause the server to allocate unwanted memory to servicing the request.

The limit is an integer between zero and 256 K where zero means unlimited. If a request is received that has a first line larger than the limit, it will be rejected and the client will receive an error. The default limit is 4 K.

SECURITY NOTE: This directive can be quite useful in certain denial-of-service attacks where the attacker sends requests with large bogus request headers.

LimitResponseBody

Description Set the maximum size of the response body buffered by a dynamic Appweb handler.
Synopsis
LimitResponseBody number
Context Default Server
Example
LimitResponseBody 65536
The LimitResponseBody directive defines the maximum size for data generated by an Appweb handler that uses unchunked buffered output. Appweb handlers that generate dynamic output typically buffer output for performance. This directive places a limit on the amount of memory consumed by such buffering handlers.

NOTE: this does not imply a maximum response size. It merely limits the memory consumed when trying to buffer the data. Appweb handlers will flush the buffer and use HTTP/1.1 chunked output if the amount of response data exceeds the output buffer size..

The limit is an integer between zero and 4 MB, where zero means unlimited. These limits can be increased by recompiling Appweb using the source code. The default limit is 64K or 8K in squeeze mode.

NOTE: this is a proprietary directive of Appweb and is not supported by Apache.

LimitScriptSize

Description Set the maximum size of the response body buffered by a dynamic Appweb handler.
Synopsis
LimitResponseBody number
Context Default Server
Example
LimitResponseBody 65536
The LimitResponseBody directive defines the maximum size for data generated by an Appweb handler that uses unchunked buffered output. Appweb handlers that generate dynamic output typically buffer output for performance. This directive places a limit on the amount of memory consumed by such buffering handlers.

NOTE: this does not imply a maximum response size. It merely limits the memory consumed when trying to buffer the data. Appweb handlers will flush the buffer and use HTTP/1.1 chunked output if the amount of response data exceeds the output buffer size..

The limit is an integer between zero and 4 MB, where zero means unlimited. These limits can be increased by recompiling Appweb using the source code. The default limit is 64K or 8K in squeeze mode.

NOTE: this is a proprietary directive of Appweb and is not supported by Apache.

LimitUrl

Description Maximum size of a URL in a request from a client.
Synopsis
LimitUrl limit
Context Default Server
Example
LimitUrl 4096
The LimitUrl directive defines the maximum size of a URL in Appweb. IFor embedded applications, it is useful to limit the number of header lines to the expected maximum. This ensures that rogue or malicious requests will not cause the server to allocate unwanted memory to servicing the request.

The limit is an integer between zero and 256 K where zero means unlimited. If a request is received that has a URL larger than the limit, it will be rejected and the client will receive an error. The default limit is 4 K.

SECURITY NOTE: This directive can be quite useful in certain denial-of-service attacks where the attacker sends requests with bogus URLs.

NOTE: this is a proprietary directive of Appweb and is not supported by Apache.

StartThreads

Description Number of threads to preallocate in the Appweb thread pool
Synopsis
StartThreads number
Context Default Server
Example
StartThreads 100
The StartThreads directive will preallocate the specified number of threads on startup and then ensure that the thread pool always has at least this number of threads.

Appweb will automatically adjust the number of pool thread between the minimum specified by this directive and the maximum specified by the ThreadLimit directive or via the Appweb command line. Appweb will prune idle threads to reduce resource consumption as required.

ThreadLimit

Description Maximum number of threads to allocate for the Appweb thread pool.
Synopsis
ThreadLimit number
Context Default Server
Example
ThreadLimit 8
The ThreadLimit directive defines a maximum number of threads for the Appweb thread pool. When running in multithreaded mode, Appweb will use a pool thread to service each request and then will return the thread to the pool. This results in a highly responsive and scalable architecture with excellent throughput characteristics. Each thread requires a thread stack and thus consumes memory. By limiting the number of threads, memory can be conserved.

If the maximum number of threads is also specified via the Appweb command line, the command line value will take precedence.

Appweb will automatically adjust the number of pool thread between the minimum specified by the StartThreads directive and the maximum specified by this directive. Appweb will prune idle threads to reduce resource consumption as required.

ThreadStackSize


Description Define the size of the stack to allocate for each thread
Synopsis
ThreadStackSize limit
Context Default Server
Example
ThreadStackSize 65536
The ThreadStackSize directive defines the size of the thread stack to allocate for each thread.

The limit is an integer between zero and an operating system defined maximum  where zero means use the system default. The default limit is 0 which implies the system default.

If you are experiencing crashes when running multi-threaded and Appweb runs without error when running single-threaded, you may need to increase this value. See the Appweb command line for details on running single user by setting the "-p 0" option.
 
 

Quick Nav

LimitRequestBody
LimitRequestFields
LimitRequestFieldSize
LimitResponseBody
LimitScriptSize
LimitUrl
StartThreads
ThreadLimit
ThreadStackSize

See Also

Logging Overview
Configuration
Configuration Directives

© Mbedthis Software LLC, 2003-2009. All rights reserved. Mbedthis is a trademark of Mbedthis Software LLC.