Appendix G - Sizing Parameters in the Nevis Proxy
This appendix lists the most important nevisProxy parameters regarding buffer sizes, memory sizes, file sizes and HTTP message (part) sizes. These parameters can be relevant for tuning memory consumption.
Excluded
Log file sizing, Lua helper methods involving buffers, crypto key sizes and parameters involving the size of other structures are not discussed here.
Parameter description structure
The description of each parameter contains the following elements:
- Parameter ID
- The configuration file in which the parameter can be used, or the owning filter/servlet, followed by the full parameter name
- Description
- Warnings
- Related parameters
- Reference guide link
- Type and default value
Notations
In XML configuration files, the notation SomeElement.SomeAttribute means the SomeAttribute attribute of the SomeElement element.
Global parameters
ID | Location and Full Name | Description | Warnings | Related Parameters | Relevant Reference Guide Page | Type, Default Value |
---|---|---|---|---|---|---|
S4 | bc.properties, ch.nevis.navajo.request.BufferSize | Defines the number of bytes for request body buffering. | | | | byte, 64 KByte |
S6 | navajo.xml, Server.LimitRequestBody | Apache level. Defines the maximum body size of an upload HTTP request. | | | | byte, 512000 |
S7 | navajo.xml, Server.LimitRequestLine | Apache level. Defines the maximum length of the HTTP request line. | | | | byte, 5120 |
S9 | bc.properties, bc.lang.system.MaxAllocSize | Protects/limits the "Process Heap" memory. This property allows you to increase the maximum allocatable size. Important: Be aware that an attacker may try to allocate several times the defined size, leading to a memory overflow on your server. This is a low-level, technical parameter; consult support before changing it. | This property sets a limit for a single allocation, not for the total usage. Basically every buffer has to fit into a single allocation, so it will be limited by S9. | S4 < S9 should be true | [Low-level properties] | byte, 16777215 |
S16 | navajo.xml, LimitRequestFieldsize | Defines the maximum length of one HTTP header line. | | S6, S7 | | |
S17 | navajo.xml, ThreadStackSize | Configures the size of a thread stack. | Each thread has its own stack. Each request has its own thread. So many concurrent requests will use a lot of memory. For example, 8 MByte stack size * 1000 requests = 8 GByte, only for stacks. | Not related to the BC parameters | | byte, 1048576 |
S18 | navajo.xml, Connector.SSLCache.maxEntrySize | The attribute maxEntrySize configures the maximum size of one serialized TLS/SSL session, in bytes. | If client certificates are used, increase the attribute's value (to, for example, "1500"). | | | integer, 150 |
Filter- or servlet-level parameters
ID | Owning Filter/Servlet - Full Name | Description | Warnings | Related Parameters | Reference Guide Link | Type, Default Value |
---|---|---|---|---|---|---|
S11 | InputValidationFilter.MaxBodySize | Defines the maximum size of a request body. If not configured, an unlimited length is allowed. The InputValidationFilter may block the request, depending on the setting of the filter parameter BlockOnError. | | S15 | [InputValidationFilter] | byte, unlimited |
S12 | EncryptionFilter.RewriteBufferSize | Defines the size of the internal buffer for buffering HTML tags. | | | [EncryptionFilter] | bytes, 16 KByte |
S13 | IdentityCreationFilter.BodyReadSize | Sets a limit for the Content-Length of the intercepted request, if the filter parameter StoreInterceptedRequest is enabled. If the request is too large to be stored, an error will be traced and the request will be handled as if StoreInterceptedRequest was false. | | | [IdentityCreationFilter] | byte, 5120 |
S21 | CacheFilter.MaxEntrySize | Defines the maximum size (in bytes) of a document to be placed in the cache. Documents bigger than MaxEntrySize will never be cached. For the CacheType "file", the cache directory requires MaxEntrySize * MaxEntries of free disk space. | | | [CacheFilter] | byte, 1000000 |
S27 | ICAPFilter.RequestBufferSize | Defines the maximum size of an HTTP request body that will be buffered. | | | [ICAPFilter] | byte, 100000 |
S28 | ICAPFilter.ResponseBufferSize | Defines the maximum size of an HTTP response body that will be buffered. | Every response buffer must fit into a single allocation, so S28 < S9 | | [ICAPFilter] | byte, 100000 |
S30 | ICAPFilter.BlockSize | Defines the block size for read/write operations. | | | [ICAPFilter] | byte, 4096 |
S31 | ICAPFilter.PreviewSize | Defines the ICAP "Preview Size". This parameter sets the header Preview on REQMOD and RESPMOD. If the PreviewSize is "0", no preview header will be set. | | | [ICAPFilter] | ICAP-specific size, 4096 |
S33 | IdentityCreationFilter.StoreInterceptedRequest.MaxSize | Defines the maximum size (Content-Length) of a request that may have to be stored by the filter parameter StoreInterceptedRequest. If the Content-Length is bigger than the StoreInterceptedRequest.MaxSize, then the StoreInterceptedRequest.FallbackURI will be called. | Seems to be the same as S32. The intercepted request will not be stored if the body is bigger than this value. | | [IdentityCreationFilter] | bytes, not set |
S38 | LocalSessionStoreServlet.MemorySize | Defines the number of bytes available in the store for local session storage. The maximum value is 4294973847 bytes (ca. 4 GB). If 90% of the memory is used, an ERROR will be traced and it is no longer possible to create a new session. If 95% of the memory is used, an ERROR will be traced and it is no longer possible to modify a session. | Does not relate to S9 (meaning that S9 > S38 need not hold). The LocalSessionStore uses a different memory system (non-BC, called TLSF memory). This memory has a maximum size of around 4 gigabytes. | | [LocalSessionStoreServlet] | |
S42 | HttpConnectorServlet.ResponseLineSize | Defines the maximum allowed line size in the HTTP header of the response. Minimum value: 512, maximum value: 524288. | | | [HttpConnectorServlet] | byte, no default |
S43 | HttpConnectorServlet.RewriteBufferSize | Defines the size of the internal buffer for buffering HTML tags. Only relevant if the response is rewritten (see AutoRewrite). Minimum value: 5120. | | | [HttpConnectorServlet] | byte, no default |
S44 | MySQLSessionStoreServlet.MaxAttributeSize | Defines the maximum expected size of a session attribute. Usually the default is enough, unless you have hundreds of roles per login, or the parameter StoreInterceptedRequest of the IdentityCreationFilter is set to "true". If the latter is the case, you should set the bc property ch.nevis.navajo.request.BufferSize (S4) to at least the same value as the parameter MaxAttributeSize of the MySQLSessionStoreServlet. | | S4, S45; S45 >= S44 | [MySQLSessionStoreServlet] | byte, 256 kB |
S45 | ATTRIBUTE table, VALUE column | Defines the data type of the VALUE column in the ATTRIBUTE table of the MySQL-based remote session store. | Your database will also have limitations for a table column size. Be aware that the number of bytes given in S44 is the maximum size supported by nevisProxy, even if a BLOB is configured as the column datatype. | S44; S45 >= S44 | http://mariadb.com/kb/en/varbinary/ | VARBINARY, (60000); this is 60000 bytes |
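
The relationships stated in the two tables (S4 < S9, S28 < S9, S45 >= S44, S4 at least S44 when StoreInterceptedRequest is enabled, and the stated bounds for S38, S42 and S43) can be checked mechanically before a configuration is rolled out. The following Python script is an added example, not part of nevisProxy; the function names and sample values are assumptions, and sizes are passed in as a dict keyed by the table IDs rather than read from bc.properties or navajo.xml.

```python
import operator

OPS = {"<": operator.lt, ">=": operator.ge}

# Relationships stated in the tables: (left ID, operator, right ID, reason).
RULES = [
    ("S4", "<", "S9", "request body buffer must fit into a single allocation"),
    ("S28", "<", "S9", "ICAP response buffer must fit into a single allocation"),
    ("S45", ">=", "S44", "VALUE column must hold the largest session attribute"),
]
# Applies only when IdentityCreationFilter.StoreInterceptedRequest is enabled.
INTERCEPT_RULE = ("S4", ">=", "S44", "S4 should be at least MaxAttributeSize")
# Minimum/maximum values stated in the tables (None = no bound given).
RANGES = {"S38": (None, 4294973847), "S42": (512, 524288), "S43": (5120, None)}


def check_sizing(cfg, store_intercepted_request=False):
    """Return findings for a dict of byte sizes keyed by table ID.

    Parameters missing from cfg are skipped, not replaced by defaults.
    """
    rules = RULES + ([INTERCEPT_RULE] if store_intercepted_request else [])
    findings = []
    for left, op, right, why in rules:
        if left in cfg and right in cfg and not OPS[op](cfg[left], cfg[right]):
            findings.append(f"expected {left} {op} {right}, got {left}={cfg[left]}, "
                            f"{right}={cfg[right]}: {why}")
    for pid, (low, high) in RANGES.items():
        value = cfg.get(pid)
        if value is None:
            continue
        if (low is not None and value < low) or (high is not None and value > high):
            findings.append(f"{pid}={value} is outside the stated range {low}..{high}")
    return findings


def stack_memory(thread_stack_size, concurrent_requests):
    """S17: every request has its own thread, every thread its own stack."""
    return thread_stack_size * concurrent_requests


# Constructed sample values, not taken from a real installation.
SAMPLE = {"S4": 32 * 1024 * 1024, "S9": 16777215, "S28": 100000,
          "S44": 100000, "S45": 60000, "S42": 256}

if __name__ == "__main__":
    for finding in check_sizing(SAMPLE, store_intercepted_request=True):
        print("FINDING:", finding)
    print("stack bytes, 1000 requests at 8 MByte:", stack_memory(8 * 1024 * 1024, 1000))
```
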