ModSecurity: Output filter: Response body too large

When you are using ModSecurity and your site serves pages with a large response body, you might get errors like these in the log files:

............
[Sun Apr 26 14:30:59.248983 2020] [:error] [pid 13208] [client 194.230.155.218:42742] [client 184.230.155.218] ModSecurity: Output filter: Response body too large (over limit of 524288, total not specified). [hostname "example.com"] [uri "/index.php"] [unique_id "XqX9kHInnJiGBmJfXD-lrwAAAAQ"]
[Sun Apr 26 14:31:03.009284 2020] [:error] [pid 15090] [client 194.230.155.218:42746] [client 184.230.155.218] ModSecurity: Output filter: Response body too large (over limit of 524288, total not specified). [hostname "example.com"] [uri "/index.php"] [unique_id "XqX9laq3KUoVjMxIYq-dWgAAAAU"]
[Sun Apr 26 14:31:10.302389 2020] [:error] [pid 15591] [client 194.230.155.218:42748] [client 184.230.155.218] ModSecurity: Output filter: Response body too large (over limit of 524288, total not specified). [hostname "example.com"] [uri "/index.php"] [unique_id "XqX9nbiyGbOc27aKAiE0VAAAAA8"]
............

On the user side these errors appear as HTTP 500 responses; the manual specifies:

Anything over this limit will be rejected with status code 500 (Internal Server Error). This setting will not affect the responses with MIME types that are not selected for buffering. There is a hard limit of 1 GB.

ModSecurity Manual

This happens because the ModSecurity default value for SecResponseBodyLimit is 524288 bytes (512 KB):

SecResponseBodyLimit 524288

For more information please check the ModSecurity manual at https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#SecResponseBodyLimit

To fix this issue you must increase the SecResponseBodyLimit value; for example, double it to 1048576 bytes (1024 KB, i.e. 1 MB). Test whether the site loads correctly, check the Apache logs, and increase the value further as needed.

The new value

# Increase the value per your needs
SecResponseBodyLimit 1048576

should be added to the ModSecurity configuration. On cPanel you can add it to /etc/apache2/conf.d/modsec/modsec2.user.conf. Don't forget to reload or restart Apache afterwards.

Pay attention to which ModSecurity file you add the new value to. ModSecurity uses many configuration files, and many of them are managed by the control panel you use (cPanel, DirectAdmin, Plesk, etc.), meaning any changes you make to those files may be overwritten.
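To decide how far to raise the limit, it helps to know which pages trip it and how often. The script below is an added example, not part of the original post or of ModSecurity: it parses the "Response body too large" lines shown above out of an Apache error log, counts rejected responses per host and URI, reads back the limit currently in effect, proposes the next value to try (doubling, capped at the 1 GB hard limit the manual states), and checks which SecResponseBodyLimit a config file actually sets. The log lines embedded in it are constructed samples in the post's format, with made-up addresses and ids.

```python
import re
from collections import Counter

HARD_LIMIT = 1 << 30  # 1 GB, the ceiling the manual states for SecResponseBodyLimit

# Constructed sample in the format of the post's log excerpt; addresses and ids are made up.
SAMPLE_LOG = """\
[Sun Apr 26 14:30:59.248983 2020] [:error] [pid 13208] [client 203.0.113.10:42742] ModSecurity: Output filter: Response body too large (over limit of 524288, total not specified). [hostname "example.com"] [uri "/index.php"] [unique_id "id-0001"]
[Sun Apr 26 14:31:03.009284 2020] [:error] [pid 15090] [client 203.0.113.10:42746] ModSecurity: Output filter: Response body too large (over limit of 524288, total not specified). [hostname "example.com"] [uri "/index.php"] [unique_id "id-0002"]
[Sun Apr 26 14:31:10.302389 2020] [:error] [pid 15591] [client 203.0.113.10:42748] ModSecurity: Output filter: Response body too large (over limit of 524288, total not specified). [hostname "example.com"] [uri "/report.php"] [unique_id "id-0003"]
[Sun Apr 26 14:32:00.000000 2020] [:error] [pid 15592] [client 203.0.113.11:42750] ModSecurity: Access denied with code 403 (phase 2). [hostname "example.com"] [uri "/wp-login.php"] [unique_id "id-0004"]
"""

# Only the limit number is relied on; the text after the comma may vary between versions.
TOO_LARGE = re.compile(
    r'Response body too large \(over limit of (?P<limit>\d+)[^)]*\)'
    r'.*?\[hostname "(?P<host>[^"]*)"\].*?\[uri "(?P<uri>[^"]*)"\]'
)
DIRECTIVE = re.compile(r'^\s*SecResponseBodyLimit\s+(\d+)\s*$', re.MULTILINE)


def parse_too_large(log_text):
    """Return one dict per 'Response body too large' line: limit, host, uri."""
    events = []
    for line in log_text.splitlines():
        m = TOO_LARGE.search(line)
        if m:
            events.append({"limit": int(m.group("limit")),
                           "host": m.group("host"), "uri": m.group("uri")})
    return events


def hits_per_uri(events):
    """Count rejected responses per (host, uri) so the noisiest pages stand out."""
    return Counter((e["host"], e["uri"]) for e in events)


def observed_limit(events):
    """The limit ModSecurity reports in the log, i.e. the value currently in effect."""
    limits = {e["limit"] for e in events}
    return max(limits) if limits else None


def suggest_limit(current, factor=2):
    """Next value to try: double the current one, never above the 1 GB hard limit."""
    return min(current * factor, HARD_LIMIT)


def configured_limit(conf_text):
    """Last SecResponseBodyLimit directive in a config file (the last one wins), or None."""
    found = DIRECTIVE.findall(conf_text)
    return int(found[-1]) if found else None
```

Run parse_too_large over the real error log, and compare observed_limit with configured_limit of the file you edited: if they differ after a restart, a panel-managed file is overriding your change.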
