CR Limits

Airlock Microgateway performs various size checks on requests with a default configuration to repel denial of service (DoS) attacks. The CR Limits can be used to configure these limit checks on the route level.

Limit checks are available for:
  • Number and size of parameters.
  • General request properties like body size or path length.
  • Various aspects of JSON payload.
  • A global header size check (configured as described in Limiting request headers length).

This CR needs to be referenced in the CR ContentSecurity.

Example configuration

For the default and an example configuration, see the latest API Reference information in chapter Limits.

All limits are calculated in bytes:
  • JSON limits are only applied if the JSON parser in the CR Parser is enabled.
  • Body size limits are calculated for the payload without percent or HTML decoding. They are only applied to request bodies that Airlock Microgateway effectively parses.
  • Other limits, such as parameter size, are counted in decoded form.

The maximum headersLength count includes Envoy pseudo headers and can be configured in the CR SidecarGateway as described here: Limiting request headers length.

Size limits like bodySize, nameLength, etc., can be specified in bytes or in Kubernetes memory limit units.

Examples of Kubernetes memory limits:
  • 1k = 1'000 bytes
  • 1Ki = 1'024 bytes
  • 1M = 1'000'000 bytes
  • 1Mi = 1'048'576 bytes

Limits can be deactivated with unlimited {}. Keep in mind that this disables the denial of service (DoS) protection and therefore is not recommended in production environments.

Threat handling mode settings

When a request is blocked in Block mode because it reached a request size limit, the total request size may not be fully logged. For example, the actual parameter name length may be missing from the log because the request size limit was already reached and the request was already blocked before the name was measured. This behavior mitigates the risk of being vulnerable to DoS attacks.

Detailed limit violations can be logged with settings.threatHandlingMode: LogOnly. Keep in mind that this disables the denial of service (DoS) protection and therefore is not recommended in production environments.

Logging

The logs vary depending on the settings.threatHandlingMode. In Block mode, only the information available at the time of blocking is logged, so that protection against denial of service attacks is preserved; as a result, some information may be missing. In LogOnly mode, all limits-related information is logged, but the Limits feature itself then provides no protection against denial of service attacks.

Example log output in both threatHandlingModes:

The following examples show two types of limit violations, body size and JSON key length, in both threat handling modes.

As expected, the body.size value is not shown in Block mode, unlike the JSON key.length value (which requires parsing the JSON body for the length calculation and is therefore available in both modes).

# body size, block

    "limits": {
      "matches": [
        {
          "blocked_data": {
            "body": {}
          },
          "rule": "Built-in: Request body size",
          "threat_handling_mode": "block"
        }
      ]
    },
# body size, logOnly

    "limits": {
      "matches": [
        {
          "blocked_data": {
            "body": {
              "size": 219
            }
          },
          "rule": "Built-in: Request body size",
          "threat_handling_mode": "logOnly"
        }
      ]
    },
# JSON key length, block

    "limits": {
      "matches": [
        {
          "blocked_data": {
            "json_key": {
              "json_path": "$['username']",
              "key": "username",
              "length": 12
            }
          },
          "rule": "Built-in: JSON key length",
          "threat_handling_mode": "block"
        }
      ]
    },
# JSON key length, logOnly

    "limits": {
      "matches": [
        {
          "blocked_data": {
            "json_key": {
              "json_path": "$['username']",
              "key": "username",
              "length": 12
            }
          },
          "rule": "Built-in: JSON key length",
          "threat_handling_mode": "logOnly"
        }
      ]
    },

If the request body is not UTF-8, the body-size calculation fails due to an internal check. In this case, no information about the body size is available in the log.
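As an added example (not part of the product or its documentation), the following Python flattens the `limits.matches` structure shown above from JSON log lines, so that a consumer of the logs can tolerate the cases where the measured value is absent (body size in Block mode, or a non-UTF-8 body) and can flag matches that were only logged rather than blocked. The envelope around the `limits` object (`request_id`, `route`) is a constructed assumption for the sample; only the `limits` objects come from the examples above.

```python
import json

# Constructed log lines: the "limits" objects are those shown above, wrapped in a
# minimal envelope whose fields (request_id, route) are assumptions for this sample.
SAMPLE_LOG_LINES = [
    json.dumps({"request_id": "r1", "route": "/api", "limits": {"matches": [
        {"blocked_data": {"body": {}},
         "rule": "Built-in: Request body size", "threat_handling_mode": "block"}]}}),
    json.dumps({"request_id": "r2", "route": "/api", "limits": {"matches": [
        {"blocked_data": {"body": {"size": 219}},
         "rule": "Built-in: Request body size", "threat_handling_mode": "logOnly"}]}}),
    json.dumps({"request_id": "r3", "route": "/login", "limits": {"matches": [
        {"blocked_data": {"json_key": {"json_path": "$['username']", "key": "username", "length": 12}},
         "rule": "Built-in: JSON key length", "threat_handling_mode": "block"}]}}),
    json.dumps({"request_id": "r4", "route": "/login", "limits": {"matches": [
        {"blocked_data": {"json_key": {"json_path": "$['username']", "key": "username", "length": 12}},
         "rule": "Built-in: JSON key length", "threat_handling_mode": "logOnly"}]}}),
    # A line without any limit match must be skipped, not crash the parser.
    json.dumps({"request_id": "r5", "route": "/health"}),
]


def extract_limit_matches(line):
    """Flatten one log line's limits.matches into (rule, mode, measured) tuples.

    `measured` is the reported value when present (body size in bytes, JSON key
    length) and None when the gateway did not report it, which is the expected
    shape for body size in Block mode or for a body that is not UTF-8.
    """
    record = json.loads(line)
    results = []
    for match in record.get("limits", {}).get("matches", []):
        data = match.get("blocked_data", {})
        measured = None
        if "body" in data:
            measured = data["body"].get("size")
        elif "json_key" in data:
            measured = data["json_key"].get("length")
        results.append((match.get("rule"), match.get("threat_handling_mode"), measured))
    return results


def unprotected_matches(lines):
    """Return (request_id, rule, measured) for matches that were only logged.

    A match in logOnly mode means the request exceeded a limit but was still
    forwarded, which is worth alerting on if LogOnly is not expected in production.
    """
    hits = []
    for line in lines:
        request_id = json.loads(line).get("request_id")
        for rule, mode, measured in extract_limit_matches(line):
            if mode == "logOnly":
                hits.append((request_id, rule, measured))
    return hits


if __name__ == "__main__":
    for line in SAMPLE_LOG_LINES:
        print(extract_limit_matches(line))
    print(unprotected_matches(SAMPLE_LOG_LINES))
```

Because the body size is genuinely absent in Block mode, downstream aggregation (for example summing blocked bytes per route) has to treat `None` as unknown rather than zero, which is why the extractor preserves the distinction instead of defaulting.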