A client of ours uses a Joomla article for listing internal announcements (the Joomla website is used as an intranet). The Joomla article contains announcements from 2005 and, each time the company has a new announcement (which literally happens at least one time every business day), that announcement is added to the very beginning of the article. Needless to say, over time the article became very, very large, but this process still worked fine for the client all of these years. But, last Friday, something happened: the client tried to add a new announcement, and, to their surprise, what had been working for 13 years suddenly broke, and the Joomla site displayed a 404 error. The client immediately emailed us for help and we promptly started the investigation.
The first thing that we tried to do was to recreate the problem, which wasn’t really hard: we logged in to the backend of the Joomla website, we opened the “Announcements” article, we added the new announcement (which was sent to us by the client), we saved the article, and we saw the 404 error. At first glance we thought it was something that had to do with the text that the client was trying to add (maybe a pattern was triggering a ModSecurity rule), but it wasn’t, because we changed the text to something entirely different, and we still had the same issue.
So, we did a tail on Apache’s error log (for that particular website, as the client had 2 other websites on the same server) in order to have a better idea of what went wrong:
grep '[our-client-joomla-website].com' /usr/local/apache/logs/error_log | tail -500
And here’s what we saw:
[Fri Jan 26 09:39:58.597094 2018] [:error] [pid 4079] [client [our-ip]:38805] [client [our-ip]] ModSecurity: Request body no files data length is larger than the configured limit (1048576).. Deny with code (413) [hostname "www.[our-client-joomla-website].com"] [uri "/administrator/index.php"] [unique_id "WmegrFt7NF@XqHcDe6IAywAAABw"], referer: https://www.[our-client-joomla-website].com/administrator/index.php?option=com_content&view=article&layout=edit&id=82
So, it was ModSecurity (which is nearly always the culprit when a weird issue suddenly happens), but it wasn’t anything in the pattern of the text, it was the length of the text. The non-file data length of the request body (i.e. the HTML length) was larger than the allowed maximum, which is 1 MB. But where is that set?
A quick search revealed that this limit is defined by the ModSecurity global directive SecRequestBodyNoFilesLimit, which defaults to 1 MB (or 1024 kilobytes, or 1048576 bytes). So, we resolved the problem by increasing the limit to 2 MB (which should give our client another 13 years). We did that the following way:
- We opened the custom.conf file, which is located under the /etc/apache2/conf.d folder.
- We added the following line to it (the file was originally empty): SecRequestBodyNoFilesLimit 2097152
- We saved the file and then we restarted Apache.
- We logged in to the Joomla backend and tried saving the “Announcements” article again after adding the new content.
- It worked!
Note that the location and the name of the custom ModSecurity rule file may not be the same on your server. So, you will need to make sure of the right location before implementing the solution (or else the solution will be useless).
But, does the above solution compromise security?
Well, not really, but it is not ideal either… By limiting the maximum size of non-file content to 1 MB, ModSecurity lessens the impact of a DoS (Denial of Service) attack on your server. Increasing that limit to 2 MB is not bad, but it is not as good (security wise) as having that limit set to 1 MB. So, preferably, you should consider splitting a very large article into smaller articles instead of increasing the SecRequestBodyNoFilesLimit value.
So, the next time you see a 404 error when saving a large article on your Joomla site, investigate the Apache error logs, as it might be ModSecurity. If you need help fixing the problem, then please contact us, we are always ready to help, our work is ultra clean, and our fees are super right.
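For the log investigation described above, here is a small triage script that picks out this specific ModSecurity denial from error log lines and counts it per hostname, URI and configured limit. It is an example added here, not code from the original post; the function names are hypothetical and the sample lines are constructed from the format of the log entry quoted earlier.

```python
import re
from collections import Counter

# Message text as it appears in the error_log entry quoted in this post.
LIMIT_RE = re.compile(
    r"ModSecurity: Request body no files data length is larger than "
    r"the configured limit \((?P<limit>\d+)\)\.+ "
    r"Deny with code \((?P<status>\d+)\)"
)
# Trailing [name "value"] fields that follow the message on the same line.
FIELD_RE = re.compile(r'\[(hostname|uri|unique_id) "([^"]*)"\]')

# Constructed sample lines (documentation IPs and hostnames, not real traffic).
_DENIAL = (
    '[Fri Jan 26 09:{mm}:58.597094 2018] [:error] [pid 4079] '
    '[client 203.0.113.5:38805] [client 203.0.113.5] ModSecurity: Request body '
    'no files data length is larger than the configured limit (1048576).. '
    'Deny with code (413) [hostname "www.example.com"] '
    '[uri "/administrator/index.php"] [unique_id "CONSTRUCTED-ID-{mm}"]'
)
SAMPLE_LOG = [
    _DENIAL.format(mm="39"),
    _DENIAL.format(mm="41"),
    '[Fri Jan 26 09:40:02.000000 2018] [authz_core:error] [pid 4080] '
    '[client 203.0.113.9:40100] AH01630: client denied by server configuration',
]

def parse_limit_denial(line):
    """Return a dict describing a body-limit denial, or None for other lines."""
    m = LIMIT_RE.search(line)
    if not m:
        return None
    event = {"limit": int(m.group("limit")), "status": int(m.group("status"))}
    event.update(FIELD_RE.findall(line))  # adds hostname, uri, unique_id
    return event

def summarize(lines):
    """Count body-limit denials per (hostname, uri, configured limit)."""
    counts = Counter()
    for line in lines:
        ev = parse_limit_denial(line)
        if ev:
            counts[(ev.get("hostname"), ev.get("uri"), ev["limit"])] += 1
    return counts

if __name__ == "__main__":
    for (host, uri, limit), n in summarize(SAMPLE_LOG).items():
        print(f"{n} denial(s) on {host}{uri} at limit {limit} bytes")
```

A URI that shows up here repeatedly tells you which form is hitting the limit, which helps when deciding between raising SecRequestBodyNoFilesLimit and splitting the content.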
