Add HTTP header size guideline to production deployment checklist#11601
Add HTTP header size guideline to production deployment checklist#11601dushaniw wants to merge 1 commit into
Conversation
Documents that the default maxHttpHeaderSize on the HTTP and HTTPS Tomcat connectors is 32 KB, and calls out the requirement to keep it >= 32 KB on the ACP node when Multi-Option Authentication is used for federated portal logins. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
📝 WalkthroughAdds a production deployment guideline for HTTP header sizing, documenting the 32 KB default, configuration requirements for federated authentication, and matching limits for upstream network components. Includes WalkthroughAdds an “HTTP header size” row to the production deployment checklist. It documents the 32 KB 🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Pull request overview
Adds guidance to the production deployment checklist about ensuring sufficient HTTP header/request size capacity for federated portal logins (notably Multi-Option Authentication), and updates the checklist table row striping after inserting the new entry.
Changes:
- Adds a new “HTTP header size” checklist row with background/context and a
deployment.tomloverride snippet. - Highlights a minimum
maxHttpHeaderSizerequirement (32 KB) to avoid broken federated login redirects. - Adjusts subsequent table row
odd/evenclasses to preserve zebra striping.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| <p>The default value of <code>maxHttpHeaderSize</code> on both the HTTP and HTTPS connectors in <code><APIM_HOME>/repository/conf/tomcat/catalina-server.xml</code> is set to <strong>32 KB (32768 bytes)</strong>.</p> | ||
| <p>This value <strong>must not be set to less than 32 KB (32768 bytes)</strong>, specifically on the <strong>API Control Plane (ACP) node</strong> in a distributed deployment (or on the single node in an all-in-one deployment), if <strong>Multi-Option Authentication</strong> is used for portal (Publisher, DevPortal, Admin) logins in federated authentication flows.</p> |
| </div> | ||
| </div> | ||
| </div> | ||
| <p>If a reverse proxy, load balancer, ingress controller, or CDN is deployed in front of APIM, ensure its header and URL size limits are also aligned to at least 32 KB — otherwise the request will be rejected at the front tier before it reaches APIM.</p> |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In
`@en/docs/install-and-setup/setup/deployment-best-practices/production-deployment-guidelines.md`:
- Around line 122-140: Align the maxHttpHeaderSize default consistently: update
the transport templates and config catalog from 8192 to 32768, matching the
documentation and generated configuration, or revise the documentation to apply
only to the release that changes the default. Locate the relevant
maxHttpHeaderSize entries in the transport configuration templates and config
catalog and update them together.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: e8a2ac07-5d67-4664-986c-779b45379956
📒 Files selected for processing (1)
en/docs/install-and-setup/setup/deployment-best-practices/production-deployment-guidelines.md
| <td>HTTP header size</td> | ||
| <td> | ||
| <div class="content-wrapper"> | ||
| <p>The default value of <code>maxHttpHeaderSize</code> on both the HTTP and HTTPS connectors in <code><APIM_HOME>/repository/conf/tomcat/catalina-server.xml</code> is set to <strong>32 KB (32768 bytes)</strong>.</p> | ||
| <p>This value <strong>must not be set to less than 32 KB (32768 bytes)</strong>, specifically on the <strong>API Control Plane (ACP) node</strong> in a distributed deployment (or on the single node in an all-in-one deployment), if <strong>Multi-Option Authentication</strong> is used for portal (Publisher, DevPortal, Admin) logins in federated authentication flows.</p> | ||
| <p>If set lower, the <code>/commonauth</code> redirect from the external Identity Provider carries the full OAuth scope list in the request URI, and the combined size of the request line and headers exceeds the buffer. Tomcat then rejects the request with a <code>400 Bad Request</code> or <code>414 Request-URI Too Long</code> error, breaking the federated login flow.</p> | ||
| <p>If you need to override the value via <code>deployment.toml</code>, keep it at or above the default:</p> | ||
| <div class="code panel pdl" style="border-width: 1px;"> | ||
| <div class="codeContent panelContent pdl"> | ||
| <div class="sourceCode" id="cb2" data-syntaxhighlighter-params="brush: text; gutter: false; theme: Confluence" data-theme="Confluence" style="brush: text; gutter: false; theme: Confluence"> | ||
| <pre class="sourceCode text"><code class="sourceCode text">[transport.http.properties] | ||
| maxHttpHeaderSize = 32768 | ||
|
|
||
| [transport.https.properties] | ||
| maxHttpHeaderSize = 32768</code></pre> | ||
| </div> | ||
| </div> | ||
| </div> | ||
| <p>If a reverse proxy, load balancer, ingress controller, or CDN is deployed in front of APIM, ensure its header and URL size limits are also aligned to at least 32 KB — otherwise the request will be rejected at the front tier before it reaches APIM.</p> |
There was a problem hiding this comment.
🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
printf '\n== Relevant files ==\n'
git ls-files \
'en/docs/install-and-setup/setup/deployment-best-practices/production-deployment-guidelines.md' \
'en/tools/config-catalog-generator/data/_http-transport.toml' \
'en/tools/config-catalog-generator/data/_https-transport.toml' \
'en/tools/config-catalog-generator/data/*transport*.toml' \
'en/tools/config-catalog-generator/data/*toml' | sort
printf '\n== Document excerpt ==\n'
sed -n '118,145p' en/docs/install-and-setup/setup/deployment-best-practices/production-deployment-guidelines.md
printf '\n== Template defaults ==\n'
for f in en/tools/config-catalog-generator/data/_http-transport.toml en/tools/config-catalog-generator/data/_https-transport.toml; do
echo "--- $f"
rg -n 'maxHttpHeaderSize|default|32768|8192' "$f" || true
done
printf '\n== Search for other mentions ==\n'
rg -n 'maxHttpHeaderSize|32768|8192|HTTP header size|header size' \
en/docs \
en/tools/config-catalog-generator/data \
. \
-g '!**/node_modules/**' \
-g '!**/dist/**' \
-g '!**/build/**' || trueRepository: wso2/docs-apim
Length of output: 50371
Align the documented default with the generated config defaults.
maxHttpHeaderSize is documented here as 32768, but the transport templates and config catalog still default it to 8192. Update both sources together, or narrow this note to the release where the default changes.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In
`@en/docs/install-and-setup/setup/deployment-best-practices/production-deployment-guidelines.md`
around lines 122 - 140, Align the maxHttpHeaderSize default consistently: update
the transport templates and config catalog from 8192 to 32768, matching the
documentation and generated configuration, or revise the documentation to apply
only to the release that changes the default. Locate the relevant
maxHttpHeaderSize entries in the transport configuration templates and config
catalog and update them together.
Summary
en/docs/install-and-setup/setup/deployment-best-practices/production-deployment-guidelines.md.maxHttpHeaderSizeon the HTTP and HTTPS Tomcat connectors is 32 KB (32768 bytes).deployment.tomloverride snippet and a note to align upstream reverse proxy / load balancer / ingress / CDN header limits to at least 32 KB.Related
Test plan
🤖 Generated with Claude Code