How to Increase the Maximum URL Length Limit in Apache HTTPd for API and Web Services


5 views

When running a web service or API on Apache HTTPd, you might encounter the HTTP 414 Request-URI Too Large error. This occurs when the length of the incoming URL exceeds the server's configured limit. Unlike browser-based applications (which typically enforce a ~2KB limit), programmatic clients (e.g., APIs, scripts, or backend services) may require longer URLs for complex queries or data transmission.

Apache HTTPd imposes a default URL length limit of 8,192 bytes (8KB) via the LimitRequestLine directive. This restriction is defined in the main server configuration or virtual host files. For APIs handling large query parameters or encoded data, this limit can be insufficient.

To increase the maximum allowed URL length, edit your Apache configuration file (e.g., httpd.conf, apache2.conf, or a virtual host file) and add or modify the following directives:


# Increase URL length limit to 16KB (adjust as needed)
LimitRequestLine 16384

# Optional: Also increase the maximum header size if needed
LimitRequestFieldSize 16384

Key parameters:

  • LimitRequestLine: Controls the maximum URL length (in bytes).
  • LimitRequestFieldSize: Sets the maximum size for any single HTTP header field.

After modifying the configuration, restart Apache and test with a long URL:


sudo systemctl restart apache2   # For systemd-based systems
sudo service apache2 restart     # For SysVinit systems

Use curl to verify the change:


curl -I "http://yourserver.com/$(python3 -c 'print("a"*16000)')"

For extremely large requests, consider:

  1. POST requests: Send data in the request body instead of the URL.
  2. HTTP/2: Reduces overhead for header compression.
  3. Query parameter optimization: Use shorter keys or encode data more efficiently.

Increasing URL limits may expose your server to buffer overflow attacks or excessive resource usage. Mitigate risks by:

  • Setting conservative limits (e.g., 16KB–64KB).
  • Implementing rate limiting.
  • Monitoring logs for abuse patterns.

While most web browsers enforce a ~2KB URL length limit, API clients and automated scripts often need to send much longer URLs. Apache's default LimitRequestLine directive sets this threshold at 8190 bytes (8KB). When exceeded, you'll see:

[Fri Oct 27 14:32:17.123456] [core:error] [pid 12345] (36)File name too long: 
[client 192.168.1.100:12345] AH00569: client sent too long URI

Edit your Apache config (httpd.conf, apache2.conf, or virtual host file):

# For global configuration
LimitRequestLine 16384  # Sets 16KB limit

# If using mod_proxy with backend servers
ProxyPass /api http://backend:8080/api
ProxyPassReverse /api http://backend:8080/api
LimitRequestLine 32768  # 32KB for proxy requests

For dynamic environments using .htaccess:

<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{REQUEST_URI} ^(.{8190,})$
  RewriteRule ^(.*)$ /error/414.php [L,R=414]
</IfModule>

Before increasing limits:

# Measure current URL lengths in access logs
awk '{print $7, length($7)}' access_log | sort -nk2 | tail -20

# Check existing limits
apache2ctl -t -D DUMP_RUNTIME_CONFIG | grep -i limit

Security implications to consider:

  • Long URLs may indicate injection attempts
  • Buffer overflow risks in older Apache versions
  • Increased memory usage per request

For APIs that need to transmit large data:

// Instead of:
GET /api/data?param1=value1&...¶m100=value100

// Use:
POST /api/data
Content-Type: application/json
{
  "params": {
    "param1": "value1",
    ...
    "param100": "value100"
  }
}

For web applications, consider URL shortening techniques:

# Using hash maps in your application
$url_map = [
  'abc123' => '/long/url/path?with=many¶meters=and&values=here'
];

# Then reference short URLs
GET /s/abc123