Resolving “Request Entity Too Large (413)” Error for File Uploads >128KB in Spring/Tomcat with SSL Renegotiation Buffer Issues


When working with Spring applications deployed on Tomcat behind Apache with SSL termination, the 128KB upload limit is actually an Apache-imposed restriction related to SSL renegotiation buffers. The key error messages tell the story:

AH02018: request body exceeds maximum size (131072) for SSL buffer
AH02257: could not buffer message body to allow SSL renegotiation to proceed

The common suggestion of increasing SSLRenegBufferSize often fails because:

  • Modern Apache versions handle SSL differently
  • The directive must be placed in the correct context
  • Other size limits may still interfere

Here's what actually works in Apache 2.4:

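<VirtualHost *:443>
    ServerName yourdomain.com
    SSLEngine on
    # Refuse renegotiation with clients that lack secure renegotiation
    # support (this is the default)
    SSLInsecureRenegotiation off

    # Also adjust these related parameters. httpd does not allow a comment
    # on the same line as a directive, so each comment sits on its own line.
    # 10MB max upload
    LimitRequestBody 10485760
    # Modern TLS only
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

    # Set buffer for legacy clients that require it (10MB).
    # SSLRenegBufferSize is valid only in per-directory context
    # (<Directory>, <Location>, .htaccess), not directly in <VirtualHost>.
    <Location "/">
        SSLRenegBufferSize 10485760
    </Location>
</VirtualHost>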

Ensure your Tomcat connector in server.xml has proper settings:

<!-- 10485760 bytes = 10MB for both limits -->
<Connector port="8009" protocol="AJP/1.3"
    maxPostSize="10485760"
    maxSavePostSize="10485760"
    redirectPort="8443" />

In your Spring Boot application.properties/yml:

spring.servlet.multipart.max-file-size=10MB
spring.servlet.multipart.max-request-size=10MB

Or for XML configuration:

<bean id="multipartResolver" class="org.springframework.web.multipart.commons.CommonsMultipartResolver">
    <property name="maxUploadSize" value="10485760"/>
</bean>

To verify everything is working, create a simple test endpoint:

@PostMapping("/upload-test")
public ResponseEntity<String> handleUpload(@RequestParam("file") MultipartFile file) {
    return ResponseEntity.ok("Uploaded: " + file.getOriginalFilename() 
        + " (" + file.getSize() + " bytes)");
}

Then test with curl:

curl -X POST -H "Content-Type: multipart/form-data" \
-F "file=@largefile.zip" https://yourserver.com/upload-test

If you still face issues, consider:

  • Using Nginx instead of Apache as reverse proxy
  • Implementing chunked uploads for very large files
  • Direct uploads to cloud storage (S3, etc.)

When working with file uploads over HTTPS in Apache/Tomcat environments, many developers encounter the frustrating 413 error with messages like:

AH02018: request body exceeds maximum size (131072) for SSL buffer
AH02257: could not buffer message body to allow SSL renegotiation to proceed

This typically occurs when uploading files larger than 128KB through SSL connections. The root cause lies in Apache's SSL renegotiation buffer, which is configured to 128KB (131072 bytes) by default.

Many online resources suggest simply increasing SSLRenegBufferSize, but as our experience shows, this alone often doesn't resolve the issue. The complete solution requires multiple configuration adjustments:

# In your Apache virtual host configuration
SSLInsecureRenegotiation off
SSLVerifyClient none
# 10MB; must match buffer size
LimitRequestBody 10485760
<Location "/">
    # 10MB buffer (the directive is valid only in per-directory context)
    SSLRenegBufferSize 10485760
</Location>

Since you're using the JK connector, ensure your Tomcat connector configuration matches:

<Connector port="8009" protocol="AJP/1.3" 
    maxPostSize="10485760"
    maxSavePostSize="10485760"/>

Here's a tested configuration that works for file uploads up to 10MB:

# Apache httpd.conf or SSL virtual host
<VirtualHost *:443>
    ServerName yourdomain.com
    SSLEngine on
    SSLCertificateFile /path/to/cert.pem
    SSLCertificateKeyFile /path/to/key.pem
    
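    # SSL buffer settings (SSLRenegBufferSize is valid only in
    # per-directory context, so it is wrapped in <Location>)
    <Location "/">
        SSLRenegBufferSize 10485760
    </Location>
    SSLInsecureRenegotiation off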
    
    # Connection to Tomcat
    JkMount /* worker1
    JkMount /teamleadchoachingtracking/* worker1
    
    # Size limits
    LimitRequestBody 10485760
    
    # Prevent renegotiation
    SSLVerifyClient none
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
</VirtualHost>

After applying changes, verify with:

apachectl configtest
systemctl restart apache2
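
A static pre-check for the placement and size-limit pitfalls listed earlier, which can run before `apachectl configtest`. This is an added example, not code from the original page: `lint`, `SAMPLE` and `PER_DIR` are hypothetical names, the sample config is constructed, and the list of per-directory sections is a simplification.

```python
import re

# Constructed sample vhost (not from the page): SSLRenegBufferSize once at vhost
# level with a trailing comment, once inside <Location>, and a smaller body limit.
SAMPLE = """\
<VirtualHost *:443>
    SSLEngine on
    SSLRenegBufferSize 10485760  # 10MB buffer
    LimitRequestBody 5242880
    <Location "/upload">
        SSLVerifyClient require
        SSLRenegBufferSize 10485760
    </Location>
</VirtualHost>
"""

# Sections treated as per-directory context (simplified; assumption of this example).
PER_DIR = {"directory", "directorymatch", "location", "locationmatch", "files", "filesmatch"}

def lint(conf):
    """Return sorted (line_number, message) findings for an httpd config string."""
    findings, stack, sizes = [], [], {}
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):  # closing tag: leave the current section
            del stack[-1:]
            continue
        if line.startswith("<"):  # opening tag: remember the section name
            stack.append(re.sub(r"\W.*", "", line[1:]).lower())
            continue
        name, rest = (line.split(None, 1) + [""])[:2]
        # httpd has no same-line comments: the '#' text becomes extra arguments.
        if re.search(r"(^|\s)#", rest):
            findings.append((no, f"{name}: trailing '#' text is parsed as arguments"))
        args = re.split(r"(^|\s)#", rest)[0].split()
        key = name.lower()
        if key == "sslrenegbuffersize" and not PER_DIR & set(stack):
            findings.append((no, "SSLRenegBufferSize outside per-directory context"))
        if key in ("sslrenegbuffersize", "limitrequestbody") and args and args[0].isdigit():
            sizes.setdefault(key, []).append((no, int(args[0])))
    limits = {v for _, v in sizes.get("limitrequestbody", [])}
    for no, v in sizes.get("sslrenegbuffersize", []):
        if limits and v not in limits:
            findings.append((no, f"SSLRenegBufferSize {v} differs from LimitRequestBody"))
    return sorted(findings)

if __name__ == "__main__":
    print(*lint(SAMPLE), sep="\n")
```

An empty result means none of these three pitfalls were found; `apachectl configtest` remains the authoritative syntax check.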

Then test uploads with various file sizes using cURL:

curl -X POST -H "Content-Type: multipart/form-data" \
  -F "file=@largefile.zip" \
  https://yourdomain.com/teamleadchoachingtracking/doFileUpload

If performance allows, you can completely disable SSL renegotiation:

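# Refuses renegotiation only with clients lacking secure renegotiation support
SSLInsecureRenegotiation off
# No client certificate is requested, so client auth never forces a renegotiation
SSLVerifyClient none
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
<Location "/">
    SSLRenegBufferSize 10485760
</Location>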

This combination typically resolves the 413 error while maintaining security.