From f3a6461eaa62588ec8364f1b85cdf6acacc37cb8 Mon Sep 17 00:00:00 2001
From: Dave <12233528+kawaiipantsu@users.noreply.github.com>
Date: Tue, 21 Feb 2023 01:13:52 +0100
Subject: [PATCH 1/2] Fixing uri max size

Changing URI max size from 1024 to 1280 bytes
---
 docker/nginx/dist/conf/tpotweb.conf | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/docker/nginx/dist/conf/tpotweb.conf b/docker/nginx/dist/conf/tpotweb.conf
index 68065cba..384fe6ea 100644
--- a/docker/nginx/dist/conf/tpotweb.conf
+++ b/docker/nginx/dist/conf/tpotweb.conf
@@ -46,7 +46,11 @@ server {
 client_body_buffer_size 128k;
 client_header_buffer_size 1k;
 client_max_body_size 2M;
- large_client_header_buffers 2 1k;
+
+ ### Changed from OWASP defaults
+ ### To suit Kibana (long ajax uris) breaking 1024
+ ### Still keeping it very true to 1k
+ large_client_header_buffers 2 1280;
 
 ### Mitigate Slow HHTP DoS Attack
 ### Timeouts definition ##

From 350179fc891abc44a269bd3099968beacdb17137 Mon Sep 17 00:00:00 2001
From: Dave <12233528+kawaiipantsu@users.noreply.github.com>
Date: Thu, 23 Feb 2023 16:51:42 +0100
Subject: [PATCH 2/2] Added detailed comment

Added a detailed comment on what the change is needed for and why it's there
---
 docker/nginx/dist/conf/tpotweb.conf | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/docker/nginx/dist/conf/tpotweb.conf b/docker/nginx/dist/conf/tpotweb.conf
index 384fe6ea..24e346ab 100644
--- a/docker/nginx/dist/conf/tpotweb.conf
+++ b/docker/nginx/dist/conf/tpotweb.conf
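Review bot: The comment above the new `large_client_header_buffers 2 1280;` line presents the directive as a URI size limit, but per nginx's documentation the size (1280) is applied separately to the request line and to each request header field — a request line that does not fit one buffer is answered with 414, an oversized header field with 400 — while the count (2) bounds the total; a maintainer later seeing a 400 on a long Cookie or Authorization header will not connect it to this line. The value itself is sound: a bare number is bytes in nginx, so 1280 cannot be written with the `k` suffix used on the neighbouring lines, and a 2×1280-byte ceiling keeps the per-connection header footprint essentially where the hardening left it. I would have the comment record the directive's real scope and the evidence behind the number, e.g. `### Kibana ajax request URIs exceed 1024 bytes (nginx: each request line / header field must fit one buffer, 2 buffers total)`, so the value can be re-tuned against observed errors rather than guesswork. The second patch in this series rewrites these comment lines and carries the same gap; see its note.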
@@ -47,9 +47,12 @@ server {
 client_header_buffer_size 1k;
 client_max_body_size 2M;
 
- ### Changed from OWASP defaults
- ### To suit Kibana (long ajax uris) breaking 1024
- ### Still keeping it very true to 1k
+ ### Changed from OWASP recommendations: "2 1k" to "2 1280" (So 1.2k)
+ ### When you pass though potentially another reverse proxy/load balancer
+ ### in front of tpotce you can introduce more headers than normal and
+ ### therefore you can exceed the allowed header buffer of 1k.
+ ### An 280 extra bytes seems to be working for most use-cases.
+ ### And still keeping it close to OWASP's recommendation.
 large_client_header_buffers 2 1280;
 
 ### Mitigate Slow HHTP DoS Attack
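Review bot: The rewritten rationale attributes the overflow to a front reverse proxy or load balancer adding more header fields, but 1280 is a per-buffer size, so additional fields (e.g. X-Forwarded-* headers, if that is what is meant) do not by themselves exceed it — they count against the 2-buffer total that the first argument of the directive controls — whereas the explanation the first patch gave, Kibana request URIs longer than 1024 bytes, is the case the size actually fixes and has now been dropped from the comment. Keeping both rationales tells a future maintainer which of the two arguments (count or size) to raise when the next overflow appears. Two smaller wording issues: 1280 bytes is 1.25k rather than "1.2k", and `### An 280 extra bytes seems to be working for most use-cases.` should read `### An extra 280 bytes seems to be working for most use-cases.`. A combined version could read `### Size: Kibana ajax request URIs exceed 1024 bytes and each request line / header field must fit one buffer; count: a front proxy adding headers consumes the 2-buffer total`.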