I did not try your ruleset.
Just few comments based on what I see in the screenshot:
- The action is "Continue". You probably want to change this to "Block"
- The second rule checks for the RESPONSE-Header Content-Length. But you want to look at the REQUEST-Header as it is the POST request message you are interested in.
- The first rule will never trigger because the condition at the rule set will only match for HTTP/HTTPS and POST/PUT but for FTP or MPUT.
- Make sure the rule set is executed in the request cycle for POSTs. You may have this set but I cannot verify on the screenshot. I only mention because it is a typical error.
Usually it is a good strategy to create these kind of rules, step-by-step, e.g. first try to block ALL Post messages. When this works, block if the POST message has a Content-Length header. And in a third step add the condition to compare the header value against your 100MB constant.