What I have:
I have an iPhone app that sends HTTP POST requests (XML format) to a web service written in PHP. This is on a hosted virtual private server so I can edit httpd.conf and other files on the server, and restart Apache.

The problem:
The web service works perfectly as long as the request is not too large, but around 1MB is the limit. After that, the server responds with:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>413 Request Entity Too Large</title>
</head><body>
<h1>Request Entity Too Large</h1>
The requested resource<br />/<br />
does not allow request data with POST requests, or the amount of data
provided in the request exceeds the capacity limit.
</body></html>

The web service writes its own log file, and I can see that small messages are processed fine. Larger messages are not logged at all so I guess that something in Apache rejects them before they even reach the web service?

Things I've tried without success:
(I've restarted Apache after every change. These steps are incremental.)

1. hosting provider's web-based configuration panel: disable mod_security
2. httpd.conf: LimitXMLRequestBody 0 and LimitRequestBody 0
3. httpd.conf: LimitXMLRequestBody 100000000 and LimitRequestBody 100000000
4. httpd.conf: SecRequestBodyLimit 100000000

At this stage, Apache's error.log contains a message:
ModSecurity: Request body no files data length is larger than the configured limit (1048576)

It looks like my step #4 didn't really take, which is consistent with step #1 but does not explain why mod_security appears to be active after all.

What more can I try, to get the web service to receive large messages?