Verify Content-Length matches request body

Hi,

Is there a way for nginx to verify that the Content-Length header isn’t
exceeded by the actual size of the request body?

Context: I’m working on an upload endpoint with a maximum upload size,
and
it seems that client_max_body_size only checks the Content-Length
header,
not the actual body. Additionally, from my testing it appears that
nginx accepts
the entire request body regardless of what the Content-Length is set to.
I
want to be able to defend against a potential slowloris-style attack
where
all of my workers could get tied up with overly-large uploads.

Thanks,
Max Rothman

Hello!

On Thu, Mar 12, 2015 at 11:01:46AM -0400, Max Rothman wrote:

Is there a way for nginx to verify that the Content-Length header isn’t
exceeded by the actual size of the request body?

This can’t happen. Anything after the Content-Length is a next
request.

Context: I’m working on an upload endpoint with a maximum upload size, and
it seems that client_max_body_size only checks the Content-Length header,
not the actual body. Additionally, from my testing it appears that
nginx accepts
the entire request body regardless of what the Content-Length is set to. I
want to be able to defend against a potential slowloris-style attack where
all of my workers could get tied up with overly-large uploads.

After the body is read, nginx will either read the next request
(if allowed as per keepalive_timeout/keepalive_requests, as well
as internal state), or will close the connection. When closing
the connection it will use lingering_timeout / lingering_time
settings to read and discard additional data (if any), if allowed
by the lingering_close directive, see
http://nginx.org/r/lingering_close for details.


Maxim D.
http://nginx.org/

Thank you! That makes a lot of sense.

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs