After migrating one of our servers to Nginx from Apache, I decided to
test file uploads (as I’ve implemented the Accelerated Upload Support
feature in PHP-FPM/nginx). I found that client_max_body_size
is an additional directive that affects POST/upload file sizes.
So this means that in addition to the 2 directives in PHP that must be
configured for upload file size, I must also now configure Nginx as
well?
I can understand this directive existing, but why default it to 1mb?
Found this issue due to this thread and my own failed upload attempts:
On Tue, Oct 12, 2010 at 12:22:12PM -0400, jlangevin wrote:
> I can understand this directive existing, but why default it to 1mb?
It is believed to be reasonably high for non-upload use cases, and
reasonably low to prevent DoS by uploading large files (with
default 1 worker process and 512 worker connections it’s possible to
consume up to 512M in client_body_temp directory).
For upload use cases one is probably going to tune it for his own
limits anyway - taking into account available disk space and so on.
In that case, if you had a server that you wanted to allow up to 32mb
uploads managed via PHP scripts, how would you do so in a secure fashion
(considering DOS)?
Would you do a check for a certain request type (such as POST) as well
as the requested URL?
Or would it not be worthwhile to be that exact?
On Tue, Oct 12, 2010 at 01:05:45PM -0400, jlangevin wrote:
> In that case, if you had a server that you wanted to allow up to 32mb
> uploads managed via PHP scripts, how would you do so in a secure fashion
> (considering DOS)?
Ideally, worker_processes * worker_connections * client_max_body_size
should be less than free space normally available for
client_body_temp_path.
Though for a large number of worker_connections it’s a bit hard to maintain
this invariant, e.g. 64k connections with 32m limit will require 2T
of disk space. So it’s probably a good idea to apply other limits
as well, e.g. limit_conn.
> Would you do a check for a certain request type (such as POST) as well
> as the requested URL?
> Or would it not be worthwhile to be that exact?
Configuring client_max_body_size only for particular locations may
be beneficial, especially when combined with limit_conn for
requests in this location.
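
The location-scoped limit suggested in the last reply, written out as an added example that is not part of the original thread. The zone names, the /upload.php path, the connection caps, the server name and the PHP-FPM socket path are assumptions.

```nginx
# Added example. Zone names, paths and caps below are assumed values.
worker_processes 1;

events {
    worker_connections 512;
}

http {
    # Shared-memory zones for limit_conn: one keyed per client address,
    # one keyed per virtual server (a cap across all clients).
    limit_conn_zone $binary_remote_addr zone=upload_per_ip:10m;
    limit_conn_zone $server_name        zone=upload_total:1m;

    server {
        listen 80;
        server_name example.com;

        # Keep the small default for everything that is not an upload.
        client_max_body_size 1m;

        location = /upload.php {
            # Only this endpoint accepts large request bodies.
            # PHP's own upload and POST size limits must allow 32M as well.
            client_max_body_size 32m;

            # At most 2 concurrent uploads per client address and 16 in total,
            # so this location can hold roughly 16 * 32m = 512m of request
            # bodies in client_body_temp_path at any one time.
            limit_conn upload_per_ip 2;
            limit_conn upload_total 16;

            # Reject every request method except POST.
            limit_except POST {
                deny all;
            }

            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php-fpm.sock;
        }
    }
}
```

Requests over the body limit get 413 and requests over either connection cap get 503 by default, so the bound on temporary disk use comes from the total cap rather than from worker_connections.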