Why is client_max_body_size default set to 1m?

After migrating one of our servers to Nginx from Apache, I decided to
test file uploads (as I’ve implemented the Accelerated Upload Support
feature in PHP-FPM/nginx). I found that
client_max_body_size
is an additional directive that affects POST/upload file sizes.

So this means that in addition to the 2 directives in PHP that must be
configured for upload file size, I must also now configure Nginx as
well?

I can understand this directive existing, but why default it to 1mb?

Found this issue due to this thread and my own failed upload attempts:

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,139769,139769#msg-139769

Hello!

On Tue, Oct 12, 2010 at 12:22:12PM -0400, jlangevin wrote:

I can understand this directive existing, but why default it to 1mb?
It is believed to be reasonably high for non-upload use cases, and
reasonably low to prevent DoS by uploading large files (with
default 1 worker processes and 512 worker connections it’s possible to
consume up to 512M in client_body_temp directory).

For upload use cases one is probably going to tune it for his own
limits anyway - taking into account available disk space and so on.

Maxim D.

In that case, if you had a server that you wanted to allow up to 32mb
uploads managed via PHP scripts, how would you do so in a secure fashion
(considering DOS)?

Would you do a check for a certain request type (such as POST) as well
as the requested URL?
Or would it not be worthwhile to be that exact?

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,139769,139782#msg-139782

Hello!

On Tue, Oct 12, 2010 at 01:05:45PM -0400, jlangevin wrote:

In that case, if you had a server that you wanted to allow up to 32mb
uploads managed via PHP scripts, how would you do so in a secure fashion
(considering DOS)?

Ideally, worker_processes * worker_connections * client_max_body_size
should be less than free space normally available for
client_body_temp_path.

Though for large number of worker_connections it’s a bit hard maintain
this invariant, e.g. 64k connections with 32m limit will require 2T
of disk space. So it’s probably good idea to apply other limits
as well, e.g. limit_conn.

Would you do a check for a certain request type (such as POST) as well
as the requested URL?
Or would it not be worthwhile to be that exact?

Configuring client_max_body_size only for particular locations may
be beneficial, especially when combined with limit_conn for
requests in this location.

Maxim D.

Thanks Maxim, that’s very helpful! :slight_smile:

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,139769,139808#msg-139808

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs