Opened 6 years ago

Last modified 6 years ago

#1483 new enhancement

client_max_body_size vs. auth_request unexpected behaviour

Reported by: chschmitt@… Owned by:
Priority: minor Milestone:
Component: nginx-module Version: 1.13.x
Keywords: client_max_body_size, auth_request Cc:
uname -a: Linux box 4.4.0-112-generic #135-Ubuntu SMP Fri Jan 19 11:48:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.13.8
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.5)
built with OpenSSL 1.0.2g 1 Mar 2016
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/ --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'


Hi there,

I configured an upload location (to use the client_body_in_file_only feature). Additionally, I am using auth_request for that location to authorize uploads. When configuring the client_max_body_size for the upload location, I noticed that I have to repeat it in the internal auth location in order to become effective, i.e. uploads exceeding the default of 1MB would fail because the size of original (but removed) request body in the auth request, is checked against the limit of the auth location.

I don't know whether this is a bug. For me, it was at least unexpected behaviour because the request body for the auth request is empty.

Kind regards,

server {
	listen 80 default_server;
	listen [::]:80 default_server;

	listen 443 ssl default_server;
	listen [::]:443 ssl default_server;

	ssl_certificate /etc/nginx/ssl/cert.pem;
	ssl_certificate_key /etc/nginx/ssl/key.pem;

	root /var/www/html;

	index index.html index.htm;

    location /upload {
        auth_request /auth;
        limit_except POST { deny all; }

        client_body_temp_path /dev/shm/upload;
        client_body_in_file_only on;

        client_max_body_size 1000M;

        proxy_set_header Request-Body-File $request_body_file;
        proxy_set_header Content-Length "";

        proxy_set_body "";

        proxy_pass http://localhost:8080/upload;

    location = /auth {

        client_max_body_size 1000M;

        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;

        proxy_set_body "";

        proxy_pass http://localhost:8080/auth;

    location / {
        proxy_pass   http://localhost:8080;

Change History (1)

comment:1 by Maxim Dounin, 6 years ago

Bypassing client_max_body_size check for auth subrequests might be an option. We already do this if r->discard_body is set, may be using r->discard_body for auth subrequests will be enough (though it needs careful checking to make sure it won't cause any unwanted side effects).

Note: See TracTickets for help on using tickets.