Opened 6 years ago
Last modified 6 years ago
#1483 new enhancement
client_max_body_size vs. auth_request unexpected behaviour
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | nginx-module | Version: | 1.13.x |
| Keywords: | client_max_body_size, auth_request | Cc: | |
| uname -a: | Linux box 4.4.0-112-generic #135-Ubuntu SMP Fri Jan 19 11:48:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux | ||
| nginx -V: |
nginx version: nginx/1.13.8
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.5) built with OpenSSL 1.0.2g 1 Mar 2016 TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie' |
||
Description
Hi there,
I configured an upload location (to use the client_body_in_file_only feature). Additionally, I am using auth_request for that location to authorize uploads. When configuring the client_max_body_size for the upload location, I noticed that I have to repeat it in the internal auth location in order to become effective, i.e. uploads exceeding the default of 1MB would fail because the size of original (but removed) request body in the auth request, is checked against the limit of the auth location.
I don't know whether this is a bug. For me, it was at least unexpected behaviour because the request body for the auth request is empty.
Kind regards,
Christoph
server {
listen 80 default_server;
listen [::]:80 default_server;
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
ssl_certificate /etc/nginx/ssl/cert.pem;
ssl_certificate_key /etc/nginx/ssl/key.pem;
root /var/www/html;
index index.html index.htm;
location /upload {
auth_request /auth;
limit_except POST { deny all; }
client_body_temp_path /dev/shm/upload;
client_body_in_file_only on;
client_max_body_size 1000M;
proxy_set_header Request-Body-File $request_body_file;
proxy_set_header Content-Length "";
proxy_set_body "";
proxy_pass http://localhost:8080/upload;
}
location = /auth {
internal;
client_max_body_size 1000M;
proxy_set_header Content-Length "";
proxy_set_header X-Original-URI $request_uri;
proxy_set_body "";
proxy_pass http://localhost:8080/auth;
}
location / {
proxy_pass http://localhost:8080;
}
}
Note:
See TracTickets
for help on using tickets.
Bypassing
client_max_body_sizecheck for auth subrequests might be an option. We already do this ifr->discard_bodyis set, may be usingr->discard_bodyfor auth subrequests will be enough (though it needs careful checking to make sure it won't cause any unwanted side effects).