Opened 5 years ago

Last modified 8 weeks ago

#586 new enhancement

variable support for client_max_body_size

Reported by: www.google.com/accounts/o8/id?id=AItOawn3n_KsJNbSpYwnhXmdKn_QxungovHxMJ4 Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.7.x
Keywords: Cc:
uname -a:
nginx -V: 1.7.0.1

Description

I would like to suggest adding nginx variable support to the client_max_body_size directive.
This would be quite useful to set this value dynamically.

Change History (7)

comment:1 Changed 5 years ago by vbart

Could you provide use cases as well?

comment:2 Changed 5 years ago by www.google.com/accounts/o8/id?id=AItOawn3n_KsJNbSpYwnhXmdKn_QxungovHxMJ4

Sure:

Using HTTPLuaModule, I am calling an external server (a web application firewall app) in a subrequest that will let me know the max body size depending on the query path.

The external app can offer a rich rules-based environment to deal with security, without having to restart and/or reconfigure all our Nginx servers. The values are slightly cached of course so we don't call the WAF server on every request.

comment:3 Changed 5 years ago by vbart

Any use cases without 3rd-party modules? Your example will not work anyway, because the length is checked before lua code is executed.

comment:4 Changed 5 years ago by www.google.com/accounts/o8/id?id=AItOawn3n_KsJNbSpYwnhXmdKn_QxungovHxMJ4

the length is checked before lua code is executed.

In that case it defeats the purpose for me.

I am a bit confused though as this seemed possible, according to the OpenResty? maintainer - https://groups.google.com/forum/#!topic/openresty-en/qgSjFSSDVrg

comment:5 Changed 5 years ago by agentzh@…

ngx_lua does not call the standard nginx request body reader before executing user Lua code. It is up to the user to decide when to actually read the request body (and even how to, the standard request body reader is just one option).

Speaking of the implementation for this feaure in the nginx core, the "complex value" of client_max_body_size can be evaluated at the time of the ngx_http_read_client_request_body call.

Last edited 5 years ago by agentzh@… (previous) (diff)

comment:6 Changed 5 years ago by agentzh@…

Ideally, this could be an internal feature on the level of the NGINX C API such that 3rd-party modules can choose to use different limits for different requests on-the-fly. This is much more efficient than the nginx variable approach IMHO. And in the context of the ngx_lua module, we can do something like below in Lua:

ngx.req.read_body(4096) -- limiting the max body length for this call to 4096 bytes

Last edited 5 years ago by agentzh@… (previous) (diff)

comment:7 Changed 8 weeks ago by nvollmar@…

One use case without 3rd party modules:

Set client_max_body_size differently depending upon the result of the client certificate verification (allow higher value only when client cert has been verified)

Note: See TracTickets for help on using tickets.