Opened 6 years ago

Last modified 6 months ago

#586 new enhancement

variable support for client_max_body_size

Reported by: Tarek Ziade Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.7.x
Keywords: Cc:
uname -a:
nginx -V:


I would like to suggest adding nginx variable support to the client_max_body_size directive.
This would be quite useful to set this value dynamically.

Change History (8)

comment:1 by Valentin V. Bartenev, 6 years ago

Could you provide use cases as well?

comment:2 by Tarek Ziade, 6 years ago


Using HTTPLuaModule, I am calling an external server (a web application firewall app) in a subrequest that will let me know the max body size depending on the query path.

The external app can offer a rich rules-based environment to deal with security, without having to restart and/or reconfigure all our Nginx servers. The values are slightly cached of course so we don't call the WAF server on every request.

comment:3 by Valentin V. Bartenev, 6 years ago

Any use cases without 3rd-party modules? Your example will not work anyway, because the length is checked before lua code is executed.

comment:4 by Tarek Ziade, 6 years ago

the length is checked before lua code is executed.

In that case it defeats the purpose for me.

I am a bit confused though as this seemed possible, according to the OpenResty maintainer -!topic/openresty-en/qgSjFSSDVrg

comment:5 by Yichun Zhang, 6 years ago

ngx_lua does not call the standard nginx request reader before executing user Lua code. It is up to the user to decide when to actually read the request body (and even how to, the standard request body reader is just one option). The "complex value" of client_max_body_size can be evaluated at the time of the ngx_http_read_client_request_body call.

Version 0, edited 6 years ago by Yichun Zhang (next)

comment:6 by Yichun Zhang, 6 years ago

Ideally, this could be an internal feature on the level of the NGINX C API such that 3rd-party modules can choose to use different limits for different requests on-the-fly. This is much more efficient than the nginx variable approach IMHO. And in the context of the ngx_lua module, we can do something like below in Lua:

ngx.req.read_body(4096) -- limiting the max body length for this call to 4096 bytes

Last edited 6 years ago by Yichun Zhang (previous) (diff)

comment:7 by nvollmar@…, 16 months ago

One use case without 3rd party modules:

Set client_max_body_size differently depending upon the result of the client certificate verification (allow higher value only when client cert has been verified)

comment:8 by rubo77@…, 6 months ago

Is there a simple workaround how to set a globaly and set it to a lower value in a certain domain?

I would like to solve this in the nginx config folder without having to recompile nginx.

Maybe you can solve this by defining an upstream and use proxy_pass to redirect at the right condition?

Note: See TracTickets for help on using tickets.