Opened 8 years ago

Closed 8 years ago

#1076 closed defect (invalid)

client_max_body_size has no effect with ssl configured

Reported by: kuceram@… Owned by:
Priority: blocker Milestone:
Component: other Version: 1.11.x
Keywords: Cc:
uname -a: Linux ef465051a9a8 4.4.11-23.53.amzn1.x86_64 #1 SMP Wed Jun 1 22:22:50 UTC 2016 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.11.3
built by gcc 4.9.2 (Debian 4.9.2-10)
built with OpenSSL 1.0.1t 3 May 2016
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_perl_module=dynamic --add-dynamic-module=debian/extra/njs-0.1.0/nginx --with-threads --with-stream --with-stream_ssl_module --with-stream_geoip_module=dynamic --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_v2_module --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,--as-needed'

Description

When I set client_max_body_size 30m; without ssl everything works (files up to 30MB are accepted). However when I switch to ssl it completely ignores this directive.

My configuration looks like (/etx/nginx/conf.d/my-sites.com.conf):

server {

listen 443 ssl;
server_name my-sites.com;
ssl_certificate /etc/nginx/ssl/my-sites.com/uni_my-sites.com.crt;
ssl_certificate_key /etc/nginx/ssl/my-sites.com/my-sites.com.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

client_max_body_size 30m;

location / {

proxy_pass http://my-backend.com;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

}

}

My configuration is:

AWS EC2 nano instance
Nginx in docker (latest stable - 1.10.1)
Only one virtual host on single IP address

See stackoverflow: http://stackoverflow.com/questions/39509355/nginx-client-max-body-size-has-no-effect-with-ssl-configured

Change History (2)

comment:1 by Maxim Dounin, 8 years ago

Please provide full configuration as shown with "nginx -T".

Please also make sure that you are testing it properly and the problem is in nginx, not in Amazon balancer or in your backend. A trivial way to test it locally would be:

$ curl --insecure -H 'Content-Length: 10000000' https://127.0.0.1/

If it immediately returns 413 Request Entity Too Large, then there is a problem with nginx configuration. If it hangs till timeout, then everything is fine (timeout is expected as the command above indicates there will be 10m request body, but doesn't provide any).

To be sure I've just tested the configuration above, and it works as expected: accepts requests with less than 30m of body data, and rejects anything above 30m.

comment:2 by Maxim Dounin, 8 years ago

Resolution: invalid
Status: newclosed

Closing this, update on stackoverflow confirms that the problem is not in nginx.

Note: See TracTickets for help on using tickets.