Opened 10 years ago

Last modified 5 years ago

#586 new enhancement

variable support for client_max_body_size

Reported by: Tarek Ziade Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.7.x
Keywords: Cc:
uname -a:
nginx -V: 1.7.0.1

Description

I would like to suggest adding nginx variable support to the client_max_body_size directive.
This would be quite useful to set this value dynamically.

Change History (7)

comment:1 by Valentin V. Bartenev, 10 years ago

Could you provide use cases as well?

comment:2 by Tarek Ziade, 10 years ago

Sure:

Using HTTPLuaModule, I am calling an external server (a web application firewall app) in a subrequest that will let me know the max body size depending on the query path.

The external app can offer a rich rules-based environment to deal with security, without having to restart and/or reconfigure all our Nginx servers. The values are slightly cached of course so we don't call the WAF server on every request.

comment:3 by Valentin V. Bartenev, 10 years ago

Any use cases without 3rd-party modules? Your example will not work anyway, because the length is checked before lua code is executed.

comment:4 by Tarek Ziade, 10 years ago

the length is checked before lua code is executed.

In that case it defeats the purpose for me.

I am a bit confused though as this seemed possible, according to the OpenResty maintainer - https://groups.google.com/forum/#!topic/openresty-en/qgSjFSSDVrg

comment:5 by Yichun Zhang, 10 years ago

ngx_lua does not call the standard nginx request body reader before executing user Lua code. It is up to the user to decide when to actually read the request body (and even how to, the standard request body reader is just one option).

Speaking of the implementation for this feaure in the nginx core, the "complex value" of client_max_body_size can be evaluated at the time of the ngx_http_read_client_request_body call.

Last edited 10 years ago by Yichun Zhang (previous) (diff)

comment:6 by Yichun Zhang, 10 years ago

Ideally, this could be an internal feature on the level of the NGINX C API such that 3rd-party modules can choose to use different limits for different requests on-the-fly. This is much more efficient than the nginx variable approach IMHO. And in the context of the ngx_lua module, we can do something like below in Lua:

ngx.req.read_body(4096) -- limiting the max body length for this call to 4096 bytes

Last edited 10 years ago by Yichun Zhang (previous) (diff)

comment:7 by nvollmar@…, 5 years ago

One use case without 3rd party modules:

Set client_max_body_size differently depending upon the result of the client certificate verification (allow higher value only when client cert has been verified)

Note: See TracTickets for help on using tickets.