Why is client_max_body_size default set to 1m?

Maxim Dounin mdounin at mdounin.ru
Tue Oct 12 21:42:05 MSD 2010


On Tue, Oct 12, 2010 at 01:05:45PM -0400, jlangevin wrote:

> In that case, if you had a server that you wanted to allow up to 32mb
> uploads managed via PHP scripts, how would you do so in a secure fashion
> (considering DOS)?

Ideally, worker_processes * worker_connections * client_max_body_size
should be less than the free space normally available for client_body_temp_path.

Though for a large number of worker_connections it's a bit hard to maintain
this invariant, e.g. 64k connections with 32m limit will require 2T
of disk space.  So it's probably a good idea to apply other limits
as well, e.g. limit_conn.

> Would you do a check for a certain request type (such as POST) as well
> as the requested URL?
> Or would it not be worthwhile to be that exact?

Configuring client_max_body_size only for particular locations may 
be beneficial, especially when combined with limit_conn for 
requests in this location.
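
The per-location setup described in the reply, as an added configuration example that is not part of the original message. It uses the limit_conn_zone syntax of current nginx releases; the zone names, temp path, upload URL, concurrency limits and PHP backend address are assumptions.

```nginx
# Added example; zone names, paths, limits and the backend address are assumptions.
worker_processes 4;

events {
    worker_connections 1024;
}

http {
    # The small default stays in force everywhere except the upload endpoint.
    client_max_body_size 1m;

    # Request bodies that do not fit in memory are spooled here; this is the
    # filesystem whose free space the invariant has to fit into.
    client_body_temp_path /var/spool/nginx/client_body;

    # Shared-memory zones for counting concurrent connections. They are
    # shared by all workers, so the limits below are global, not per worker.
    limit_conn_zone $binary_remote_addr zone=upload_per_ip:10m;
    limit_conn_zone $server_name        zone=upload_total:1m;

    server {
        listen 80;
        server_name example.com;

        # Only this location accepts large bodies.
        location = /upload.php {
            client_max_body_size 32m;

            # At most 2 concurrent uploads per client address and 64 in
            # total, so the worst case for this location is
            # 64 * 32m = 2g of temp space instead of
            # worker_processes * worker_connections * 32m = 128g.
            limit_conn upload_per_ip 2;
            limit_conn upload_total  64;

            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass 127.0.0.1:9000;
        }
    }
}
```

All other locations keep the 1m default, so their worst case remains worker_processes * worker_connections * 1m = 4g with these numbers.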

