Why is client_max_body_size default set to 1m?
mdounin at mdounin.ru
Tue Oct 12 21:42:05 MSD 2010
On Tue, Oct 12, 2010 at 01:05:45PM -0400, jlangevin wrote:
> In that case, if you had a server that you wanted to allow up to 32mb
> uploads managed via PHP scripts, how would you do so in a secure fashion
> (considering DOS)?
Ideally, worker_processes * worker_connections * client_max_body_size
should be less than the free space normally available for client_body_temp_path.
Though for a large number of worker_connections it's a bit hard to maintain
this invariant, e.g. 64k connections with a 32m limit will require 2T
of disk space. So it's probably a good idea to apply other limits
as well, e.g. limit_conn.
> Would you do a check for a certain request type (such as POST) as well
> as the requested URL?
> Or would it not be worthwhile to be that exact?
Configuring client_max_body_size only for particular locations may
be beneficial, especially when combined with limit_conn for
requests in this location.
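
The layout described in this reply, sketched as an added example that is not part of the original message: the small default stays global, and only the upload location gets the 32m limit together with limit_conn. The zone names, paths, host name, PHP-FPM socket and all numbers are assumptions, and limit_conn_zone is the syntax of current nginx releases.

```nginx
# Added example: names, paths and numbers below are assumptions.
worker_processes 4;

events {
    worker_connections 1024;
}

http {
    # Global default stays small. Worst case for buffered bodies outside the
    # upload location: 4 workers * 1024 connections * 1m = 4G.
    client_max_body_size 1m;

    # Keep request bodies on their own volume so a flood of uploads
    # fills this path and not the root or log filesystem.
    client_body_temp_path /var/spool/nginx/client_body 1 2;

    # Two counters: concurrent connections per client address, and
    # concurrent connections in total for the virtual server.
    limit_conn_zone $binary_remote_addr zone=upload_per_ip:10m;
    limit_conn_zone $server_name        zone=upload_total:1m;

    server {
        listen 80;
        server_name upload.example.com;
        root /var/www/app;

        # Only this exact URI accepts large bodies.
        location = /upload.php {
            client_max_body_size 32m;

            # limit_conn is evaluated once the request header has been read,
            # before the body is buffered to client_body_temp_path.
            limit_conn upload_per_ip 2;
            limit_conn upload_total  64;   # 64 * 32m = 2G worst case on disk

            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php/php-fpm.sock;
        }

        # Every other PHP script keeps the 1m default.
        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php/php-fpm.sock;
        }
    }
}
```

With these numbers the volume behind client_body_temp_path needs roughly 6G of free space to hold the invariant from the reply, instead of the 128G that a global 32m limit would require for the same worker settings.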