request body and client_body_buffer_size

Maxim Dounin mdounin at
Sat Sep 14 19:23:22 UTC 2013


On Sat, Sep 14, 2013 at 11:15:39AM -0700, Jeroen Ooms wrote:

> @ Maxim Dounin
> Thanks! This is very helpful. I have also set:
> client_body_buffer_size 1m;
> Could this setting have any side effects? I am not expecting too many
> large POST request. From what I read, client_body_buffer_size is
> actually the maximum amount of memory allocated. Does this mean that
> for small requests (e.g. without a body) there is no additional
> overhead introduced by raising this value?

Yes, it's not allocated if there is no request body, and only 
needed buffer is allocated if a request body is known to be 
smaller.  On the other hand, it can be used as a DoS vector if an 
attacker is allowed to open many connections but you can't afford 
them all to allocate client_body_buffer_size buffer.

Additionally, using such a big $request_body in proxy_cache_key 
implies various overheads.  In particular, proxy_buffer_size should 
be set big enough to be able to contain cache header with a key.  
Not even talking about reading/writing cache files with such keys.

Maxim Dounin

More information about the nginx mailing list