Verify Content-Length matches request body

Maxim Dounin mdounin at
Thu Mar 12 15:15:24 UTC 2015


On Thu, Mar 12, 2015 at 11:01:46AM -0400, Max Rothman wrote:

> Is there a way for nginx to verify that the Content-Length header isn't
> exceeded by the actual size of the request body?

This can't happen.  Anything after the Content-Length is a next 

> Context: I'm working on an upload endpoint with a maximum upload size, and
> it seems that client_max_body_size only checks the Content-Length header,
> not the actual body. Additionally, from my testing it appears that
> nginx accepts
> the entire request body regardless of what the Content-Length is set to. I
> want to be able to defend against a potential slowloris-style attack where
> all of my workers could get tied up with overly-large uploads.

After the body is read, nginx will either read the next request 
(if allowed as per keepalive_timeout/keepalive_requests, as well 
as internal state), or will close the connection.  When closing 
the connection it will use lingering_timeout / lingering_time 
settings to read and discard additional data (if any), if allowed 
by the  lingering_close directive, see for details.

Maxim Dounin

More information about the nginx mailing list