How to block POST requests?

Calomel nginxlist at calomel.org
Wed May 21 20:33:56 MSD 2008


RT,

Igor would probably have more accurate information, but the regular
expression should be more efficient than accepting a stream of data up
to 1k and closing the connection. (client_max_body_size 1k 1k;)


As I understand it, you have two (2) buffers of size 4k. This should
mean you will accept up to 8K of data. (large_client_header_buffers 2
4k;) I will change the wording on my site to make it a bit clearer.

I am not sure what would be more efficient. 2x4 or 1x8 buffers. I am
going to guess that if you had a data size of less than 4K then you
would only need to setup one small buffer. But, if you had 8K of data
then there would be more overhead setting up 2 4k buffers compared to
1 8k buffer. I am not really sure it makes that much difference since
the sizes are so small.

Does anyone else have any insights?

--
  Calomel @ https://calomel.org
  Open Source Research and Reference


On Tue, May 20, 2008 at 08:03:02PM -0700, Rt Ibmer wrote:
>Calomel,
>
>>>## Only allow GET and HEAD request methods
>>>      if ($request_method !~ ^(GET|HEAD)$ ) {
>>>         return 444;
>>>      }
>
>Regarding the above - no one should ever do a POST operation to our site.  However since the above check can slow things down a tad (someone said as much as 15% compared to other methods), I was thinking to instead simply use:
>
>   client_max_body_size 1k 1k;
>
>Well, I will use that in any event. However I'm wondering then if the request_method check above is then even worth it.  If someone is going to use POST the most they could do is 1KB so perhaps the large_client_header_buffer is enough protection for that and not worth adding slight overhead on the request_type check. What do you think?
>
>Also I am trying to see if I understand something properly from your excellent website article... If I use this:
>   large_client_header_buffers 2 4k;
>
>Does that mean that a request URI that comes in can be up to 8KB in size? Or does it mean it can only be up to 4KB? I was a bit confused by the text for this on your site. You said "is the limit of the URI request line
>which can not be larger than the size of ***ONE*** buffer." I wasn't sure if you meant one buffer because that is what you were using in your example, or if it is indeed limited to one?
>
>In our case most of the query strings we get will be small.  However some can be up to 4-6KB in size.  What do you recommend - using ..._buffers 2 4k; or ..._buffers 1 8k;  etc?
>
>Thanks!
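For reference, here is how the three controls debated in this thread (method restriction, body size limit, header buffer sizing) fit together in one nginx server block. This is an added example, not configuration from Calomel's site or from either poster; the directive names are real nginx directives, the hostname and size values are illustrative placeholders. It uses `limit_except` instead of the regex `if` quoted above, which answers the same "no POST ever" requirement with a plain method allow-list (returning 403 rather than closing the connection with 444):

```nginx
server {
    listen 80;
    server_name example.invalid;   # constructed placeholder hostname

    # The request line (method + URI + version) and each individual header
    # field must each fit in ONE of these buffers (4k here); nginx answers
    # 414 or 400 otherwise. The count (2) only bounds the total header
    # size, so "2 4k" does NOT allow an 8k URI.
    large_client_header_buffers 2 4k;

    # Caps the request body. It takes a single size argument, and it limits
    # what a POST may carry; it does not by itself reject POST, since a POST
    # with an empty body still passes this check and reaches the backend.
    client_max_body_size 1k;

    location / {
        # Method allow-list without a regex evaluation: allowing GET also
        # allows HEAD; every other method (POST, PUT, ...) gets 403.
        limit_except GET {
            deny all;
        }
        # root / proxy_pass for the read-only content would go here
    }
}
```

The point the config makes explicit is that the body-size limit and the method check are independent controls: the first bounds how much data nginx will buffer, the second decides whether the request is handled at all, so the size limit is not a substitute for the method restriction.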