client_max_body_size

Hagai Avrahami hagaia at qwilt.com
Sun Mar 24 11:52:42 UTC 2013


Hi

Is there any way to deny all requests with a body?
I know I can set client_max_body_size to 1 (byte),
but in that case Nginx reads the whole request body before finalizing the
request.

For requests with a body that are part of an attack, I would like to close the
connection
immediately without wasting any processing on that request.

*I thought of changing the code (ngx_http_core_module.c:996) from:*

    if (r->headers_in.content_length_n != -1
        && !r->discard_body
        && clcf->client_max_body_size
        && clcf->client_max_body_size < r->headers_in.content_length_n)
    {
        ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
                      "client intended to send too large body: %O bytes",
                      r->headers_in.content_length_n);

        (void) ngx_http_discard_request_body(r);
        ngx_http_finalize_request(r, NGX_HTTP_REQUEST_ENTITY_TOO_LARGE);
        return NGX_OK;
    }


*To:*

    if (r->headers_in.content_length_n != -1
        && !r->discard_body
        && clcf->client_max_body_size
        && clcf->client_max_body_size < r->headers_in.content_length_n)
    {
        ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
                      "client intended to send too large body: %O bytes",
                      r->headers_in.content_length_n);

        ngx_close_connection(r->connection);   /* the changed line */

        return NGX_OK;
    }

Does that cover everything, or are more changes needed?
Thanks
Hagai
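
The check quoted in the message fires only when a declared Content-Length exceeds client_max_body_size, so with a limit of 1 a 1-byte body is not matched, and neither is a request without a Content-Length header (content_length_n == -1). As an added example (not from the original post and not nginx code), the stand-alone C below decides from the header block alone whether a request announces a body; header_value, declares_body, size_check_fires and the sample requests are hypothetical names and constructed inputs.

```c
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Constructed sample requests (header section only). */
static const char REQ_GET[]  = "GET / HTTP/1.1\r\nHost: a.test\r\n\r\n";
static const char REQ_ONE[]  = "POST / HTTP/1.1\r\nHost: a.test\r\ncontent-length: 1\r\n\r\n";
static const char REQ_CHNK[] = "POST / HTTP/1.1\r\nHost: a.test\r\nTransfer-Encoding: chunked\r\n\r\n";

/* Hypothetical helper, not an nginx function: value of header `name`, or NULL. */
static const char *header_value(const char *hdrs, const char *name) {
    size_t n = strlen(name);
    const char *line = strstr(hdrs, "\r\n");        /* end of the request line */
    while (line != NULL && line[2] != '\r' && line[2] != '\0') {
        line += 2;                                  /* start of next header line */
        if (strncasecmp(line, name, n) == 0 && line[n] == ':') {
            for (line += n + 1; *line == ' ' || *line == '\t'; line++)
                ;                                   /* skip leading whitespace */
            return line;
        }
        line = strstr(line, "\r\n");
    }
    return NULL;
}

/* 1 if the headers alone announce a request body, else 0. */
int declares_body(const char *hdrs) {
    const char *cl = header_value(hdrs, "Content-Length");
    char *end;
    if (header_value(hdrs, "Transfer-Encoding") != NULL)
        return 1;               /* body without Content-Length, e.g. chunked */
    if (cl == NULL)
        return 0;               /* the content_length_n == -1 case */
    long long n = strtoll(cl, &end, 10);
    if (end == cl || *end != '\r')
        return 1;               /* malformed length: treat as a body */
    return n != 0;
}

/* Size comparison from the quoted check (r->discard_body term left out). */
int size_check_fires(long long content_length_n, long long max_body) {
    return content_length_n != -1 && max_body && max_body < content_length_n;
}

int main(void) {
    return !(declares_body(REQ_CHNK) && declares_body(REQ_ONE) && !declares_body(REQ_GET));
}
```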