Verify Content-Length matches request body

Max Rothman max at edx.org
Thu Mar 12 15:17:32 UTC 2015


Thank you! That makes a lot of sense.

On Thu, Mar 12, 2015 at 11:15 AM, Maxim Dounin <mdounin at mdounin.ru> wrote:

> Hello!
>
> On Thu, Mar 12, 2015 at 11:01:46AM -0400, Max Rothman wrote:
>
> > Is there a way for nginx to verify that the Content-Length header isn't
> > exceeded by the actual size of the request body?
>
> This can't happen.  Anything after the Content-Length is a next
> request.
>
> > Context: I'm working on an upload endpoint with a maximum upload size, and
> > it seems that client_max_body_size only checks the Content-Length header,
> > not the actual body. Additionally, from my testing it appears that nginx
> > accepts the entire request body regardless of what the Content-Length is
> > set to. I want to be able to defend against a potential slowloris-style
> > attack where all of my workers could get tied up with overly-large uploads.
>
> After the body is read, nginx will either read the next request
> (if allowed as per keepalive_timeout/keepalive_requests, as well
> as internal state), or will close the connection.  When closing
> the connection it will use lingering_timeout / lingering_time
> settings to read and discard additional data (if any), if allowed
> by the lingering_close directive, see
> http://nginx.org/r/lingering_close for details.
>
> --
> Maxim Dounin
> http://nginx.org/
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
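Added example, not part of this thread and not nginx's code: a small Python framer that applies the rule Maxim states above. The body of an HTTP/1.1 request is exactly Content-Length bytes; whatever follows is parsed as the next request on the connection, so a client cannot "exceed" Content-Length, it can only pipeline (or send garbage that fails to parse as a request). The size limit is enforced from the declared Content-Length before any body bytes are consumed, which is what client_max_body_size does (nginx answers 413). The names MAX_BODY, parse_requests, classify and the example.test host, and the three byte streams, are constructed for this illustration and are assumptions, not captured traffic.

```python
from dataclasses import dataclass, field

# Hypothetical limit standing in for nginx's client_max_body_size (assumption).
MAX_BODY = 1024


class FramingError(ValueError):
    """Stream is not a well-formed sequence of HTTP/1.1 requests (nginx: 400)."""


class BodyTooLarge(ValueError):
    """Declared Content-Length exceeds the limit; rejected before reading the body (nginx: 413)."""


@dataclass
class Request:
    method: str
    target: str
    headers: dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def parse_requests(stream: bytes, max_body: int = MAX_BODY) -> list[Request]:
    """Split a raw byte stream into requests using Content-Length framing only.

    After exactly Content-Length body bytes are taken, the loop starts over on
    the remaining bytes as the head of the *next* request, mirroring how an
    HTTP/1.1 server treats anything past the declared body.
    """
    requests: list[Request] = []
    buf = stream
    while buf:
        head_end = buf.find(b"\r\n\r\n")
        if head_end < 0:
            raise FramingError(f"incomplete request head: {buf[:40]!r}")
        head, buf = buf[:head_end], buf[head_end + 4:]
        lines = head.split(b"\r\n")
        parts = lines[0].split(b" ")
        if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
            raise FramingError(f"bad request line: {lines[0]!r}")
        headers: dict[str, str] = {}
        for line in lines[1:]:
            name, sep, value = line.partition(b":")
            if not sep:
                raise FramingError(f"bad header line: {line!r}")
            headers[name.strip().lower().decode("ascii")] = value.strip().decode("ascii")
        raw_len = headers.get("content-length", "0")
        if not raw_len.isdigit():
            raise FramingError(f"bad Content-Length: {raw_len!r}")
        length = int(raw_len)
        # Limit check uses the header alone; no body byte has been consumed yet.
        if length > max_body:
            raise BodyTooLarge(f"Content-Length {length} exceeds limit {max_body}")
        if len(buf) < length:
            raise FramingError("body shorter than declared Content-Length")
        body, buf = buf[:length], buf[length:]
        requests.append(Request(parts[0].decode("ascii"), parts[1].decode("ascii"), headers, body))
    return requests


# Constructed sample streams (not captured traffic).
# 1. A 5-byte body followed by a second, well-formed request: legitimate pipelining.
PIPELINED = (
    b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\n"
    b"hello"
    b"GET /next HTTP/1.1\r\nHost: example.test\r\n\r\n"
)
# 2. A 5-byte body with extra bytes behind it: the surplus is a broken "next request".
OVERRUN = (
    b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\n"
    b"helloEXTRA_BYTES"
)
# 3. A declared length over the limit: refused before any body is read.
OVERSIZED = b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5000\r\n\r\n"


def classify(stream: bytes) -> object:
    """Return the parsed requests, or the status a server would answer with."""
    try:
        return [(r.method, r.target, r.body) for r in parse_requests(stream)]
    except BodyTooLarge as exc:
        return "413 " + str(exc)
    except FramingError as exc:
        return "400 " + str(exc)


if __name__ == "__main__":
    for name, stream in (("pipelined", PIPELINED), ("overrun", OVERRUN), ("oversized", OVERSIZED)):
        print(name, "->", classify(stream))
```

The OVERRUN case is the one asked about in the thread: the server reads exactly five bytes of body, and "EXTRA_BYTES" is then interpreted as the start of another request. A real server either rejects that as a malformed request or, if it is closing the connection, drains and discards it under its lingering-close rules; in neither case does the surplus enlarge the first request's body.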