Thank you! That makes a lot of sense.

On Thu, Mar 12, 2015 at 11:15 AM, Maxim Dounin <mdou...@mdounin.ru> wrote:
> Hello!
>
> On Thu, Mar 12, 2015 at 11:01:46AM -0400, Max Rothman wrote:
>
> > Is there a way for nginx to verify that the Content-Length header isn't
> > exceeded by the actual size of the request body?
>
> This can't happen. Anything after the Content-Length is a next
> request.
>
> > Context: I'm working on an upload endpoint with a maximum upload size, and
> > it seems that client_max_body_size only checks the Content-Length header,
> > not the actual body. Additionally, from my testing it appears that
> > nginx accepts
> > the entire request body regardless of what the Content-Length is set to. I
> > want to be able to defend against a potential slowloris-style attack where
> > all of my workers could get tied up with overly-large uploads.
>
> After the body is read, nginx will either read the next request
> (if allowed as per keepalive_timeout/keepalive_requests, as well
> as internal state), or will close the connection. When closing
> the connection it will use lingering_timeout / lingering_time
> settings to read and discard additional data (if any), if allowed
> by the lingering_close directive, see
> http://nginx.org/r/lingering_close for details.
>
> --
> Maxim Dounin
> http://nginx.org/
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
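
The framing rule from the quoted reply, as an added example that is not part of the thread and is not nginx code: a simplified Python model of how Content-Length delimits requests on one connection, so surplus bytes become the next request or leftover data. `MAX_BODY`, `split_requests` and the sample bytes are constructed for illustration.

```python
MAX_BODY = 16  # hypothetical limit standing in for client_max_body_size

# Constructed input: one connection carrying a 5-byte upload, a second
# request, and trailing bytes that never form a complete header block.
STREAM = (
    b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\n"
    b"hello"
    b"GET /next HTTP/1.1\r\nHost: example.test\r\n\r\n"
    b"junk-with-no-header-terminator"
)


def split_requests(stream, max_body=MAX_BODY):
    """Split a byte stream into requests using Content-Length framing.

    Returns (requests, leftover); each request is (request_line, status, body).
    Simplified model: no chunked encoding, no timeouts.
    """
    requests, pos = [], 0
    while True:
        head_end = stream.find(b"\r\n\r\n", pos)
        if head_end == -1:
            break  # no complete header block left
        lines = stream[pos:head_end].decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        raw_len = headers.get("content-length", "0")
        if not (raw_len.isascii() and raw_len.isdigit()):
            requests.append((lines[0], 400, b""))
            return requests, b""  # framing unknown, connection is closed
        length, body_start = int(raw_len), head_end + 4
        if length > max_body:
            # Rejected on the declared length alone, before reading any body.
            requests.append((lines[0], 413, b""))
            return requests, stream[body_start:]  # discarded while closing
        if body_start + length > len(stream):
            break  # body incomplete: a server would keep waiting for it
        requests.append((lines[0], 200, stream[body_start:body_start + length]))
        pos = body_start + length  # the next byte begins a new request
    return requests, stream[pos:]


if __name__ == "__main__":
    reqs, leftover = split_requests(STREAM)
    for req in reqs:
        print(req)
    print("leftover:", leftover)
```

The leftover bytes correspond to the data nginx either tries to read as another request or reads and discards under the lingering_close settings when it closes the connection.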