php - Override NGINX client_max_body_size only for specific pathURL? - Stack Overflow

We are trying to limit overall client_max_body_size to something relatively low across the server to limit it as an attack vector, but then allow larger requests to a specific endpoint that needs the larger upload limit.

In this example config, the attempt was to specify an overall limit of 50M but then allow 500M in /uploadtest/index.php:

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;
    sendfile            on;
    tcp_nopush          on;
    keepalive_timeout   1200;
    types_hash_max_size 4096;
    proxy_connect_timeout       1200;
    proxy_send_timeout          1200;
    proxy_read_timeout          1200;
    send_timeout                1200;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    include /etc/nginx/conf.d/*.conf;

    server {
        listen       80;
        listen       [::]:80;
        server_name  _;
        root         /usr/share/nginx/html;
        client_max_body_size    50M;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
            try_files $uri $uri/ /index.php?$args;
        }

        location = /uploadtest/index.php {
            try_files $uri =404;
            fastcgi_split_path_info ^(.+\.php)(.*)$;
            fastcgi_param HTTPS off;
            fastcgi_pass unix:/run/php-fpm/www.sock;
            fastcgi_read_timeout 1200;
            http2_push_preload on;
            fastcgi_buffers 16 128k;
            fastcgi_buffer_size 256k;
            fastcgi_busy_buffers_size 256k;
            client_max_body_size    500M;
        }

        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_split_path_info ^(.+\.php)(.*)$;
            fastcgi_param HTTPS off;
            fastcgi_pass unix:/run/php-fpm/www.sock;
            fastcgi_read_timeout 1200;
            http2_push_preload on;
            fastcgi_buffers 16 128k;
            fastcgi_buffer_size 256k;
            fastcgi_busy_buffers_size 256k;
        }
    }
}

No matter what, we receive "Entity too large" errors when trying to upload to /uploadtest/index.php.

(Values in php.ini and php-fpm.conf are not restricting this and we're able to upload the files if we raise the entire server limit.)

Also tried this the opposite way - setting a large global limit and then restricting everything except /uploadtest/index.php, but this method doesn't end up restricting other upload paths and leaves everything open to the limit of 500m.

    server {
        listen       80;
        listen       [::]:80;
        server_name  _;
        root         /usr/share/nginx/html;
        client_max_body_size    500M;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location = /uploadtest/index.php {
            try_files $uri =404;
            fastcgi_split_path_info ^(.+\.php)(.*)$;
            fastcgi_param HTTPS off;
            fastcgi_pass unix:/run/php-fpm/www.sock;
            fastcgi_read_timeout 1200;
            http2_push_preload on;
            fastcgi_buffers 16 128k;
            fastcgi_buffer_size 256k;
            fastcgi_busy_buffers_size 256k;
            client_max_body_size    500M;
        }

        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_split_path_info ^(.+\.php)(.*)$;
            client_max_body_size  50M;
            fastcgi_param HTTPS off;
            fastcgi_pass unix:/run/php-fpm/www.sock;
            fastcgi_read_timeout 1200;
            http2_push_preload on;
            fastcgi_buffers 16 128k;
            fastcgi_buffer_size 256k;
            fastcgi_busy_buffers_size 256k;
        }

        location / {
            try_files $uri $uri/ /index.php?$args;
            client_max_body_size 50M;
        }
    }

So - is there any way to restrict global upload limits in this manner? And if so, what am I missing?
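
The sketch below is an added example, not part of the original post: it models nginx's documented location selection (exact match, then longest prefix, then regexes in file order) and directive inheritance for the first server block as posted, to show which client_max_body_size each request URI resolves to from those lines alone. The location table is transcribed from the post, files pulled in by `include` are not modelled, and the function names are hypothetical.

```python
import re

# Locations of the first server block in the post, in file order:
# (modifier, pattern, client_max_body_size set in that block, or None).
# Files pulled in by "include" are not modelled.
SERVER_LIMIT = "50M"
LOCATIONS = [
    ("", "/", None),
    ("=", "/uploadtest/index.php", "500M"),
    ("~", r"\.php$", None),
]


def select_location(uri, locations):
    """Pick a location the way nginx documents it (simplified model)."""
    best_prefix = None
    for mod, pattern, limit in locations:
        if mod == "=" and uri == pattern:
            return (mod, pattern, limit)          # exact match ends the search
        if mod in ("", "^~") and uri.startswith(pattern):
            if best_prefix is None or len(pattern) > len(best_prefix[1]):
                best_prefix = (mod, pattern, limit)  # remember longest prefix
    if best_prefix and best_prefix[0] == "^~":
        return best_prefix                        # ^~ suppresses regex checks
    for mod, pattern, limit in locations:
        if mod in ("~", "~*"):
            flags = re.IGNORECASE if mod == "~*" else 0
            if re.search(pattern, uri, flags):
                return (mod, pattern, limit)      # first regex in file order wins
    return best_prefix


def effective_limit(uri, locations=LOCATIONS, server_limit=SERVER_LIMIT):
    """Location-level client_max_body_size overrides the inherited server value."""
    path = uri.split("?", 1)[0]                   # matching ignores the query string
    loc = select_location(path, locations)
    if loc is None or loc[2] is None:
        return server_limit
    return loc[2]


if __name__ == "__main__":
    for uri in ("/uploadtest/index.php", "/uploadtest/index.php?x=1",
                "/uploadtest/", "/index.php", "/uploadtest/index.php/extra"):
        print(f"{uri:32} -> {effective_limit(uri)}")
```

Running `nginx -T` prints the full configuration the server actually loaded, including the included files this model leaves out, which is the thing to compare these results against.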
