9

I was wondering if there is any security risk involved with raising the client_max_body_size in nginx from 1MB to 20GB?

S.L. Barth

1 Answer

8

Setting client_max_body_size to 20 GB is, obviously, not reasonable, and I wonder why you would allow (users?, yourself?) to upload such huge files.

client_max_body_size governs the corresponding HTTP Header parameter. As a good security practice, we must always limit the header and message body to a minimal reasonable length. Why? 20 GB is so huge that you put your server in the same scenario as in 2013, when Django allowed users to use a very long password, forcing Django (or rather the server where it is hosted) to perform very expensive hash calculations, leading, as you may guess, to a denial-of-service attack against Django's whole authentication framework.

That said, there are other things you need to think about if you increase the size of client_max_body_size too much. For instance, how will you set the keepalive_timeout parameter? How could you calculate it based on the fact that client_max_body_size is set to 20 GB? Maybe 20 seconds? 20 minutes? Two hours? The same question concerns client_header_timeout and client_body_timeout, which, respectively, set the maximum amount of time Nginx will wait around on the client to specify a request header or ask for an object to be served.

  • I have a reverse proxy, and behind that there is a server with ownCloud on it. The reverse proxy was putting a limit where I could only upload 1 MB to my ownCloud server, and that was the only solution I could come up with. – Daniel Guldberg Aaes Jul 21 '15 at 07:08
  • @DanielGuldbergAaes That is good. And remember to think about security in terms of [layered defense](https://en.wikipedia.org/wiki/Layered_security) –  Jul 21 '15 at 07:18
  • So it won't be a problem? Is that what you mean? – Daniel Guldberg Aaes Jul 21 '15 at 07:40
  • @DanielGuldbergAaes By *good* I mean it is *better* that you expose your proxy rather than your main servers. That is all. But I said you have to think in terms of **layered security**: I mean that what I outlined in my answer concerning your main server is applicable to your proxy server too, because the latter is not DDoS safe by default. –  Jul 21 '15 at 07:59
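
An added example, not part of the original answer or comments: one way to keep the small default body limit on a reverse proxy in front of ownCloud and raise it only on the upload path, with the permissive global setting shown commented out beside it. The host name, certificate paths, backend address, `/remote.php/` location, zone name and all numeric values are assumptions to adapt.

```nginx
# http block of nginx.conf. Constructed example; every name and value is an assumption.
http {
    # Weak: a global limit lets any client send 20 GB to any URL.
    # client_max_body_size 20g;

    # Corrected: keep the default small everywhere ...
    client_max_body_size  1m;

    # Bound how long a slow client can hold a connection open.
    client_header_timeout 10s;   # time allowed to send the request header
    client_body_timeout   30s;   # max gap between two successive body reads,
                                 # not a limit on the whole upload
    keepalive_timeout     15s;   # idle keep-alive connections

    # Per-address connection counter (zone name "perip" is hypothetical).
    limit_conn_zone $binary_remote_addr zone=perip:10m;

    server {
        listen 443 ssl;
        server_name cloud.example.com;                       # placeholder
        ssl_certificate     /etc/nginx/tls/cloud.crt;        # placeholder
        ssl_certificate_key /etc/nginx/tls/cloud.key;        # placeholder

        # ... and raise the limit only where uploads arrive. The prefix is an
        # assumption: match it to the paths your ownCloud version uses.
        location ^~ /remote.php/ {
            client_max_body_size 20g;
            limit_conn perip 4;             # few parallel uploads per address

            # Stream the body to the backend instead of spooling up to
            # 20 GB per request on the proxy's disk.
            proxy_request_buffering off;
            proxy_http_version 1.1;
            proxy_pass http://10.0.0.10:80;  # placeholder backend
        }

        # Everything else keeps the 1 MB default.
        location / {
            proxy_pass http://10.0.0.10:80;  # placeholder backend
        }
    }
}
```

`nginx -t` checks the syntax before a reload. The backend's own upload limits still apply, so the proxy setting is one layer rather than the only one.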