Close Apache connection with too large file uploads
I am currently working on a website where users can upload files. How can I prevent large files from being uploaded? At the time, no option (PHP's post_max_size and upload_max_filesize) has been useful: the file is uploaded entirely. I would simply like the connection to be closed with too large files (by checking the Content-Length HTTP header beforehand, and by checking while the file is being uploaded). Is there an Apache directive, or a PHP configuration key for this?
Thank you for your time!
EDIT: added Apache conf (CentOS default).
EDIT2: added PHP conf (CentOS default) as well.
EDIT3: It seems that PHP closes the pipe when given a too large file. Nevertheless, Apache still allows the transfer until it ends.
Ok.
So the main problem you are facing is that the Apache directives LimitRequestBody or LimitXMLRequestBody are applied after the completion of the upload. It seems like Apache is waiting for a complete file in a temporary folder before checking its size.
So you need to cut the connection right after the detection of too big uploads. Once upon a time mod_throttle was a module available to do that. In this "Alternative to mod_throttle" Server Fault question you can find a list of bandwidth control modules that may fit your needs.
mod_bwshare, for example, is able to limit bandwidth per client IP, but that's not a per-request, per-IP limit. There is also mod_qos, handling a lot of limitations on download things, but I can't find a lot of things for upload management (only closing early slow upload maybe). See also this answer on throttling uploads.
So you may also check for OS level limitation (on the TCP stack) or advanced firewall capabilities (ask on Server Fault).
You can also use client side limitation tools, like hidden form values or JS uploader settings, but like anything used client-side, in terms of security you cannot avoid someone altering the client-side limitations.
You can use Apache's LimitRequestBody. Syntax is simple (and in bytes):
# 10 MB
LimitRequestBody 10490000
This works in both httpd.conf and .htaccess, just be mindful to restart if you edit httpd.conf (sudo service apache2 restart on Ubuntu).
If you need to set restrictions on a per file basis (limit avatar upload to 5 MB, but limit attachments to 20 MB), you can use <Files>:
<Files avatarUpload.php>
    # 5 MB
    LimitRequestBody 5242880
</Files>
<Files attachmentUpload.php>
    # 20 MB
    LimitRequestBody 20971520
</Files>
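The two checks the question asks for (refuse on the declared Content-Length before reading the body, then count bytes while the body arrives), written as a stand-alone Python function. This is an added example, not code from the posts above or from Apache or PHP; `read_capped_body`, `UploadRejected` and the default cap are hypothetical names and values chosen for illustration.

```python
MAX_BODY = 5 * 1024 * 1024  # assumed cap: the 5 MB avatar limit used above


class UploadRejected(Exception):
    """Carries the HTTP status to send before closing the connection."""

    def __init__(self, status, reason):
        super().__init__(f"{status} {reason}")
        self.status = status


def read_capped_body(headers, stream, limit=MAX_BODY, chunk_size=64 * 1024):
    """Return the body bytes, or raise UploadRejected as early as possible.

    headers: dict with lower-cased names; stream: file-like source of the body.
    """
    declared = headers.get("content-length")
    remaining = None  # None means no declared size (e.g. chunked transfer)
    if declared is not None:
        declared = declared.strip()
        if not (declared.isascii() and declared.isdigit()):
            raise UploadRejected(400, "Bad Content-Length")
        # Check 1: refuse on the declared size before reading any body byte.
        if int(declared) > limit:
            raise UploadRejected(413, "Payload Too Large")
        remaining = int(declared)

    body = bytearray()
    while remaining is None or remaining > 0:
        # Never pull more than one byte past the cap, or past the declared size.
        want = min(chunk_size, limit + 1 - len(body))
        if remaining is not None:
            want = min(want, remaining)
        data = stream.read(want)
        if not data:
            break  # client stopped sending
        body += data
        # Check 2: running total, which catches bodies with no declared size.
        if len(body) > limit:
            raise UploadRejected(413, "Payload Too Large")
        if remaining is not None:
            remaining -= len(data)
    return bytes(body)
```

On a 413 the caller sends the status and closes the socket instead of draining the rest of the body.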