WebFaction

Hi all,

I've got a monkey-patched Bottle/WSGI application with a file upload component and I'm trying to limit the file upload sizes to 200KB. I've set Apache's LimitRequestBody to 204800 but when I upload a 10MB file Apache doesn't close the connection when the limit is exceeded. It lets the whole file enter the buffer (slowing the server down) and then returns the 413 Limit Exceeded error after the whole upload.

Does anybody have any suggestions to stop the upload as soon as the limit is reached without resorting to fudged client-side validations?

EDIT:

I've captured the headers for the request and one thing just struck me - this is being tested on https, so I'm guessing that the problem is because the whole file needs sending through before it is decrypted at the other end. Or should Apache LimitRequestBody terminate the connection whether it's https or http?

Here is the header anyway:

https://mysite.test

POST /upload/formproc HTTP/1.1
Host: mysite.test
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0 Iceweasel/36.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://mysite.test/upload
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------18124004878234993141671201319
Content-Length: 4997103
-----------------------------18124004878234993141671201319
Content-Disposition: form-data; name="category"


-----------------------------18124004878234993141671201319
Content-Disposition: form-data; name="upload"; filename="telescope.jpg"
Content-Type: image/jpeg

HTTP/1.1 413 Request Entity Too Large
Server: nginx
Date: Fri, 10 Apr 2015 11:25:21 GMT
Content-Type: text/html; charset=iso-8859-1
Transfer-Encoding: chunked
Connection: keep-alive

UPDATE:

I have tried both with SSL enabled and disabled and am still getting the same result. I've read somewhere that it's nginx that may need the limit configuration but I can't find any method of doing this with WebFaction's servers. Does anyone else have any knowledge of this?

asked 30 Mar '15, 13:36

zilog8bit
(suspended)
accept rate: 0%

edited 16 Apr '15, 13:24

Could you please edit your question to include your httpd.conf (minus any sensitive info like usernames)?

(30 Mar '15, 19:25) seanf

Sorry Sean, not had any internet connection all day today. Here is my httpd.conf for that application:

ServerRoot "/home/username/webapps/bottle_app/apache2"

LoadModule dir_module        modules/mod_dir.so
LoadModule env_module        modules/mod_env.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module       modules/mod_mime.so
LoadModule rewrite_module    modules/mod_rewrite.so
LoadModule setenvif_module   modules/mod_setenvif.so
LoadModule wsgi_module       modules/mod_wsgi.so

LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog /home/username/logs/user/access_bottle_app.log combined
DirectoryIndex index.py
DocumentRoot /home/username/webapps/bottle_app/htdocs
ErrorLog /home/username/logs/user/error_bottle_app.log
KeepAlive Off
Listen 14234
LimitRequestBody 204800
MaxSpareThreads 3
MinSpareThreads 1
ServerLimit 1
SetEnvIf X-Forwarded-SSL on HTTPS=1
ThreadsPerChild 5
WSGIDaemonProcess bottle_app processes=1 python-path=/home/username/webapps/bottle_app/lib/python2.7 threads=1
WSGIProcessGroup bottle_app
WSGIRestrictEmbedded On
WSGILazyInitialization On
WSGIApplicationGroup %{GLOBAL}
WSGIScriptAlias / /home/username/webapps/bottle_app/main.wsgi

As I say, the limit does work but it doesn't prevent the file being loaded into the buffer in Apache first which is slowing the server up.

(01 Apr '15, 16:22) zilog8bit

Is your browser sending a content-length header when you submit the upload?

(01 Apr '15, 23:19) seanf

Yes the content-length is sent in the header from the browser.

(11 Jan '16, 20:48) zilog8bit

According to this Apache mailing list post, Apache uses the actual size of the request, and not the Content-Length header, when it checks to see if a request exceeds LimitRequestBody. That means it's always going to upload the file first.

According to this post, you might be able to work around that by using mod_security and SecRequestBodyLimit.


answered 12 Jan '16, 01:15

seanf
12.2k42136
accept rate: 37%
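
Added example, not part of the original thread or of anyone's posted code: a WSGI middleware that enforces the 204800-byte limit inside the application, rejecting on the declared Content-Length before any of the body is read and capping the bytes actually read when the header is missing or understated. The names `limit_body`, `CappedInput` and `BodyTooLarge` are hypothetical, and the code assumes the wrapped application lets the exception propagate.

```python
import sys

MAX_BODY = 204800  # constructed to match the LimitRequestBody value on the page


class BodyTooLarge(Exception):
    """More body bytes arrived than the limit allows."""


class CappedInput:
    """Wrap wsgi.input; raise once more than `limit` bytes have been read."""

    def __init__(self, stream, limit):
        self.stream, self.remaining = stream, limit

    def _take(self, reader, size):
        cap = self.remaining + 1  # one extra byte makes an overrun visible
        want = cap if size is None or size < 0 else min(size, cap)
        data = reader(want)
        if len(data) > self.remaining:
            raise BodyTooLarge()
        self.remaining -= len(data)
        return data

    def read(self, size=-1):
        return self._take(self.stream.read, size)

    def readline(self, size=-1):
        return self._take(self.stream.readline, size)


def limit_body(app, limit=MAX_BODY):
    """WSGI middleware: reject on declared size first, then cap actual reads."""
    too_large = ("413 Request Entity Too Large", [("Content-Type", "text/plain")])

    def middleware(environ, start_response):
        try:
            declared = int(environ.get("CONTENT_LENGTH") or 0)
        except ValueError:
            declared = limit + 1  # unparseable header: treat as over the limit
        if declared > limit:
            start_response(*too_large)  # wsgi.input is never touched
            return [b"upload too large\n"]
        environ["wsgi.input"] = CappedInput(environ["wsgi.input"], limit)
        try:
            # Assumes the wrapped app lets BodyTooLarge propagate to here.
            return app(environ, start_response)
        except BodyTooLarge:
            start_response(*too_large, sys.exc_info())
            return [b"upload too large\n"]

    return middleware
```

A front-end proxy that buffers request bodies before forwarding them still receives the whole upload; this middleware only bounds what the WSGI application itself reads.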

question asked: 30 Mar '15, 13:36

question was seen: 6,018 times

last updated: 12 Jan '16, 01:15
