 

Close Apache connection with too large file uploads

I am currently working on a website where users can upload files. How can I prevent large files from being uploaded? At the time, no option (PHP's post_max_size and upload_max_filesize) has been useful: the file is uploaded entirely. I would simply like the connection to be closed with too large files (by checking the Content-Length HTTP header beforehand, and by checking while the file is being uploaded). Is there an Apache directive, or a PHP configuration key for this?

Thank you for your time!

EDIT: added Apache conf (CentOS default).
EDIT2: added PHP conf (CentOS default) as well.

EDIT3: It seems that PHP closes the pipe when given a file that is too large. Nevertheless, Apache still allows the transfer until it ends.

Iso asked Aug 01 '12 07:08



2 Answers

Ok.

So the main problem you are facing is that the Apache directives LimitRequestBody or LimitXMLRequestBody are applied after the completion of the upload. It seems like Apache is waiting for a complete file in a temporary folder before checking its size.

So you need to cut down the connection right after the detection of too big uploads. Once upon a time mod_throttle was a module available to do that. Checking this "Alternative to mod_throttle" Server Fault question, you can have a list of bandwidth control modules that may fit your needs.

mod_bwshare, for example, is able to limit bandwidth per client IP, but that's not a per-request, per-IP limit. There is also mod_qos, handling a lot of limitations on download things, but I can't find a lot of things for upload management (only closing slow uploads early, maybe). See also this answer on throttling uploads.

So you may also check for OS-level limitations (on the TCP stack) or advanced firewall capabilities (ask on Server Fault).

You can also use client-side limitation tools, like hidden form values or JS uploader settings, but like anything used client-side, in terms of security you cannot avoid someone altering the client-side limitations.

regilero answered Nov 14 '22 23:11


You can use Apache's LimitRequestBody. Syntax is simple (and in bytes):

# 10 MB
LimitRequestBody 10490000

This works in both httpd.conf and .htaccess, just be mindful to restart if you edit httpd.conf (sudo service apache2 restart on Ubuntu).

If you need to set restrictions on a per file basis (limit avatar upload to 5 MB, but limit attachments to 20 MB), you can use <Files>:

<Files avatarUpload.php>
    # 5 MB
    LimitRequestBody 5242880
</Files>

<Files attachmentUpload.php>
    # 20 MB
    LimitRequestBody 20971520
</Files>
Bailey Parker answered Nov 14 '22 22:11
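
The two checks the question asks for (refuse on the declared Content-Length, then count bytes while the body is still arriving) are sketched below as an added example that is not from the original thread. It is plain Python over a file-like stream, not Apache or PHP code; `read_capped_body`, `UploadTooLarge` and the lower-cased header dict are hypothetical names, and chunked-transfer decoding is left out.

```python
import io


class UploadTooLarge(Exception):
    """Raised as soon as a request body is known to exceed the cap."""


def read_capped_body(headers, stream, limit, chunk_size=8192):
    """Return the body bytes, or raise UploadTooLarge without reading on.

    headers: dict with lower-cased header names (assumed shape)
    stream:  file-like object positioned at the first body byte
    limit:   maximum accepted body size in bytes
    """
    declared = headers.get("content-length")
    if declared is not None:
        if not (declared.isascii() and declared.isdigit()):
            raise ValueError("malformed Content-Length")
        declared = int(declared)
        # Check 1: refuse before a single body byte is read.
        if declared > limit:
            raise UploadTooLarge(f"declared {declared} bytes, limit {limit}")

    remaining = declared  # None: length unknown (e.g. chunked transfer)
    received = 0
    parts = []
    while remaining is None or remaining > 0:
        want = chunk_size if remaining is None else min(chunk_size, remaining)
        chunk = stream.read(want)
        if not chunk:
            break
        received += len(chunk)
        # Check 2: enforce the cap while the upload is still in flight,
        # which is what catches bodies sent without a declared length.
        if received > limit:
            raise UploadTooLarge(f"received {received} bytes, limit {limit}")
        parts.append(chunk)
        if remaining is not None:
            remaining -= len(chunk)
    return b"".join(parts)


if __name__ == "__main__":
    # Constructed sample: a 5000-byte body against a 1000-byte cap.
    body = io.BytesIO(b"x" * 5000)
    try:
        read_capped_body({}, body, limit=1000, chunk_size=256)
    except UploadTooLarge as exc:
        print("aborted:", exc, "- bytes consumed:", body.tell())
```

The caller is expected to answer with 413 and close the socket when `UploadTooLarge` is raised, so the rest of the body is never transferred.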