How to limit file upload size on NGINX to mitigate DoS attacks
If you have an NGINX site that must allow users to upload files, try this configuration to help prevent possible Denial-of-Service attacks.
Out of the box, NGINX sets a limit of 1MB for file uploads. For some platforms, that might be far too low, especially for sites that allow users to upload items like images and video. However, if you open the floodgates too wide, you run the risk of ne’er-do-wells hitting you with Denial-of-Service (DoS) attacks. You certainly don’t want that.
But what can you do when you need to allow users to upload more than a single MB to your NGINX site? You control it with the client_max_body_size directive. Let me show you how.
What you’ll need
In order to make this work, you’ll need NGINX installed and configured to run your website. You’ll also need a user with sudo privileges. I’ll be demonstrating on Ubuntu Server 18.04, but this process should work on any platform that supports NGINX. With those at the ready, let’s configure.
How to configure nginx.conf
The first thing we’re going to do is change the upload limit to 100MB in the nginx.conf file. Open the file with the command:
sudo nano /etc/nginx/nginx.conf
Look for the http section and add the following line (Figure A):
Save and close the file.
Next, open the config file for your website. If you’re using the default, you would open that file with the command:
sudo nano /etc/nginx/sites-available/default
In that file, look for the server section and add the same line as you did in the nginx.conf file (Figure B).
In that same file, locate the location section you’ve configured for site uploads and add the same line (Figure C).
Of course, your uploads location block will probably be a bit more complex than the basic one I’ve illustrated, but you get the point.
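The figures with the line to add are not reproduced on this page, so here is an added example (not the article's own listing) of client_max_body_size set to 100M in the three places described above. The listen and server_name values and the /uploads location path are assumptions; substitute your own.

```nginx
# --- /etc/nginx/nginx.conf (excerpt) ---
http {
    # Raise the request-body limit from the 1 MB default to 100 MB.
    # A request whose body exceeds this is rejected with
    # 413 Request Entity Too Large.
    client_max_body_size 100M;

    # On Ubuntu, the site files below are pulled into the http block here.
    include /etc/nginx/sites-enabled/*;
}

# --- /etc/nginx/sites-available/default (excerpt) ---
server {
    listen 80 default_server;   # assumed values for illustration
    server_name _;

    # Same limit at the server level.
    client_max_body_size 100M;

    # Hypothetical upload endpoint; use the location your site
    # actually serves uploads from.
    location /uploads {
        # Same limit at the location level. The directive is inherited
        # from the enclosing block, and the innermost value is the one
        # that applies to requests matching this location.
        client_max_body_size 100M;
    }
}
```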
Save and close the file.
Run the NGINX configuration test with the command:
sudo nginx -t
You shouldn’t see any errors. Restart NGINX with the command:
sudo systemctl restart nginx
At this point, if anyone attempts to upload a file larger than 100 MB, they’ll receive a 413 error (Request Entity Too Large). Your NGINX server is now a tiny bit safer from DoS attacks, while still allowing your users to upload files. No, this isn’t a be-all and end-all preventive measure for DoS attacks, but these days anything you can do to stave off the ne’er-do-wells is a step in the right direction.