How `request_body` + `handle`'d subdomains works?

xnaas · August 9, 2023, 2:44am

I’m wondering how request_body works, so I can understand how it might work in the below scenario.

Let’s say I have a Caddyfile that is kind of like this:

(limit_remote_body_size) {
    @remote not remote_ip private_ranges
    request_body @remote {
        max_size 100MB
    }
}

https://example.com {
    import limit_remote_body_size
    [...]
}

https://*.example.com {
    import limit_remote_body_size
    @sub1 host sub1.example.com
    @sub2 host sub2.example.com
    handle @sub1 {
        reverse_proxy :1234
    }
    handle @sub2 {
        reverse_proxy :4321
    }
}

My question is: does that request_body apply to the handles in the above scenario?

Or would I only be limiting the request_body for requests to https://example.com? Do I need to import limit_remote_body_size into every handle/reverse_proxy to actually limit the remote body size for all of the subdomains?

Thanks.

xnaas · August 9, 2023, 2:50am

While this wouldn’t help my specific scenario: I think, perhaps a max_body_size|max_request_size|max_request_body_size option in the servers global (like max_header_size) would be beneficial in general? There’s lots of valid reasons to not want people to just try and POST/PUT a 100GB request or something.

matt · August 9, 2023, 3:22am

Yes (for non-private IPs of course, due to the matcher), because request_body comes before handle.

No, because you import it on both sites, it is as if it was literally copy-pasted into both site blocks.

No, in fact it won’t work as a subdirective, because it is a directive not a subdirective. What you have should work.

You can try it to be sure!

(Maybe for 2.8 we’ll release some config-verification features.)

xnaas · August 9, 2023, 3:48am

Directive order. Right. Darn it. Should’ve remembered to reference that! Thanks.

system · September 8, 2023, 3:49am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.