mirror of
https://github.com/containous/traefik.git
synced 2025-11-22 00:23:55 +03:00
Add warning when maxBodySize is not set
@@ -62,7 +62,7 @@ spec:
| <a id="authRequestHeaders" href="#authRequestHeaders" title="#authRequestHeaders">`authRequestHeaders`</a> | List of the headers to copy from the request to the authentication server. <br /> It allows filtering headers that should not be passed to the authentication server. <br /> If not set or empty, then all request headers are passed. | [] | No |
| <a id="addAuthCookiesToResponse" href="#addAuthCookiesToResponse" title="#addAuthCookiesToResponse">`addAuthCookiesToResponse`</a> | List of cookies to copy from the authentication server to the response, replacing any existing conflicting cookie from the forwarded response.<br /> Please note that all backend cookies matching the configured list will not be added to the response. | [] | No |
| <a id="forwardBody" href="#forwardBody" title="#forwardBody">`forwardBody`</a> | Sets the `forwardBody` option to `true` to send the Body. As body is read inside Traefik before forwarding, this breaks streaming. | false | No |
| <a id="maxBodySize" href="#maxBodySize" title="#maxBodySize">`maxBodySize`</a> | Set the `maxBodySize` to limit the body size in bytes. If body is bigger than this, it returns a 401 (unauthorized). | -1 | No |
| <a id="maxBodySize" href="#maxBodySize" title="#maxBodySize">`maxBodySize`</a> | Set the `maxBodySize` to limit the body size in bytes. If body is bigger than this, it returns a 401 (unauthorized). If left unset, the request body size is unrestricted which can have performance or security implications. < br/>More information [here](#maxbodysize).| -1 | No |
| <a id="headerField" href="#headerField" title="#headerField">`headerField`</a> | Defines a header field to store the authenticated user. | "" | No |
| <a id="preserveLocationHeader" href="#preserveLocationHeader" title="#preserveLocationHeader">`preserveLocationHeader`</a> | Defines whether to forward the Location header to the client as is or prefix it with the domain name of the authentication server. | false | No |
| <a id="PreserveRequestMethod" href="#PreserveRequestMethod" title="#PreserveRequestMethod">`PreserveRequestMethod`</a> | Defines whether to preserve the original request method while forwarding the request to the authentication server. | false | No |
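Review bot: the replacement `maxBodySize` row writes its line break as `< br/>`, which is not a valid tag and will render as literal text inside the table cell; use `<br />` as the neighbouring rows (`authRequestHeaders`, `addAuthCookiesToResponse`) do. The same row ends the description cell with `[here](#maxbodysize).| -1`, dropping the space before the cell separator that every other row uses; worth aligning so the table source stays consistent.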
@@ -81,6 +81,40 @@ The start of string (`^`) and end of string (`$`) anchors should be used to ensu
Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
### maxBodySize
The `maxBodySize` option controls the maximum size of request bodies that will be forwarded to the authentication server.
**⚠️ Important Security Consideration**
By default, `maxBodySize` is not set (value: -1), which means request body size is unlimited. This can have significant security and performance implications:
- **Security Risk**: Attackers can send extremely large request bodies, potentially causing DoS attacks or memory exhaustion
- **Performance Impact**: Large request bodies consume memory and processing resources, affecting overall system performance
- **Resource Consumption**: Unlimited body size can lead to unexpected resource usage patterns
**Recommended Configuration**
It is strongly recommended to set an appropriate `maxBodySize` value for your use case:
```yaml
# For most web applications (1MB limit)
maxBodySize: 1048576 # 1MB in bytes
# For API endpoints expecting larger payloads (10MB limit)
maxBodySize: 10485760 # 10MB in bytes
# For file upload authentication (100MB limit)
maxBodySize: 104857600 # 100MB in bytes
```
**Guidelines for Setting maxBodySize**
- **Web Forms**: 1-5MB is typically sufficient for most form submissions
- **API Endpoints**: Consider your largest expected JSON/XML payload + buffer
- **File Uploads**: Set based on your maximum expected file size
- **High-Traffic Services**: Use smaller limits to prevent resource exhaustion
## Forward-Request Headers
The following request properties are provided to the forward-auth target endpoint as `X-Forwarded-` headers.
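Review bot: the new `### maxBodySize` section never states that the limit only matters when `forwardBody` is `true`; according to the option table in the first hunk, the request body is not sent to the authentication server at all unless `forwardBody` is set, so a reader who copies the "Recommended Configuration" block alone sets a limit that has no effect. Suggest adding one sentence to that effect and showing the example under a complete `forwardAuth` middleware that includes `forwardBody: true`. Separately, the YAML block repeats the `maxBodySize:` key three times in one document (`maxBodySize: 1048576`, `maxBodySize: 10485760`, `maxBodySize: 104857600`), which is a duplicate-key error if pasted as-is; present them as three separate snippets, or keep one active and comment out the others.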