Limiting File Uploads
Limiting the maximum size for file uploads can be desirable for a few reasons, e.g. to prevent a single record from filling up the entire disk space, and to make it more difficult for malicious users to upload a lot of data.
Invenio-Files-REST provides some configuration values that are relevant for limiting file uploads.
The most relevant ones are FILES_REST_DEFAULT_MAX_FILE_SIZE, which limits the maximum size for each uploaded file (in bytes), and FILES_REST_DEFAULT_QUOTA_SIZE, which limits the maximum overall size of all files uploaded per record (also in bytes).
For instance, consider the case that the maximum file size is set to 10GiB, and the default quota is set to 30GiB. Then, the user can upload several files with a maximum size of 10GiB each. The user could upload 3 files with 10GiB each, or several smaller ones, or anything in between. However, the total size of all files deposited with a single record cannot exceed 30GiB.
Note that the Flask configuration option MAX_CONTENT_LENGTH is only applied for multi-part form uploads (e.g. community logos), but not for the files deposited with records.
While the configuration mentioned above would already prevent the backend from accepting files that are too large, an additional layer of defense can be added by configuring nginx to reject client requests above a certain size.
This can be achieved by setting the client_max_body_size for the REST API file content endpoint (location ~ /api/records/.+/draft/files/.+/content) to a desired value, e.g.
The relevant file for this configuration on a default cookiecutter installation is
Mind the multi-byte units!
nginx configuration uses binary units (KiB, MiB, GiB, ...) rather than decimal units (kB, MB, GB, ...), i.e. 1024K rather than
Given the example above, this means that 75G would be equivalent to 75 * 1024^3 (=
This should be carefully considered while creating the configuration in all the various spots!
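One way to check that the byte values in invenio.cfg and the nginx size value agree is sketched below. This is an added example, not code from Invenio or nginx: the helper names nginx_size_to_bytes and check_limits are hypothetical, the limits follow the 10GiB / 30GiB case above, and it assumes the request body of the file content endpoint is the file itself.

```python
import re

GiB = 1024 ** 3

# invenio.cfg takes plain byte counts (values follow the 10GiB / 30GiB case above).
FILES_REST_DEFAULT_MAX_FILE_SIZE = 10 * GiB
FILES_REST_DEFAULT_QUOTA_SIZE = 30 * GiB

# nginx size suffixes are powers of 1024; a bare number is bytes.
_NGINX_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def nginx_size_to_bytes(value):
    """Convert an nginx size such as '10g' or '512M' to a byte count."""
    match = re.fullmatch(r"(\d+)([kKmMgG]?)", value.strip())
    if not match:
        raise ValueError(f"not a valid nginx size: {value!r}")
    return int(match.group(1)) * _NGINX_UNITS[match.group(2).lower()]


def check_limits(nginx_value, max_file_size, quota_size):
    """Return findings as strings; an empty list means the layers agree."""
    findings = []
    limit = nginx_size_to_bytes(nginx_value)
    if max_file_size > quota_size:
        findings.append("max file size exceeds the per-record quota")
    if limit == 0:
        # A value of 0 turns the nginx request body size check off.
        findings.append("nginx body size check is disabled (0)")
    elif limit < max_file_size:
        findings.append(
            f"nginx rejects uploads the backend would accept "
            f"({limit} < {max_file_size})"
        )
    elif limit > max_file_size:
        findings.append(
            f"nginx passes {limit - max_file_size} bytes more than the backend allows"
        )
    return findings


if __name__ == "__main__":
    # Constructed case: backend limits computed in decimal GB, nginx set to '10g'.
    for finding in check_limits("10g", 10 * 1000 ** 3, 30 * 1000 ** 3):
        print("finding:", finding)
    # Limits computed in binary units line up with the nginx value.
    print(check_limits("10g", FILES_REST_DEFAULT_MAX_FILE_SIZE,
                       FILES_REST_DEFAULT_QUOTA_SIZE) or "limits agree")
```
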