Forum

MaxUploadSize suddenly active

dustball
20 June 2016, 20:55
I've set up owncloud and am using it for a few weeks now, and everything worked perfectly fine, up until about today. I've never set MaxUploadSize and could upload files of any size to my heart's content. However, today I noticed the server starts to ban me left and right whenever I upload a file with a size bigger than 1 MB, no matter if it's via the webinterface or the webdav. I now have set MaxUploadSize = 1024 (which should let me upload a gigabyte) in both the port 80 as well as the port 443 binding, but even after a restart of hiawatha and php-fpm, it bans me again when I try to upload a 6mb file.

I'm at a loss. While I did upgrade hiawatha from 10.2 to 10.3 recently, and rebooted inbetween, I could still upload afterwards. The only real thing that did change was that I rebooted the server on the weekend, and it couldn't get an IPv4. After a reboot via the management console (it's a VPS on QEMU-KVM) it got the IPs back.

What am I missing?
dustball
21 June 2016, 07:23
I did some more testing, it seems to block and ban at exactly 2 MB. But from what I can see, neither the defaults nor the configs have anything with a 2MB limit. There's also no .hiawatha file in any of the directories that could overwrite the settings.


# Hiawatha main configuration file
#

# VARIABLES
# With 'set', you can declare a variable. Make sure the name of the
# variable doesn't conflict with any of the configuration options.
# The variables are case-sensitive and cannot be redeclared.
#
#set LOCALHOST = 127.0.0.0/8


# GENERAL SETTINGS
#
ServerId = http
ConnectionsTotal = 1000
ConnectionsPerIP = 25
SystemLogfile = /var/log/hiawatha/system.log
GarbageLogfile = /var/log/hiawatha/garbage.log


# BINDING SETTINGS
# A binding is where a client can connect to.
#
Binding {
Port = 80
Interface = <IP>
MaxUploadSize = 1024
}
#
Binding {
Port = 443
TLScertFile = <SSL-Cert>
Interface = <IP>
MaxRequestSize = 2048
TimeForRequest = 30
MaxUploadSize = 1024
}


# BANNING SETTINGS
# Deny service to clients who misbehave.
#
BanOnGarbage = 300
BanOnMaxPerIP = 60
BanOnMaxReqSize = 300
KickOnBan = yes
RebanDuringBan = yes

# COMMON GATEWAY INTERFACE (CGI) SETTINGS
# These settings can be used to run CGI applications.
#
CGIhandler = /usr/bin/perl:pl
#CGIhandler = /usr/bin/php-cgi:php
#CGIhandler = /usr/bin/python:py
#CGIhandler = /usr/bin/ruby:rb
#CGIhandler = /usr/bin/ssi-cgi:shtml
#CGIextension = cgi
#TriggerOnCGIstatus = no
#
FastCGIserver {
FastCGIid = PHP7
ConnectTo = /run/php-fpm/php-fpm.sock
Extension = php
SessionTimeout = 30
}


UrlToolkit {
ToolkitID = wordpress
RequestURI exists Return
Match [^?]*(\?.*)? Rewrite /index.php$1
}

UrlToolkit {
ToolkitID = subdomains
}

# URL TOOLKIT
# This URL toolkit rule was made for the Banshee PHP framework,
# which can be downloaded from http:/www.banshee-php.org/
#
#UrlToolkit {
# ToolkitID = banshee
# RequestURI isfile Return
# Match ^/(css|files|fonts|images|js)($|/) Return
# Match ^/(favicon.ico|robots.txt)$ Return
# Match [^?]*(\?.*)? Rewrite /index.php$1
#}


# DIRECTORY SETTINGS
# You can specify some settings per directory.
#
#Directory {
# DirectoryID = static
# Path = /css, /fonts, /images, /js
# ExpirePeriod = 2 weeks
#}
#
#Directory {
# DirectoryID = files
# Path = /files
# ShowIndex = yes
# StartFile = index.html
# ExecuteCGI = no
#}


# DEFAULT WEBSITE
# It is wise to use your IP address as the hostname of the default website
# and give it a blank webpage. By doing so, automated webscanners won't find
# your possible vulnerable website.
#
Hostname = <IP>
WebsiteRoot = /srv/http/hiawatha
StartFile = index.php
AccessLogfile = /var/log/hiawatha/access.log
ErrorLogfile = /var/log/hiawatha/error.log
UseFastCGI=PHP7

include enabled/


VHost:
VirtualHost {
Hostname = <hostname>
WebsiteRoot = <root>
StartFile = index.php
RequireTLS = yes
AccessLogfile = /var/log/hiawatha/hostname.access.log
ErrorLogfile = /var/log/hiawatha/hostname.error.log
TimeForCGI = 86400
UseFastCGI = PHP7
Alias = /oc:/usr/share/webapps/owncloud
EnablePathInfo = yes
FollowSymlinks = yes
AllowDotFiles = yes
WebDAVapp = yes
UseToolkit = subdomains
}
Hugo Leisink
21 June 2016, 07:36
Could it be in the PHP configuration? Perhaps the upload_max_filesize setting?
dustball
21 June 2016, 16:58
No, there's php-fpm running in the background and whenever I restart hiawatha, it works again (php-fpm runs untouched). Also, I doubt I'd see the following in system.log if it was php-related:

<my IP>|Tue 21 Jun 2016 07:10:21 +0200|Maximum request size reached
<my IP>|Tue 21 Jun 2016 07:10:21 +0200|Client banned because of sending a too large request
Hugo Leisink
21 June 2016, 21:32
Could it be those requests where sent via HTTP instead of HTTPS? Try adding the MaxRequestSize setting to the port 80 binding.
dustball
21 June 2016, 21:54
Increasing the MaxRequestSize on HTTPS alone works, the previous limit was 2 MB. So apparently this is an OwnCloud problem. I'm still puzzled as to why it magically worked before though.

Thank you
This topic has been closed.