From 002f8de3ec9ac10d01ad60bb7e6fb4d27d5d0fb1 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Wed, 19 Nov 2025 10:02:33 +0100
Subject: [PATCH] feat(proxy): add configurable client_max_body_size for HTML and upload locations

This commit introduces a unified mechanism to configure client_max_body_size for both HTML and upload locations in the sys-svc-proxy role. The directive is now injected early in html.conf.j2 and moved to a dedicated block in upload.conf.j2 to ensure consistent behavior for large file uploads such as OpenProject attachments.
Additionally:
- Added client_max_body_size variable override from web-app-openproject (set to 30m).
- Reordered header includes to avoid duplicate injection.
- Improved comments and structure for better clarity.
Reference: https://chatgpt.com/share/691d873e-9b50-800f-ae70-baf8bf1e5454
---
 .../sys-svc-proxy/templates/location/html.conf.j2 | 15 +++++++++------
 .../templates/location/upload.conf.j2 | 6 +++++-
 roles/web-app-openproject/tasks/main.yml | 2 ++
 3 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/roles/sys-svc-proxy/templates/location/html.conf.j2 b/roles/sys-svc-proxy/templates/location/html.conf.j2
index b45470d7..6ecf8482 100644
--- a/roles/sys-svc-proxy/templates/location/html.conf.j2
+++ b/roles/sys-svc-proxy/templates/location/html.conf.j2
@@ -5,10 +5,17 @@ location {{location}} {% include 'roles/web-app-oauth2-proxy/templates/following_directives.conf.j2'%} {% endif %} + {% include 'roles/sys-svc-proxy/templates/headers/content_security_policy.conf.j2' %} + + {% include 'roles/sys-svc-proxy/templates/headers/access_control_allow.conf.j2' %} + + # Client Limits for HTML + client_max_body_size {{ client_max_body_size | default('100m') }}; + {% set _loc = location|trim %} proxy_pass http://127.0.0.1:{{ http_port }}{{ (_loc|regex_replace('^(?:=|\\^~)\\s*','')) if not (_loc is match('^(@|~)')) else '' }}; - # headers + # Proxyconfiguration for Upload proxy_set_header Host $host; proxy_set_header Authorization $http_authorization; proxy_set_header X-Real-IP $remote_addr; @@ -18,16 +25,12 @@ location {{location}} proxy_set_header X-Forwarded-Ssl on; proxy_pass_request_headers on; - {% include 'roles/sys-svc-proxy/templates/headers/content_security_policy.conf.j2' %} - - {% include 'roles/sys-svc-proxy/templates/headers/access_control_allow.conf.j2' %} - # WebSocket specific header proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; - # timeouts + # Timeouts proxy_connect_timeout 5s; proxy_send_timeout 900s; proxy_read_timeout 900s; diff --git a/roles/sys-svc-proxy/templates/location/upload.conf.j2 b/roles/sys-svc-proxy/templates/location/upload.conf.j2 index c4611b28..8deeb182 100644 --- a/roles/sys-svc-proxy/templates/location/upload.conf.j2 +++ b/roles/sys-svc-proxy/templates/location/upload.conf.j2 
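Review bot: The added `client_max_body_size {{ client_max_body_size | default('100m') }};` gives every HTML location a 100m request-body ceiling whenever the including role sets nothing, well above nginx's built-in 1m default (assuming no stricter server- or http-level value exists elsewhere, which this patch does not show). Together with the 900s send/read timeouts in the second hunk of this file, that is a generous allowance for oversized or slow request bodies on pages that normally receive small form posts. I would keep the fallback small and let roles opt in as web-app-openproject does, e.g. `client_max_body_size {{ client_max_body_size | default('1m') }};`, and since upload.conf.j2 reads the same variable, a separate variable for the HTML location would stop an upload-sized limit from carrying over to it. The replaced comment now reads `# Proxyconfiguration for Upload` inside the HTML template; `# Proxy headers` would match the lines that follow. The location block opens before this hunk and closes after it.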
@@ -1,13 +1,17 @@
 location {{ location_upload }} {
+
+ # Proxyconfiguration for Upload
 proxy_pass http://127.0.0.1:{{ http_port }};
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
- client_max_body_size {{ client_max_body_size }};
 proxy_buffering off;
 proxy_request_buffering off;
 proxy_read_timeout 120s;
 proxy_connect_timeout 120s;
 proxy_send_timeout 120s;
+
+ # Client Limits for Upload
+ client_max_body_size {{ client_max_body_size }};
 }
\ No newline at end of file
diff --git a/roles/web-app-openproject/tasks/main.yml b/roles/web-app-openproject/tasks/main.yml
index 2c4b25ed..c2137aa0 100644
--- a/roles/web-app-openproject/tasks/main.yml
+++ b/roles/web-app-openproject/tasks/main.yml
@@ -2,6 +2,8 @@ - name: "load docker, db and proxy for {{ application_id }}" include_role: name: sys-stk-full-stateful + vars: + client_max_body_size: "30m" - name: "Create {{ OPENPROJECT_PLUGINS_FOLDER }}" file:
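Review bot: The moved `client_max_body_size {{ client_max_body_size }};` at the end of the upload location still has no fallback, while html.conf.j2 in this same commit uses `default('100m')`, so the two templates now behave differently when the variable is missing. If the variable is not defined in role defaults outside this patch, rendering presumably fails on the undefined name; failing closed is a reasonable choice for an upload limit, but it should be explicit, e.g. `client_max_body_size {{ client_max_body_size | mandatory }};`. Because this location sets `proxy_request_buffering off`, the body is streamed straight to the backend, so this directive is the only size cap visible in the block and deserves a one-line comment saying so.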
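Review bot: The `client_max_body_size: "30m"` override under `vars:` carries no explanation of where 30m comes from, and the value has to stay in step with the attachment size limit configured in OpenProject itself, which is not part of this patch. A comment above it such as `# keep in sync with OpenProject's maximum attachment size` would keep the two from drifting apart. The same variable feeds both html.conf.j2 and upload.conf.j2, so this value also becomes the limit on the HTML location. The task list continues past the end of the hunk.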