3

The documentation of the Azure Web Application Firewall (WAF) lists the following limits:

  • The maximum request body size field is specified in KBs and controls overall request size limit excluding any file uploads. This field can range from 1-KB minimum to 128-KB maximum value. The default value for request body size is 128 KB.
  • The file upload limit field is specified in MB and it governs the maximum allowed file upload size. This field can have a minimum value of 1 MB and a maximum of 500 MB for Large SKU instances while Medium SKU has a maximum of 100 MB. The default value for file upload limit is 100 MB.

However, we are unable to upload files that are larger than 128 KB. Even when we change the WAF to Large SKU.

When sending an HTTP POST request with content-type multipart/form-data and a file of 2 MB, the request is rejected with error 413 Request Entity Too Large.

We used the following HTML form to upload files:

<form action="/upload" method="post" enctype="multipart/form-data">
  <div>
    <label for="image_uploads">Choose images to upload (PNG, JPG)</label>
    <input type="file" id="image_uploads" name="image_uploads" multiple>
  </div>
  <div class="preview">
    <p>No files currently selected for upload x</p>
  </div>
  <div>
    <button>Submit</button>
  </div>
</form>

With which method should we upload files so that the maximum file size will become 500 MB instead of 128 KB?

Rahatur
  • 3,147
  • 3
  • 33
  • 49
Alexander van Trijffel
  • 2,916
  • 1
  • 29
  • 31

2 Answers2

0

After several conversations with Microsoft we found that the WAF considers only file attachments if they are sent using multipart/form-data

Multipart example

If you send it this way the WAF will understand it is a file and thus will apply the limits configured for files instead than for bodies.

There is no other way to send files supported by the WAF for now.

Ignacio Soler Garcia
  • 21,122
  • 31
  • 128
  • 207
0

In addition to Ignacio Soler's response, if the application's frontend uses a nginx to serve static files and uses a "proxy_pass" to access a restricted backend API, then you need to increase "client_max_body_size" configuration inside location used.

enter image description here

Daniel Weil
  • 1
  • Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Jul 18 '23 at 09:39