Search code examples
c#asp.net-coreiisazure-web-app-serviceasp.net-core-2.2

ASP.NET Core 2.2 Upgrade - IIS: limit request content length

We used to run our services on ASP.NET Core 1.1 until now. We just upgraded to ASP.NET Core 2.2, which went pretty smooth.

However, we are hosting on Azure App Service on Windows, which in turn seems to run IIS.

Now we have a custom section in the web.config to limit the max content length so when users upload files they know before actually uploading to the limit if their upload will fail:

<?xml version="1.0" encoding="utf-8"?>
<configuration>    
    <location path="api/0.1/files">
        <system.web>
            <httpRuntime maxRequestLength="409600" executionTimeout="3600"/>
        </system.web>

        <system.webServer>
            <security>
                <requestFiltering>

                    <requestLimits maxAllowedContentLength="419430400" />
                </requestFiltering>
            </security>
        </system.webServer>
    </location>

  <location path="." inheritInChildApplications="false">
    <system.webServer>
      <handlers>
        <add name="aspNetCore"
             path="*"
             verb="*"
             modules="AspNetCoreModule"
             resourceType="Unspecified"/>
      </handlers>
      <aspNetCore processPath="dotnet"
                  arguments=".\webapp.dll"
                  stdoutLogEnabled="false"
                  stdoutLogFile="\\?\%home%\LogFiles\stdout"
                  hostingModel="OutOfProcess"
                  forwardWindowsAuthToken="false"/>
    </system.webServer>
  </location>

</configuration>

Now, calling the route api/0.1/files (and of course all routes "beneath" files) will yield a 404 not found result with the following error message:

The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.

The only fix to this I could find, was to globally limit the content length:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <location path="." inheritInChildApplications="false">
    <system.webServer>
      <handlers>
        <add name="aspNetCore"
             path="*"
             verb="*"
             modules="AspNetCoreModule"
             resourceType="Unspecified"/>
      </handlers>
      <aspNetCore processPath="dotnet"
                  arguments=".\webapp.dll"
                  stdoutLogEnabled="false"
                  stdoutLogFile="\\?\%home%\LogFiles\stdout"
                  hostingModel="OutOfProcess"
                  forwardWindowsAuthToken="false"/>

      <security>
        <requestFiltering>
          <!--400 MByte-->
          <requestLimits maxAllowedContentLength="419430400" />
        </requestFiltering>
      </security>
    </system.webServer>
  </location>

</configuration>

What would be the correct way to set the limit per a specific route?

Solution

  • It is possible to use location to set limit for specific route.

    Also, if you want to change the max request body size limit for a specific MVC action or controller, you can use the RequestSizeLimit attribute. 

    // GET api/values/5
[HttpGet("{id}")]
[RequestSizeLimit(40000000)]
public ActionResult<string> Get(int id)
{
    return "value";
}

    It sets the maximum allowed request length for this action method. You can apply this attribute at action level or controller level. This is the recommended approach to increase the limit in an ASP.NET Core MVC app.