reverse_proxy: problems with fastcgi requests with unknown body length

[WeidiDeng]

Right now, caddy has problems handling fastcgi requests when the client sends a body with unknown body length, for http1.1 it's usually chunked encoded body. Users have to buffer the request manually and the buffer doesn't work right now because Content-length is not set in this case, and it will leads to some easy attacks.

Here, an attacker doesn't need to do much to block all processes spawned by php-fpm.

Caddy should handle this type of requests with a sane default just like nginx does, i.e. buffer requests with unknown body length in this case, and reject requests whose body is too large to buffer.

[WeidiDeng]

With 6638, that specific issue should be gone. However, for request bodies larger than whatever is defined will still cause problems, unless -1 is defined which means all the request body is buffered in memory, which can be used in attacks as well.

I checked nginx configurations, request and response buffering is on by default. But let's just buffer those requests with unknown content length for now.

[WeidiDeng]

Done, it's now available in this patch. Though the maximum request body size can't be limited there, it's available in request_body. Set that if some clients send some arbitrary large body to mount a ddos attack.