Netgate Discussion Forum

    Can't post files larger than 24 kBytes via forms using NAT port forwarding

      garpenholm

      I have made a simple test page where I can post files using a standard HTML form:

      <form name="AttachmentForm" id="AttachmentForm" enctype="multipart/form-data" method="post" 
            format="HTML" action="upload.cfm">
            <input type="file" name="uploadimage" id="uploadimage" value="">
            <input type="submit" value="Upload Image" name="submit">
      </form>
      

      It's posting to a just as simple Lucee CFML script (just for testing):

      <cfset savedUploadsPath = "/opt/lucee/tomcat/webapps/ROOT/files">
      <cfif Not DirectoryExists( savedUploadsPath )>
          <cfset DirectoryCreate( savedUploadsPath )>
      </cfif>
      <cfif structKeyExists(form,"uploadimage")>
            <cffile action="upload" nameconflict="overwrite" filefield="form.uploadimage" 
                    destination="#savedUploadsPath#" result="fileresult">
      <cfelse>
          No struct exists<BR>
      </cfif>
      <cfif isDefined("form.uploadimage") AND form.uploadimage NEQ "">
          <CFOUTPUT>
          Uploaded file <STRONG>#fileresult.ServerFile#</STRONG><BR />
          File size <STRONG>#trim(fileresult.FileSize)#</STRONG> bytes<BR />
          File overwrite="#fileresult.FileWasOverwritten#"<BR />
          </CFOUTPUT>
      <cfelse>
          form.uploadimage is not defined<BR>
      </cfif>
      

      This works perfectly with no issues at all as long as I just post files smaller than approximately 25 kBytes, 'sometimes' not even that.
      (Smaller than 10 kBytes always get through.) Any larger than that and I get everything from "crbug/1173575, non-JS module files deprecated." errors in the web browser console to Error 500 or sometimes nothing at all.

      I know that the first response is to check the settings in the Lucee Tomcat installation (Linux Ubuntu 20.04) and add configs like:

      <multipart-config>
        <max-file-size>52428800</max-file-size>
        <max-request-size>52428800</max-request-size>
        <file-size-threshold>0</file-size-threshold>
      </multipart-config>
      

      to the web.xml file and:

      connectionUploadTimeout="72000000" disableUploadTimeout="false" maxPostSize="67589953" connectionTimeout="60000"
      

      to the <Connector> in the server.xml file.

      I have spent an entire weekend doing this and many, many other things until I realized that it actually works perfectly with > 50 Mbytes files when I access my web server directly using the local IP address : port and not going via the pfSense firewall. (Current Base System 2.5.1)

      The web server uses an SSL certificate and is listening (locally) on port 8443. The pfSense firewall has a NAT rule forwarding incoming requests to the standard SSL port 443 --> 8443. This works like a charm for the entire web site on that machine regardless of any sizes of any files, images, scripts etc.

      The issue I have is only related to incoming file POSTs via forms.

      I have spent hours experimenting with different NAT reflection settings like NAT, NAT+Proxy, Disabled etc.
      I have also tried with and without "Clear invalid DF bits instead of dropping the packets" for the "IP Do-Not-Fragment" compatibility.
      I have tested with and without all possible combinations of checkboxes in the page
      Also tried many combinations of checkboxes in the System - Advanced - Firewall & NAT page, like: "Hardware Large Receive Offloading" and others.

      But the total number of combinations is almost infinite, so I need help to solve this issue.

      / Roger G

        garpenholm

        I've spent a couple of days figuring out a solution to my problem.
        I hope that this post will spare someone else many hours of frustration. ;)

        By changing the Tomcat (ver 9.0.31) server.xml settings so that the <Connector> used by my HTTPS-server uses...

        protocol="org.apache.coyote.http11.Http11Nio2Protocol"
        

        and not...

        protocol="org.apache.coyote.http11.Http11NioProtocol"
        

        ... the POST of files using HTTPS (I'm using "Let's Encrypt") works perfectly!

        (It seems to work with any NAT reflection combinations as well.)
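
A size sweep is one way to locate the threshold described in the first post and to confirm a fix like the one above: run it once against the server's local address and once against the address forwarded by the firewall, then compare where the results diverge. This is an added example, not code from the thread; the stub server, function names and size list are constructed for illustration, and only the `uploadimage` field name and the `upload.cfm` path come from the post.

```python
# Added example (not from the thread): sweep multipart upload sizes to find where POSTs break.
import http.client, os, threading, uuid
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

FIELD = "uploadimage"  # form field name taken from the post
SIZES = [1 << 10, 10 << 10, 24 << 10, 64 << 10, 1 << 20]  # constructed: 1 KiB .. 1 MiB

def multipart_body(size, boundary):
    """multipart/form-data body carrying `size` random bytes as one file part."""
    head = (f'--{boundary}\r\nContent-Disposition: form-data; name="{FIELD}"; '
            'filename="probe.bin"\r\nContent-Type: application/octet-stream\r\n\r\n')
    return head.encode() + os.urandom(size) + f"\r\n--{boundary}--\r\n".encode()

def probe(host, port, path, size, tls=False, timeout=10):
    """POST one file; return the HTTP status, or the exception name on transport failure."""
    boundary = uuid.uuid4().hex
    cls = http.client.HTTPSConnection if tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=timeout)
    try:
        conn.request("POST", path, body=multipart_body(size, boundary), headers={
            "Content-Type": f"multipart/form-data; boundary={boundary}"})
        resp = conn.getresponse()
        return resp.status
    except (OSError, http.client.HTTPException) as exc:  # timeout, reset, TLS error
        return type(exc).__name__
    finally:
        conn.close()

def sweep(host, port, path, sizes, **kw):
    """Probe each size in ascending order; map size -> status or exception name."""
    return {s: probe(host, port, path, s, **kw) for s in sorted(sizes)}

def first_failure(results):
    """Smallest size that did not return HTTP 200, or None if every size passed."""
    return next((s for s, r in sorted(results.items()) if r != 200), None)

def start_stub(limit=None):
    """Constructed local stand-in endpoint: reads the body, answers 500 above `limit` bytes."""
    class Handler(BaseHTTPRequestHandler):
        def do_POST(self):
            n = len(self.rfile.read(int(self.headers["Content-Length"])))
            self.send_response(500 if limit and n > limit else 200)
            self.end_headers()
        def log_message(self, *args): pass  # keep the sweep output quiet
    srv = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

if __name__ == "__main__":
    print(sweep("127.0.0.1", start_stub()[1], "/upload.cfm", SIZES))
```

Against a real server, pass `tls=True` and the real host and port to `sweep`; an exception name in place of a status code means the transfer failed below HTTP, which points at the network path or the TLS connector and not at an application size limit.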
