I just ran into an issue where a Sitecore site suffered a service outage due to a large media item being served from the site. A traffic spike to the page with the file essentially caused an unintentional denial of service attack and made the site unavailable until the server recovered. Here is a graph showing the data spike.
The disk and network spike reaches 1.2GB at its peak. This is about the time I got a monitoring alert on the site. There are a number of authors that work on this site, and while there is an effort to train content authors on resizing and compressing images and using third party services to host large video files, sometimes the rush to get content pushed out causes best practices to be forgotten.
Full disclosure here - I am using Sitecore 8.2.7 for these examples. Sitecore 9 may not work quite like this. The advanced upload control uses flash if you browser supports it and flash has been installed and enabled.
In order to restrict how big of a file is allowed in the media library, you are going to have to set the uploader to classic (non flash). There is a bug with the flash based advanced uploader. Although it displays a message when a large file is selected to upload, it still allows the upload.
This is the flash uploader.
I have a restriction setup to limit files to 10MB, yet the flash uploader still allows me to upload larger files.
The classic advanced uploader looks like this -
In order to ensure that users are restricted to the classic uploader, there is a Sitecore setting in the Sitecore.config that can be set to achieve this. Here is the patch file to override the default setting (default is to allow the flash uploader).
<setting name="Upload.Classic" value="false">
With this patch file, I am finding the Upload.Classic setting with value false and changing it to true. Apply this setting and check it using sitecore/admin/showconfig.aspx. You can also verify that only the classic uploader is displayed, even when flash is installed and enabled in your browser.
By default Sitecore allows files of up to 500MB in the media library. This is very large and files of even a 100th of this size will likely be problem for your site. The patch file to override the default size and set the max size to, say, 10MB looks like this.
<setting name="Media.MaxSizeInDatabase" value="500MB">
With this setting and the uploader set to classic, you should no longer be able to upload a file large than 10MB. This dialog is displayed when attempting to upload an oversized file.
You're going to want to allow the web server to allow uploads as big as the maximum media file setting. Check the web.config for this setting. Below is an example.
<httpRuntime targetFramework="4.5.2" maxRequestLength="512000" executionTimeout="3600" enableKernelOutputCache="false" relaxedUrlToFileSystemMapping="false" enableVersionHeader="false"/>
The server is set to receive files up to 500MB in size. This is fine with the media file restriction and can be left as is, but you might want to reduce this setting to be in line with the media file limit you have set so that the web server can provide the initial limit before allowing an upload that is destined to fail in Sitecore through.
I got some good info from this post on Stack Exchange for this article.
If you are interested in Sitecore please take a look at my other Sitecore articles: