5

We have been running into an issue when our cookies reach a certain size (over 7k) where nginx is returning 400 Bad Request with an empty response when proxying to our tomcat. This doesn't happen when nginx is serving the static content however. We have already tried updating the nginx config to increase the buffer size so it should handle individual headers up to 16k (we've also tried to set it on server level):

http {
  # ...
  client_body_buffer_size     32k;
  client_header_buffer_size 16k;
  large_client_header_buffers 4 16k;
  # ...
}

We have also upped the tomcat max-http-header-size to 16k. If we increase the cookie size to over 16k we still get a 400 bad request but the response has the "Request Header Or Cookie Too Large" error message. Something strange is happening between 8k and 16k header sizes that we can't figure out.

cnaut
  • 144
  • 1
  • 12
  • This does not appear to be an nginx issue, as it's unlikely for it to be returning empty pages, which are usually the classic tomcat signature. – cnst Feb 04 '17 at 06:37
  • 1
    can you please add your nginx & tomcat exact versions? – Tair Feb 09 '17 at 00:56

1 Answers1

1

This does not appear to be an nginx issue, as it's unlikely for it to be returning empty pages, which are usually the classic tomcat signature.

It would appear that setting up the header size may depend on the connector that you're using:

Community
  • 1
  • 1
cnst
  • 25,870
  • 6
  • 90
  • 122
  • We are using HTTP connecter though – cnaut Feb 05 '17 at 18:54
  • So, have you tried changing `maxHttpHeaderSize` as per http://tomcat.apache.org/tomcat-6.0-doc/config/http.html? I'm not too sure why you mention `max-http-header-size` in your question instead, perhaps that's a setting further down the line of your tomcat application. – cnst Feb 05 '17 at 19:05
  • We've tried both but are still having the problem. Strangely, hitting tomcat directly gives no problem. Just from nginx to tomcat. – cnaut Feb 05 '17 at 21:20
  • @cnaut, it should be relatively easy to make a distinction of when the error comes out from nginx or tomcat; can you definitively confirm either way? Also, are you sure you're having the misbehaving cookie payload when you're hitting it directly? Can you reproduce the issue with a shell script (e.g., w/ curl), e.g., not through a browser? Have you tried doing a [`tcpdump`](http://mdoc.su/o/tcpdump.8) to see where does the buck stop? – cnst Feb 06 '17 at 22:33