
I am getting a 400 Bad Request "request header or cookie too large" from nginx with my Spring Boot app, because the JWT key is 38.7 kB. When I use a smaller JWT key, everything is fine. I tried to modify the nginx configuration by adding this in the server context.

    # request-header limits: a single header line must fit in ONE large buffer
    client_header_buffer_size    64k;
    large_client_header_buffers  4 64k;
    # upstream-response buffers (they do not affect the client's request header)
    proxy_buffer_size            128k;
    proxy_buffers                4 256k;
    proxy_busy_buffers_size      256k;

Unfortunately nginx still returns the same 400 Bad Request. The strange thing is that I can't find any trace of it in the nginx error log. My OS is CentOS 7.6, the nginx version is 1.18.1.

Here is my full nginx config file.

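http {

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # Request header limits
    ##
    # Declared at http level so that EVERY server block inherits them, including
    # any server defined in the files included further down. nginx takes the
    # header buffer sizes from the server that is the default for the listening
    # socket until the Host header has selected a virtual server, so if a default
    # server for port 80 lives in conf.d/ or sites-enabled/ it would otherwise
    # keep the built-in 1k / 4x8k limits and answer
    # "400 Request Header Or Cookie Too Large" before the server block at the
    # bottom of this file is ever consulted. One header line (e.g. Authorization
    # or Cookie) must fit entirely in ONE of the large buffers.
    client_header_buffer_size 64k;
    large_client_header_buffers 4 64k;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    # The "client sent too long header line" diagnostic behind this 400 is
    # logged at the info level. With the default level (error) it never reaches
    # the file, which is why the rejection left no trace. Raise the level back
    # to warn/error once the issue is diagnosed.
    error_log /var/log/nginx/error.log info;

    ##
    # Gzip Settings
    ##

    gzip on;
    gzip_disable "msie6";

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # nginx-naxsi config
    ##
    # Uncomment it if you installed nginx-naxsi
    ##

    #include /etc/nginx/naxsi_core.rules;

    ##
    # nginx-passenger config
    ##
    # Uncomment it if you installed nginx-passenger
    ##

    #passenger_root /usr;
    #passenger_ruby /usr/bin/ruby;

    ##
    # Virtual Host Configs
    ##
    # Anything included here is parsed BEFORE the server block below. If one of
    # these files also listens on port 80 (a stock default.conf, for instance),
    # that server is the default for :80, not the one in this file. The
    # "upstream commonapi" referenced below must also be defined in one of them.
    # `nginx -T` prints the fully resolved configuration and shows which it is.

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;

    # Rate / connection limiting zones (keyed by client address); the matching
    # limit_conn / limit_req directives are commented out in /api below.
    limit_req_zone $binary_remote_addr zone=one:10m rate=5r/s;
    limit_conn_zone $binary_remote_addr zone=two:10m;

    server {
        keepalive_requests 120;
        listen       80;
        server_name  10.254.9.31;

        # Per-server copies of the header limits (same values as http level).
        client_header_buffer_size 64k;
        large_client_header_buffers 4 64k;
        # These three size the buffers for the upstream RESPONSE; they have no
        # effect on how large a client request header may be.
        proxy_buffer_size   128k;
        proxy_buffers   4 256k;
        proxy_busy_buffers_size   256k;

        location /api {
            #limit_conn two 1;
            #limit_req  zone=one burst=2 nodelay;
            proxy_pass http://commonapi/;
        }

        location /isse-auth/ {
            # NOTE(review): the Spring Boot backend enforces its own request
            # header limit (server.max-http-header-size, 8 KB by default). Once
            # nginx lets the large header through, a 400 can still come from
            # Tomcat; its response body differs from the nginx error page, which
            # tells the two apart.
            proxy_pass http://10.254.9.31:8888/;
        }
    }

}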

Xiao Liu
    The fact that your JWT key is 38.7kb is ludicrous. You should fix that, rather than trying to brute-force an entire tree through a hole intended for a pencil. – Andreas Sep 13 '20 at 02:25
    Thanks for your reply, Andreas! In fact we already fixed the JWT to a reasonable size. But we still want to know what the problem with the nginx config is, in case we need it in the future. – Xiao Liu Sep 13 '20 at 05:35
  • @XiaoLiu did you find a solution to this problem? – Yassine Hakim Feb 26 '21 at 12:59
