Hello, tonight i got an error "400 Bad RequestRequest Header Or Cookie Too Large nginx"

Tonight to me happens the error “400 Bad RequestRequest Header Or Cookie Too Large nginx” and gets stuck on that, I was trying to change large_client_header_buffers but then I got 1024 workers_connetions not enough when I changed both it bounced from “400 Bad RequestRequest Header Or Cookie Too Large nginx” to workers_connections. I’m no familiar with nginx at all, but here is /etc/nginx/ngin.conf

# Server globals
user                    www-data;
worker_processes        auto;
worker_rlimit_nofile    65535;
error_log               /var/log/nginx/error.log;
pid                     /run/nginx.pid;

include /etc/nginx/modules-enabled/*.conf;


# Worker config
events {
        worker_connections  2048;
        use                 epoll;
        multi_accept        on;
}

http {
    include /home/igzak/cloudflare/allow-cloudflare.conf;
    # Main settings
    sendfile                        on;
    tcp_nopush                      on;
    tcp_nodelay                     on;
    client_header_timeout           180s;
    client_body_timeout             180s;
    client_header_buffer_size       2k;
    client_body_buffer_size         512k;
    client_max_body_size            256m;
    large_client_header_buffers     16 16k;
    send_timeout                    60s;
    keepalive_timeout               30s;
    keepalive_requests              100000;
    reset_timedout_connection       on;
    server_tokens                   off;
    server_name_in_redirect         off;
    server_names_hash_max_size      512;
    server_names_hash_bucket_size   512;
    charset                         utf-8;

    # FastCGI settings
    fastcgi_buffers                 8 256k;
    fastcgi_buffer_size             256k;
    fastcgi_busy_buffers_size       256k;
    fastcgi_temp_file_write_size    256k;
    fastcgi_connect_timeout         30s;
    fastcgi_read_timeout            300s;
    fastcgi_send_timeout            180s;
    fastcgi_cache_lock              on;
    fastcgi_cache_lock_timeout      5s;
    fastcgi_cache_background_update on;
    fastcgi_cache_revalidate        on;
    
    # Proxy settings
    proxy_redirect                  off;
	proxy_buffering                 on;
    proxy_set_header                Host $host;
    proxy_set_header                X-Real-IP $remote_addr;
    proxy_set_header                X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass_header               Set-Cookie;
    proxy_buffers                   8 16k;
	proxy_buffer_size				16k;
    proxy_connect_timeout           30s;
    proxy_read_timeout              300s;
    proxy_send_timeout              180s;

    # Log format
    log_format  main    '$remote_addr - $remote_user [$time_local] $request '
                        '"$status" $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';
    log_format  bytes   '$body_bytes_sent';
    log_not_found off;
    access_log off;

    # Mime settings
    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Compression
    gzip                on;
    gzip_static         on;
    gzip_vary           on;
    gzip_comp_level     6;
    gzip_min_length     1024;
    gzip_buffers        16 8k;
    gzip_http_version   1.1;
    gzip_types          text/plain text/css text/javascript text/js text/xml application/json application/javascript application/x-javascript application/xml application/xml+rss application/x-font-ttf image/svg+xml font/opentype;
    gzip_proxied        any;
    gzip_disable        "MSIE [1-6]\.";

    # Cloudflare https://www.cloudflare.com/ips
    include /etc/nginx/conf.d/cloudflare.inc;

    # SSL PCI compliance
    ssl_session_cache   shared:SSL:20m;
    ssl_session_timeout 60m;
    ssl_buffer_size     1400;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers         "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
    ssl_dhparam         /etc/ssl/dhparam.pem;
    ssl_ecdh_curve      secp384r1;
    ssl_session_tickets off;
    resolver 127.0.0.53  valid=300s ipv6=off;
    resolver_timeout    5s;

    # Error pages
    error_page 403 /error/404.html;
    error_page 404 /error/404.html;
    error_page 410 /error/410.html;
    error_page 500 501 502 503 504 505 /error/50x.html;

    # Proxy cache
    proxy_cache_path /var/cache/nginx levels=2 keys_zone=cache:10m inactive=60m max_size=1024m;
    proxy_cache_key "$host$request_uri $cookie_user";
    proxy_temp_path  /var/cache/nginx/temp;
    proxy_ignore_headers Expires Cache-Control;
    proxy_cache_use_stale error timeout invalid_header http_502;
    proxy_cache_valid any 1d;

    # FastCGI cache
    fastcgi_cache_path /var/cache/nginx/micro levels=1:2 keys_zone=microcache:10m max_size=1024m inactive=30m;
    fastcgi_cache_key "$scheme$request_method$host$request_uri";
    fastcgi_cache_methods GET HEAD;
    fastcgi_cache_use_stale updating error timeout invalid_header http_500 http_503;
    fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
    add_header X-FastCGI-Cache $upstream_cache_status;

    # Cache bypass
    map $http_cookie $no_cache {
        default 0;
        ~SESS 1;
        ~wordpress_logged_in 1;
    }

    # File cache (static assets)
    open_file_cache          max=10000 inactive=30s;
    open_file_cache_valid    60s;
    open_file_cache_min_uses 2;
    open_file_cache_errors   off;
    
    # Wildcard include
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/conf.d/domains/*.conf;
}

I was changing large_client_header_buffers and then happen error 2048 worker_connections not enough and if change limit of worker_connections it comes back “Request Header Or Cookie Too Large”

Nginx only or Nginx + Apache2

Only Nginx, I used this script before to use only nginx and all works ok 56 days

#!/bin/bash

# Function Description
# Manual upgrade script from Nginx + Apache2 + PHP-FPM to Nginx + PHP-FPM

#----------------------------------------------------------#
#                    Variable&Function                     #
#----------------------------------------------------------#

# Includes
# shellcheck source=/etc/hestiacp/hestia.conf
source /etc/hestiacp/hestia.conf
# shellcheck source=/usr/local/hestia/func/main.sh
source $HESTIA/func/main.sh
# shellcheck source=/usr/local/hestia/conf/hestia.conf
source $HESTIA/conf/hestia.conf

#----------------------------------------------------------#
#                    Verifications                         #
#----------------------------------------------------------#

if [ "$WEB_BACKEND" != "php-fpm" ]; then
	check_result $E_NOTEXISTS "PHP-FPM is not enabled" > /dev/null
	exit 1
fi

if [ "$WEB_SYSTEM" != "apache2" ]; then
	check_result $E_NOTEXISTS "Apache2 is not enabled" > /dev/null
	exit 1
fi

#----------------------------------------------------------#
#                       Action                             #
#----------------------------------------------------------#

# Remove apache2 from config
sed -i "/^WEB_PORT/d" $HESTIA/conf/hestia.conf
sed -i "/^WEB_SSL/d" $HESTIA/conf/hestia.conf
sed -i "/^WEB_SSL_PORT/d" $HESTIA/conf/hestia.conf
sed -i "/^WEB_RGROUPS/d" $HESTIA/conf/hestia.conf
sed -i "/^WEB_SYSTEM/d" $HESTIA/conf/hestia.conf

# Remove nginx (proxy) from config
sed -i "/^PROXY_PORT/d" $HESTIA/conf/hestia.conf
sed -i "/^PROXY_SSL_PORT/d" $HESTIA/conf/hestia.conf
sed -i "/^PROXY_SYSTEM/d" $HESTIA/conf/hestia.conf

# Add Nginx settings to config
echo "WEB_PORT='80'" >> $HESTIA/conf/hestia.conf
echo "WEB_SSL='openssl'" >> $HESTIA/conf/hestia.conf
echo "WEB_SSL_PORT='443'" >> $HESTIA/conf/hestia.conf
echo "WEB_SYSTEM='nginx'" >> $HESTIA/conf/hestia.conf

# Rebuild web config

for user in $($BIN/v-list-users plain | cut -f1); do
	echo $user
	for domain in $($BIN/v-list-web-domains $user plain | cut -f1); do
		$BIN/v-change-web-domain-tpl $user $domain 'default'
		$BIN/v-rebuild-web-domain $user $domain no
	done
done

systemctl restart nginx

Also when I try to open pages I see this, is it possible that something with redirects?

image962×250 13.6 KB

Enabled error_log in debug mode, there X-Forward-For with a lot of ips of my server, looks like here somethings with redirects but I don’t understand where a problem to fix

Try this:

# Includes
# shellcheck source=/etc/hestiacp/hestia.conf
source /etc/hestiacp/hestia.conf
# shellcheck source=/usr/local/hestia/conf/hestia.conf
source $HESTIA/conf/hestia.conf

# Remove apache2 from config
sed -i "/^WEB_PORT/d" $HESTIA/conf/hestia.conf
sed -i "/^WEB_SSL/d" $HESTIA/conf/hestia.conf
sed -i "/^WEB_SSL_PORT/d" $HESTIA/conf/hestia.conf
sed -i "/^WEB_RGROUPS/d" $HESTIA/conf/hestia.conf
sed -i "/^WEB_SYSTEM/d" $HESTIA/conf/hestia.conf

# Remove nginx (proxy) from config
sed -i "/^PROXY_PORT/d" $HESTIA/conf/hestia.conf
sed -i "/^PROXY_SSL_PORT/d" $HESTIA/conf/hestia.conf
sed -i "/^PROXY_SYSTEM/d" $HESTIA/conf/hestia.conf

# Add Nginx settings to config
echo "WEB_PORT='80'" >> $HESTIA/conf/hestia.conf
echo "WEB_SSL='openssl'" >> $HESTIA/conf/hestia.conf
echo "WEB_SSL_PORT='443'" >> $HESTIA/conf/hestia.conf
echo "WEB_SYSTEM='nginx'" >> $HESTIA/conf/hestia.conf

This helps, ty

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.