nginx + cookies + firefox = 400 Bad Request

Jim Ohlstein jim.ohlstein at gmail.com
Mon Dec 15 08:00:05 MSK 2008


That would explain why it doesn't happen on my installation, as I use the
database to track thread/forum read info for users, not cookies. That's a
quick setting change in the vBulletin admin panel to fix, though it does put
a bit more load on the processor.


-----Original Message-----
From: owner-nginx at sysoev.ru [mailto:owner-nginx at sysoev.ru] On Behalf Of
Maxim Dounin
Sent: Sunday, December 14, 2008 10:44 PM
To: nginx at sysoev.ru
Subject: Re: nginx + cookies + firefox = 400 Bad Request

Hello!

On Sun, Dec 14, 2008 at 09:17:02PM -0500, Jim Ohlstein wrote:

> It might be but I don't have that problem with my moderately busy vBulletin
> board and 31% of my visitors (including myself) use Firefox. The difference
> is that I use php-fcgi not Apache. Looking at Google search the problem
> appears with other apps but the common denominator in most cases seems to be
> when nginx is being used as a reverse proxy and only with Firefox. The
> problem is more likely with Firefox than with vBulletin. As for number of

Other browsers seem to have lower limits on total cookie size, and
hence the problem doesn't manifest itself (instead, some cookies
are probably just discarded by other browsers).

> cookies, my browser has 11 from my vBulletin installation. The average user
> has one fewer since they don't have an admin control panel cookie. In
> contrast, I have 28 cookies from CNN.com (which uses nginx to serve some of
> the content that I browse), 30 from VerizonWireless (my cell phone company),
> and 16 from American Express, so 11 (or 10 as a typical user might have)
> does not seem "enormous".

Yep, I was wrong in my assumption (just did a quick-review of 
vbulletin code).  It doesn't create many cookies, it just uses 
several ones that may grow really big.

Anyway, the problem is that the client sent too long a Cookie header to
nginx.

Quick fix is to enlarge large_client_header_buffers.  And the next 
thing to tune is proxy_buffer_size, which in turn will require 
enlargement.

A more correct fix would be to limit the backend somehow, but it's out
of scope of this list.

> Consider a brief test proxying your php requests to php-cgi (I use php-fpm
> but you can use spawn-fcgi from lighttpd and you probably won't need to
> recompile php for this test). There are lots of "recipes" online for doing
> so. If the problem resolves then you can make a more informed decision. It
> appears that the problem has existed in at least some versions of nginx
> 0.7.x - see http://www.linuxquestions.org/questions/project.php?issueid=30
> so a recompile may not help. I don't know if it's been rectified at that

BTW, looks like vbulletin on www.linuxquestions.org was patched to
avoid bbthread_lastview cookie (the one that grows for each forum
thread visited by user).

Maxim Dounin

> site but I have visited it without issue. They are still using nginx but how
> it is configured I do not know. If you decide to do this, also consider
> running some benchmarks using a simple php script: Apache alone, nginx as
> reverse proxy to Apache, nginx using fastcgi.
> 
> Good luck!
> 
> Jim
> 
> -----Original Message-----
> From: owner-nginx at sysoev.ru [mailto:owner-nginx at sysoev.ru] On Behalf Of
> Maxim Dounin
> Sent: Sunday, December 14, 2008 7:57 PM
> To: nginx at sysoev.ru
> Subject: Re: nginx + cookies + firefox = 400 Bad Request
> 
> Hello!
> 
> On Sun, Dec 14, 2008 at 01:26:59PM +0100, Oliver Pestring wrote:
> 
> > Hi guys, this week I was about to move partially to nginx for all
> > static content. The full switch was planned in about a month on a new
> > server. I followed this guide
> > http://www.dikant.de/2008/07/10/nginx-as-a-reverse-proxy-for-apache/ and
> > it worked instantly. After some minutes I got some t-calls about saying
> > that the page isn't reachable with a 400 - Bad Request for them. It runs
> > a vbulletin-forum and a Mantis-Bugtracker, it happens on both.
> > 
> > Some hours later I could nail that problem down to nginx (same with 0.5x
> > from etch and 0.632 from lenny) and firefox users (versions 2&3). It
> > works again if the related domain-cookies are deleted. apache2 doesn't
> > cause any trouble, same for IE/Opera-users.
> > 
> > Tried a quick google search and I found endless posts on a lot of sites
> > with the same 400 problem and ff after they switched to nginx (even
> > famous ones like electronicarts). Sadly none of these contain a solution
> > besides cleaning the cookies but that doesn't seem to help for long
> > according to those posts.
> > 
> > As I have over 60% FF-users I'm a little afraid of the results and
> > switched back to pure apache for the moment. Is there any known solution
> > to this problem on serverside? May a selfcompiled-0.7-version help on
> > this? Couldn't find anything related in the changelog.
> 
> You should tune large_client_header_buffers in your nginx config, see
> http://wiki.codemongers.com/NginxHttpCoreModule#large_client_header_buffers
> for details.
> 
> The problem AFAIK is vbulletin which sets an enormous number of
> various cookies.
> 
> Maxim Dounin
> 
> 
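
Added example, not part of the thread and not nginx or vBulletin code: a short Python check of the failure discussed above. nginx returns 400 when a single request header field does not fit in one large_client_header_buffers buffer, so the script compares the wire size of a Cookie field with the configured buffer size and names the cookie that takes the most space. The config lines, the `session` cookie and the bbthread_lastview entry format are constructed for illustration, and the comparison is approximate at the exact byte boundary.

```python
import re

UNITS = {"": 1, "k": 1024, "m": 1024 * 1024}

def parse_buffers(conf):
    """Return (number, size_in_bytes) from a large_client_header_buffers line."""
    m = re.search(r"large_client_header_buffers\s+(\d+)\s+(\d+)([kKmM]?)\s*;", conf)
    if m is None:
        raise ValueError("large_client_header_buffers not set in this config text")
    return int(m.group(1)), int(m.group(2)) * UNITS[m.group(3).lower()]

def make_sample_cookie(n_threads):
    """Constructed Cookie value: a fixed session cookie plus a bbthread_lastview
    cookie that gains one entry per visited thread (the entry format is made up)."""
    entries = "".join(f"{100000 + i}-{1229300000 + i}." for i in range(n_threads))
    return "session=" + "0" * 32 + "; bbthread_lastview=" + entries

def check_cookie_header(cookie_value, conf):
    """Compare the Cookie field's wire size with the size of one header buffer."""
    _, buf_size = parse_buffers(conf)
    field_bytes = len(f"Cookie: {cookie_value}\r\n".encode("latin-1"))
    # Rank individual cookies by size to show which one is responsible.
    ranked = sorted(
        ((len(pair), pair.partition("=")[0]) for pair in cookie_value.split("; ")),
        reverse=True,
    )
    return {
        "field_bytes": field_bytes,
        "buffer_bytes": buf_size,
        "fits": field_bytes <= buf_size,
        "largest_cookie": ranked[0][1],
    }

if __name__ == "__main__":
    # Constructed config lines: a small buffer and an enlarged one.
    for conf in ("large_client_header_buffers 4 4k;",
                 "large_client_header_buffers 4 16k;"):
        for n in (10, 400):
            print(conf, n, check_cookie_header(make_sample_cookie(n), conf))
```

Enlarging the buffer makes the 400-thread cookie fit, but the cookie keeps growing with every thread visited, which is why the thread points at the backend as the more correct place to fix it.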





