nginx + cookies + firefox = 400 Bad Request

Jim Ohlstein jim.ohlstein at
Mon Dec 15 08:00:05 MSK 2008

That would explain why it doesn't happen on my installation, as I use the
database to track thread/forum read info for users, not a cookie. That's a
quick setting change in the vBulletin admin panel to fix, though it does put
a bit more load on the processor.

-----Original Message-----
From: owner-nginx at [mailto:owner-nginx at] On Behalf Of
Maxim Dounin
Sent: Sunday, December 14, 2008 10:44 PM
To: nginx at
Subject: Re: nginx + cookies + firefox = 400 Bad Request


On Sun, Dec 14, 2008 at 09:17:02PM -0500, Jim Ohlstein wrote:

> It might be but I don't have that problem with my moderately busy
> board and 31% of my visitors (including myself) use Firefox. The
> is that I use php-fcgi not Apache. Looking at Google search the problem
> appears with other apps but the common denominator in most cases seems to
> when nginx is being used as a reverse proxy and only with Firefox. The
> problem is more likely with Firefox than with vBulletin. As for number of

Other browsers seem to have lower limits on total cookie size, and 
hence the problem doesn't manifest itself (instead, some cookies 
are probably just discarded by other browsers).

> cookies, my browser has 11 from my vBulletin installation. The average
> has one fewer since they don't have an admin control panel cookie. In
> contrast, I have 28 cookies from (which uses nginx to serve some
> the content that I browse), 30 from VerizonWireless (my cell phone
> and 16 from American Express, so 11 (or 10 as a typical user might have)
> does not seem "enormous".

Yep, I was wrong in my assumption (just did a quick-review of 
vbulletin code).  It doesn't create many cookies, it just uses 
several ones that may grow really big.

Anyway, the problem is that client sent too long Cookie header to 

Quick fix is to enlarge large_client_header_buffers.  And the next 
thing to tune is proxy_buffer_size, which in turn will require 

More correct fix would be to limit backend somehow, but it's out 
of scope of this list.

> Consider a brief test proxying your php requests to php-cgi (I use php-fpm
> but you can use spawn-fcgi from lighttpd and you probably won't need to
> recompile php for this test). There are lots of "recipes" online for doing
> so. If the problem resolves then you can make a more informed decision. It
> appears that the problem has existed in at least some versions of nginx
> 0.7.x - see
> so a recompile may not help. I don't know if it's been rectified at that

BTW, looks like vbulletin on was patched to 
avoid bbthread_lastview cookie (the one that grows for each forum 
thread visited by user).

Maxim Dounin

> site but I have visited it without issue. They are still using nginx but
> it is configured I do not know. If you decide to do this, also consider
> running some benchmarks using a simple php script: Apache alone, nginx as
> reverse proxy to Apache, nginx using fastcgi.
> Good luck!
> Jim
> -----Original Message-----
> From: owner-nginx at [mailto:owner-nginx at] On Behalf Of
> Maxim Dounin
> Sent: Sunday, December 14, 2008 7:57 PM
> To: nginx at
> Subject: Re: nginx + cookies + firefox = 400 Bad Request
> Hello!
> On Sun, Dec 14, 2008 at 01:26:59PM +0100, Oliver Pestring wrote:
> > Hi guys, this week I was about to move partially to nginx for all
> > static content. The full switch was planned in about a month on a new
> > server. I followed this guide
> > and
> > it worked instantly. After some minutes I got some t-calls about saying
> > that the page isn't reachable with a 400 - Bad Request for them. It runs
> > a vbulletin-forum and a Mantis-Bugtracker, it happens on both.
> > 
> > Some hours later I could nail that problem down to nginx (same with 0.5x
> > from etch and 0.632 from lenny) and firefox users (versions 2&3). It
> > works again if the related domain-cookies are deleted. apache2 doesn't
> > cause any trouble, same for IE/Opera-users.
> > 
> > Tried a quick google search and I found endless posts on a lot of sites
> > with the same 400 problem and ff after they switched to nginx (even
> > famous ones like electronicarts). Sadly none of these contain a solution
> > besides cleaning the cookies but that doesn't seem to help for long
> > according to those posts.
> > 
> > As I have over 60% FF-users I'm a little afraid of the results and
> > switched back to pure apache for the moment. Is there any known solution
> > to this problem on serverside? May a selfcompiled-0.7-version help on
> > this? Couldn't find anything related in the changelog.
> You should tune large_client_header_buffers in your nginx config, see 
> for details.
> The problem AFAIK is vbulletin which sets an enormous number of 
> various cookies.
> Maxim Dounin
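
The failure discussed in this thread, as an added example that is not part of the original messages or of nginx: a small checker that flags request header lines too large for one buffer of a given large_client_header_buffers setting. The function names, the sample request and the cookie entry layout are constructed for illustration, and the model is simplified to the rule that a single header line must fit in one buffer.

```python
import re

UNITS = {"": 1, "k": 1024, "m": 1024 * 1024}

def parse_buffers(directive):
    """Parse 'large_client_header_buffers 4 8k;' into (count, bytes_per_buffer)."""
    m = re.fullmatch(
        r"\s*large_client_header_buffers\s+(\d+)\s+(\d+)([kKmM]?)\s*;\s*", directive)
    if m is None:
        raise ValueError("not a large_client_header_buffers directive")
    return int(m.group(1)), int(m.group(2)) * UNITS[m.group(3).lower()]

def oversized_headers(raw_request, directive):
    """Return [(header_name, line_bytes)] for header lines larger than one buffer.

    Simplified model: the exact byte at which nginx rejects a line is not
    reproduced, only the rule that one header line must fit in one buffer.
    """
    _, size = parse_buffers(directive)
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    hits = []
    for line in head.split(b"\r\n")[1:]:      # [0] is the request line
        if len(line) > size:
            name = line.split(b":", 1)[0].decode("ascii", "replace")
            hits.append((name, len(line)))
    return hits

def sample_request(visited_threads):
    """Constructed request: one cookie gains an entry per thread visited.
    The entry layout is made up for the example, not vBulletin's real encoding."""
    value = "".join(f"i-{t}_i-1229300000_" for t in range(visited_threads))
    return (b"GET /forum/index.php HTTP/1.1\r\n"
            b"Host: forum.example\r\n"
            b"Cookie: bbthread_lastview=" + value.encode()
            + b"\r\n\r\n")

if __name__ == "__main__":
    for directive in ("large_client_header_buffers 4 8k;",
                      "large_client_header_buffers 4 16k;"):
        for n in (20, 500):
            print(directive, n, oversized_headers(sample_request(n), directive))
```

Run over captured requests before raising the limit, this shows how large the biggest legitimate Cookie header is, so the buffer can be sized to it rather than guessed.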
