We love everything about Nginx, but there is this one type of evil within, which can hurt your website traffic without being noticed for a long time. The evil is called “Large Client Headers” and it is invisible to people who are not advanced system engineers. This evil operates under certain circumstances and these circumstances make it even harder to detect.
What is the Large Client Header Buffer?
For many people in systems engineering, it is probably nothing to worry about. In IIS, Apache and Tomcat, the default client header size is big enough that this evil stays asleep. By contrast, in Nginx the default value is so low that it sets the perfect environment for chaos. So what are we dealing with here?
When a user visits websites, his browser stores information in cookies. Cookies often get bigger and bigger when users don’t clear their cache. Although having lots of cookies doesn’t pose a big threat to anyone, cookies may sometimes create chaos if they are not programmed well. In particular, many newspapers use marketing software that tracks user behavior by looking at which articles a user is often interested in. This software collects information that allows newspapers to segment their readers. Some of this software may increase the size of its tracking cookie for a user well beyond default limits. Once this cookie is large enough and not cleared by the user, it is carried to all websites the user visits.
While IIS, Apache and Tomcat sites don’t have much of a problem dealing with such cookies thanks to their initial configuration, NGINX has a lower value and turns away a user who carries a large cookie. The Nginx server responds with a 5XX page and the user thinks the website is not available. If the user clears his browser’s cache, then he can access the website without any problem.
The large client header buffer value, which can be modified in IIS, Apache, NGINX, Tomcat, etc., sets the limit that determines whether a user is let in or not.
Below are the default values:
Apache 2.0, 2.2: 8K
NGINX: 4K – 8K
IIS: varies by version, 8K – 16K
Tomcat: varies by version, 8K – 16K
As you can see, Nginx may have a 4K value for its large client header buffer, which can deny any user whose browser carries a large cookie that is beyond this limit.
How To Fix Nginx Large Client Header Size?
The solution is simple. If your nginx configuration file is located at /etc/nginx/nginx.conf, simply edit this file with your favorite editor and add the following line under the http section:
large_client_header_buffers 4 32k;
Now restart your Nginx server and you should be fine. If you are using Nginx as a reverse proxy, make sure the server you proxy to also has a high large client header buffer.
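To see which requests a given setting would turn away before you change it, the added example below (not part of the original article) checks a raw request head against a large_client_header_buffers value. It models the rules in the nginx documentation: the request line and each header field must fit in a single buffer, and the whole head must fit in number × size. The function names, the www.example.com host and the sample requests are constructed for illustration.

```python
import re

UNITS = {"": 1, "k": 1024, "m": 1024 ** 2}

def parse_directive(text):
    """Turn 'large_client_header_buffers 4 32k;' into (count, size_in_bytes)."""
    m = re.fullmatch(
        r"\s*large_client_header_buffers\s+(\d+)\s+(\d+)([kKmM]?)\s*;\s*", text)
    if m is None:
        raise ValueError("not a large_client_header_buffers directive: %r" % text)
    return int(m.group(1)), int(m.group(2)) * UNITS[m.group(3).lower()]

def oversized_fields(raw_head, directive):
    """Names of the parts of a raw request head that break the configured limits.

    Modelled: the request line and every header field must fit in one buffer,
    and the whole head must fit in count * size. This approximates the
    documented rules; nginx's byte-exact buffer packing is not reproduced.
    """
    count, size = parse_directive(directive)
    lines = [l for l in raw_head.split(b"\r\n") if l]
    found = []
    for index, line in enumerate(lines):
        if len(line) + 2 > size:  # +2 for the CRLF that ends the line
            found.append("request-line" if index == 0
                         else line.split(b":", 1)[0].decode("latin-1"))
    if sum(len(l) + 2 for l in lines) > count * size:
        found.append("total")
    return found

def build_head(cookie_bytes, extra_headers=0):
    """Constructed sample request: one Cookie of the given size, optional 3000-byte fillers."""
    head = [b"GET / HTTP/1.1", b"Host: www.example.com",
            b"Cookie: track=" + b"a" * cookie_bytes]
    head += [b"X-Filler-%d: " % n + b"b" * 3000 for n in range(extra_headers)]
    return b"\r\n".join(head) + b"\r\n\r\n"

if __name__ == "__main__":
    # A 6000-byte tracking cookie against a 4k buffer and against the 32k fix.
    for conf in ("large_client_header_buffers 4 4k;",
                 "large_client_header_buffers 4 32k;"):
        print(conf, "->", oversized_fields(build_head(6000), conf) or "fits")
```

Feed it request heads captured from affected users to choose a buffer size that covers them rather than guessing; larger buffers also raise the memory a single request can make the server allocate.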