I have a decent number of hits with very large cookies. It was a bug of
our application and it’s fixed now, but we have to do something with
these clients, because all they are seeing now is the standard 400 Bad
Request page. I tried adding
error_page 400 /errors/400.html;
hoping that I would delete the cookies by javascript or some other way,
but I still get the standard page and connection reset.
Is there any way to override that or is there any other way to flush
those huge cookies?
On Tue, Dec 14, 2010 at 10:16:11AM -0500, Denis wrote:
> but I still get the standard page and connection reset.
> Is there any way to override that or is there any other way to flush
> those huge cookies?
This should be added to default server, as error 400 is generated
before any server_name matching occurs.
Note that you may also bump client_header_buffer_size /
large_client_header_buffers if you want cookies in question to be
actually accepted and processed (this should be done in default
server, too, or at http level).
Yep, I added it to the default server. At least, it’s listening as
listen 80 default;
That’s exactly what I’m bumping. Sorry, I should have made it more clear
in my first post. I don’t want to make my large_client_header_buffer 1
megabyte and I need some kind of way to fall back gracefully when a
client appears with 1Mbyte cookie. Like show him a page saying “your
cookie is too large, please delete it” or delete it in javascript.
But the problem is, I either get that hardcoded simple page or get http
response with no response body at all.
$ curl http://foobar.com/ -b hugecookies.jar
HTTP/1.1 400 Bad Request
Server: nginx
Date: Tue, 14 Dec 2010 17:29:07 GMT
Content-Type: text/html; charset=EUC-JP
Content-Length: 237
Connection: close
curl: (55) Send failure: Connection reset by peer
$
On Tue, Dec 14, 2010 at 12:33:02PM -0500, Denis wrote:
> But the problem is, I either get that hardcoded simple page or get http
> curl: (55) Send failure: Connection reset by peer
> $
The attached patch allows HTTP lingering close for 400 responses.
However, it will not be included in next releases: I’m going to
introduce a special code, say 490, for long HTTP header lines as
it’s already done for SSL errors (495, 496, and 497). Then you can
set explicitly
Nice patch. I don’t know if ‘Header line too long’ might be better than
‘Too long header line’. Both make sense, but the former sounds a bit
better to me.
On Wed, Dec 15, 2010 at 01:21:19PM +0200, Eugaia wrote:
> Hi,
> Nice patch. I don’t know if ‘Header line too long’ might be better than
> ‘Too long header line’. Both make sense, but the former sounds a bit
> better to me.
On Wed, Dec 15, 2010 at 01:41:42PM +0200, Eugaia wrote:
> > May be “Header line is too long” ?
> I think ‘Header line too long’ would be more normal for this sort of
> thing, as they tend to be shortened English. ‘Header too big’ is
> another alternative, or perhaps even ‘Header or cookie too big’. Adding
> the ‘cookie’ information may be useful to people who wouldn’t think to
> look at cookies when just getting a message about headers.
Yes, mention of “cookie” is useful here, since this is the main cause
of these errors. “Header line or cookie too big”. I use “line”
because nginx has another cause of 400 error: large header.
“Header line is too long” is logged when a single line of client header
is bigger than a buffer in large_client_header_buffers.
“Header is too large” is logged when sum of all header lines are bigger
than client_header_buffer_size plus large_client_header_buffers.
Probably this reason should cause 494 error too. And the resulting
message should be as you have suggested: “Request header or cookie too
big”.
> Yes, mention of “cookie” is useful here, since this is the main cause
> of these errors. “Header line or cookie too big”. I use “line”
> because nginx has another cause of 400 error: large header.
> “Header line is too long” is logged when a single line of client header
> is bigger than a buffer in large_client_header_buffers.
> “Header is too large” is logged when sum of all header lines are bigger
> than client_header_buffer_size plus large_client_header_buffers.
Is this for a single header, all the headers or either? It might be
useful to have ‘Headers too large’ if more than a single header is
included in the calculation.
> Probably this reason should cause 494 error too. And the resulting
> message should be as you have suggested: “Request header or cookie too big”.
Sounds good to me.
It might also be useful to specify ‘Cookie too large’ in the log file,
if it is the cookie that is too large.
On Wed, Dec 15, 2010 at 01:21:19PM +0200, Eugaia wrote:
Hi,
Nice patch. I don’t know if ‘Header line too long’ might be better than
‘Too long header line’. Both make sense, but the former sounds a bit
better to me.
Just an idea.
May be “Header line is too long” ?
I think ‘Header line too long’ would be more normal for this sort of
thing, as they tend to be shortened English. ‘Header too big’ is
another alternative, or perhaps even ‘Header or cookie too big’. Adding
the ‘cookie’ information may be useful to people who wouldn’t think to
look at cookies when just getting a message about headers.
On Wed, Dec 15, 2010 at 03:09:14PM +0300, Igor S. wrote:
> > > “Header is too large” is logged when sum of all header lines are bigger
> > useful to have ‘Headers too large’ if more than a single header is
> The header line name and about 1800 value characters are logged.
New patch version.
On Wed, Dec 15, 2010 at 01:57:58PM +0200, Eugaia wrote:
> Is this for a single header, all the headers or either?
I have looked in the sources.
“client sent too large request” is logged if all request headers can not
be read in client_header_buffer_size plus large_client_header_buffers.
“client sent too long header line: "…"” is logged if a single header line
does not fit in a buffer of large_client_header_buffers.
> It might be
> useful to have ‘Headers too large’ if more than a single header is
> included in the calculation.
> > Probably this reason should cause 494 error too. And the resulting
> > message should be as you have suggested: “Request header or cookie too big”.
> Sounds good to me.
The current edition is “Request header or cookie too large”.
> It might also be useful to specify ‘Cookie too large’ in the log file,
> if it is the cookie that is too large.
The header line name and about 1800 value characters are logged.
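
Added example (not part of the thread, and not nginx code): a small Python triage script that separates the two log messages quoted above and uses the logged header line name to tell which rejected clients were tripped by a Cookie header. The sample lines are constructed, and the surrounding error-log layout (timestamp, level, `client:` field) is assumed to be nginx's usual one.

```python
import re
from collections import Counter

# Constructed sample lines in an assumed nginx error-log layout; timestamps,
# PIDs, addresses and header values are made up for this example.
SAMPLE_LOG = '''\
2010/12/15 15:20:01 [info] 4242#0: *17 client sent too long header line: "Cookie: session=AAAAAAAAAAAAAAAA...", client: 192.0.2.10, server: _
2010/12/15 15:20:03 [info] 4242#0: *18 client sent too large request, client: 192.0.2.11, server: _
2010/12/15 15:20:09 [info] 4242#0: *21 client sent too long header line: "X-Trace: zzzzzzzzzzzzzzzz...", client: 192.0.2.12, server: _
2010/12/15 15:20:11 [info] 4242#0: *25 client sent too long header line: "Cookie: prefs=BBBBBBBBBBBBBBBB...", client: 192.0.2.10, server: _
2010/12/15 15:20:15 [error] 4242#0: *26 open() "/srv/www/favicon.ico" failed (2: No such file or directory), client: 192.0.2.13, server: _
'''

# The logged header text is client-controlled, so this parse is for triage
# and counting only, not for trust decisions.
LONG_LINE = re.compile(
    r'client sent too long header line: "([^:"]+):.*?, client: ([^,\s]+)')
LARGE_REQ = re.compile(r'client sent too large request.*?, client: ([^,\s]+)')

def classify(line):
    """Return (cause, client, header_name) or None for unrelated lines."""
    m = LONG_LINE.search(line)
    if m:  # one header line did not fit in a single large buffer
        return ("header_line_too_long", m.group(2), m.group(1).strip().lower())
    m = LARGE_REQ.search(line)
    if m:  # all headers together exceeded the configured buffers
        return ("request_too_large", m.group(1), None)
    return None

def summarize(log_text):
    """Count causes and header names; list clients rejected over a cookie."""
    causes, headers, cookie_clients = Counter(), Counter(), set()
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        cause, client, header = hit
        causes[cause] += 1
        if header:
            headers[header] += 1
            if header == "cookie":
                cookie_clients.add(client)
    return {"causes": dict(causes), "headers": dict(headers),
            "cookie_clients": sorted(cookie_clients)}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```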