Nginx 431 - Request Header Fields Too Large - in reverse proxy

Question

I am using auth_request module in nginx to act as an authentication module.

location ~ ^/apigw/cws/(.*)$ {
        log_subrequest on;
        auth_request  /_sessionvalidate;
        auth_request_set $token $upstream_http_authorization;
        proxy_set_header Authorization $token;
        proxy_pass http://cws/$1$is_args$args;
}



location = /_sessionvalidate {
        internal;
        proxy_method POST;
        proxy_busy_buffers_size   512k;
        proxy_buffers   4 512k;
        proxy_buffer_size   256k;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://apigw/sessionValidate/;
}

The problem here is when i try to pass the token passed by the sessionvalidate to the cws upstream server

 proxy_set_header Authorization $token;

I get 431 error. I tried setting up the below in server/http directive

        large_client_header_buffers 4 64k;
        client_header_buffer_size 16k;

but I am still facing the error. I am not sure how make sure increase the header size of the upstream request. Please help.

Answer 1

I had this issue after setting up SWAG and Authelia.

The tl;dr is that SWAG was by default setup to allow 16k headers but Authelia was by default only configured to allow 4k.

My fix was to update Authelia's config as follows to match the nginx settings:

# Authelia `configuration.yml`

server:
  buffers:
    read: 16384
    write: 16384

https://www.authelia.com/configuration/prologue/common/#server-buffers

---

Here is the nginx configuration line if you want to cross reference what your setup is current using:

# `nginx.conf`

http {
  large_client_header_buffers 4 16k;
}

http://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers