
fix(nginx): Handle large header responses for root#13803

Open
mschilli87 wants to merge 1 commit into nextcloud:master from mschilli87:fix-nginx-502-root-url-large-response-header

Conversation

@mschilli87

I do not know how to locally build and render the documentation, but I only added a few lines to the sample nginx config files that fix an issue I faced after upgrading to NC32.

@mschilli87
Author

I will add the sign-off later today. If you auto-block PRs based on linting errors, it would be great to get notified by a comment. I only noticed the failing check because I still had the PR open in a browser tab from yesterday. Also, a PR template with a short checklist of what you expect would be useful.

mschilli87 force-pushed the fix-nginx-502-root-url-large-response-header branch from e3d04cc to 568c29c on October 16, 2025 15:33
@github-actions
Contributor

Hello there,
Thank you so much for taking the time and effort to create a pull request to our Nextcloud project.

We hope that the review process is going smooth and is helpful for you. We want to ensure your pull request is reviewed to your satisfaction. If you have a moment, our community management team would very much appreciate your feedback on your experience with this PR review process.

Your feedback is valuable to us as we continuously strive to improve our community developer experience. Please take a moment to complete our short survey by clicking on the following link: https://cloud.nextcloud.com/apps/forms/s/i9Ago4EQRZ7TWxjfmeEpPkf6

Thank you for contributing to Nextcloud and we hope to hear from you soon!

(If you believe you should not receive this message, you can add yourself to the blocklist.)

@mschilli87


@kesselb
Contributor

kesselb commented Nov 22, 2025

Hi,

Thanks for your PR. You are absolutely right that it is not ideal that no one responded timely. That does not leave a good impression, and I understand your frustration.

For now, I would prefer not to merge the change. If something in 32 caused these values to become necessary, we need to look into that. I do not think this was intentional, and increasing those limits is a big step, so it is not something we want to do without understanding the root cause.

Regarding the invitation to the community survey, that is an automated process we have set up for most of our repositories. We do not expect you to participate. If you want to share your frustration about not receiving feedback within a reasonable time frame, the survey is actually a good place to do that because it goes directly to our community management.

Thanks again for taking the time to contribute.

cc @DaphneMuller

@skjnldsv
Member

skjnldsv commented May 4, 2026

@kesselb do you still have the same opinion on merging this or not?
Shall we lure other devs for their opinions on this?

@skjnldsv
Member

skjnldsv commented May 4, 2026

Hey @mschilli87, thanks for the contribution, it's genuinely appreciated 🙏

I get the frustration, and the survey bot's timing was pretty unfortunate ngl. But 15 days is actually pretty normal for a busy OSS project like this one; lots of PRs in popular repos wait months before getting any response at all. It's not a reflection on your work, just the reality of a big backlog run mostly by volunteers 😅

And we are actively trying to be better at this! We've managed to bring the open PR count here from 120+ down to around 40 in just a couple of weeks, so things are definitely moving in the right direction 💪

And to be fair, @kesselb did give you a pretty thoughtful response in the end! It's not a rejection either, just an ask to understand why NC32 produces larger headers before bumping the recommended nginx config values. That's a reasonable technical concern.

If you want to keep this moving, digging into the root cause on the NC32 side would be the way to go.
Happy to help if you want to dig into it! Otherwise, I would understand.

@mschilli87
Author

I get it, and I don't mind waiting for months as long as I don't get a bot response suggesting there is no interest. But apologies if I overreacted.

@skjnldsv
Member

skjnldsv commented May 4, 2026

All good!
The bot is an automated message to actually catch PRs where we failed to properly help the community. Kind of a way to feel the vibe and get an extra ping if something went under the radar ☺️

Back to the topic, what do you think of Daniel's answer regarding the 32 change?
If it suddenly became necessary for you to have this config, maybe we did something unexpected 🤔
Have you more insight to give regarding your use case/situation?

@mschilli87
Author

No, I don't. I noticed the issue, tried to track it down, found this header response being too big and increased the limit on my setup. I have been running it with the increased values ever since. I just figured it might be useful to bump the defaults as well. But if I am the only one with some weird workload or configuration that causes these big header responses, I don't mind if you close this without merging. It just took me a few hours to make it work on my system and I wanted to save others some time. That was all the motivation for this tiny PR.
If you want me to run specific checks, let me know and I'll try to get to it as soon as I have some time on my hands.

@mschilli87
Author

Following @kesselb's question in the forum, here is the output of

curl -i https://nextcloud.mydomain.tld

HTTP/2 302 
server: nginx
date: <time stamp>
content-type: text/html; charset=UTF-8
location: https://nextcloud.mydomain.tld/login
set-cookie: oc_sessionPassphrase=<redacted>; path=/; secure; HttpOnly; SameSite=Lax
content-security-policy: default-src 'self'; script-src 'self' 'nonce-<redacted>'; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';
set-cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=<expiration time & date>; SameSite=lax
set-cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=<expiration time & date>; SameSite=strict
set-cookie: <redacted>; path=/; secure; HttpOnly; SameSite=Lax
strict-transport-security: max-age=31536000
referrer-policy: no-referrer
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-robots-tag: noindex, nofollow

Note that this is with the changes proposed in this PR applied.

@skjnldsv
Member

skjnldsv commented May 5, 2026

It just took me a few hours to make it work on my system and I wanted to save others some time.

How most of us ended up contributing at Nextcloud! That's a great spirit 😊

Are you sure the proxy part is needed?
From my quick thinking, I think only the fastcgi would matter, no?

If so, I would adjust the PR to add a dedicated comment for this:

+    # If you encounter "upstream sent too big header while reading response
+    # header from upstream" or a 502 on `/` or `/login`, you may need to
+    # increase FastCGI response buffers for your setup:
+    #fastcgi_buffer_size 64k;
+    #fastcgi_busy_buffers_size 64k;
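Review bot: the last line of the suggested comment, `#fastcgi_busy_buffers_size 64k;`, is constrained by nginx relative to `fastcgi_buffers`: it must be at least the larger of `fastcgi_buffer_size` and one `fastcgi_buffers` buffer, and less than the total of all `fastcgi_buffers` minus one buffer. A reader who uncomments both lines in a config whose `fastcgi_buffers` total is small (the nginx default is 8 buffers of 4k or 8k) therefore gets a configuration error instead of a fix. Since the "upstream sent too big header" 502 comes from the response header not fitting into the first buffer, only `fastcgi_buffer_size` addresses the symptom described; suggest dropping `fastcgi_busy_buffers_size` from the hint, or adding a note that `fastcgi_buffers` may need raising alongside it.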

@kesselb
Contributor

kesselb commented May 5, 2026

HTTP/2 302 
server: nginx/1.29.7
date: Tue, 05 May 2026 15:19:02 GMT
content-type: text/html; charset=UTF-8
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-robots-tag: noindex, nofollow
referrer-policy: no-referrer
x-powered-by: PHP/8.4.11
set-cookie: ocq5akioejum=818078270994ede16873516d12771a9c; path=/; secure; HttpOnly; SameSite=Lax
set-cookie: oc_sessionPassphrase=Nu1R5ReL3PObSCw4F2X8uCPrN2uH5zC9kKZIc1DFfxt3NTYVjyCe2Ql4Nn%2FVwcICDa%2BUmj5%2BeJ5oMa6KZ3Qk5ovlMTSpUFRDm8U%2BbrBtVcxwIEAvyVEC0F881NsnVsBV; path=/; secure; HttpOnly; SameSite=Lax
set-cookie: ocq5akioejum=818078270994ede16873516d12771a9c; path=/; secure; HttpOnly; SameSite=Lax
content-security-policy: default-src 'self'; script-src 'self' 'nonce-B6Zhecnb7Lr+gb7dG+wnydQLbyPy35VWdD+SACYJkPA='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';
set-cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
set-cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
set-cookie: ocq5akioejum=818078270994ede16873516d12771a9c; path=/; secure; HttpOnly; SameSite=Lax
location: https://server99.internal/index.php/login
  • Sample response headers from my dev instance
  • ~1400 bytes when written to disk
  • Nginx default is 4k
  • Even with additional domains in the CSP (not the case in Marcel's response), I don't really see how that goes beyond 4k

fastcgi_buffer_size 64k;

Could also do 8k or 16k to have a smaller default.
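A quick way to put numbers on the question above (how large is the header block, and does it fit in fastcgi_buffer_size?), as an added Python check that is not part of this PR or the Nextcloud documentation. It measures a constructed sample modelled on the redacted capture earlier in the thread and flags header names that repeat, such as the Set-Cookie line that appears three times in the dev-instance dump.

```python
"""Check whether a captured HTTP response header block fits nginx's first
FastCGI buffer (fastcgi_buffer_size). Added diagnostic, not code from the PR.
If the upstream header does not fit, nginx logs "upstream sent too big header"
and answers 502. A curl -i capture only approximates what PHP-FPM emits."""
from collections import Counter

# Constructed sample modelled on the redacted `curl -i` output in the PR.
SAMPLE_HEADERS = "\r\n".join([
    "HTTP/2 302",
    "server: nginx",
    "content-type: text/html; charset=UTF-8",
    "location: https://nextcloud.example.tld/login",
    "set-cookie: oc_sessionPassphrase=REDACTED; path=/; secure; HttpOnly; SameSite=Lax",
    "content-security-policy: default-src 'self'; script-src 'self' 'nonce-REDACTED'; "
    "style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; "
    "font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';",
    "set-cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; SameSite=lax",
    "set-cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; SameSite=strict",
    "set-cookie: ocsession=REDACTED; path=/; secure; HttpOnly; SameSite=Lax",
    "set-cookie: ocsession=REDACTED; path=/; secure; HttpOnly; SameSite=Lax",  # repeated, as in the dump above
    "strict-transport-security: max-age=31536000",
    "", "",  # terminating CRLF CRLF
])


def parse_size(value: str) -> int:
    """Parse an nginx size literal ('4k', '64K', '8192') into bytes."""
    value = value.strip().lower()
    if value.endswith("k"):
        return int(value[:-1]) * 1024
    return int(value)


def header_bytes(raw: str) -> int:
    """Bytes of the status line plus all headers, CRLFs included."""
    head = raw.split("\r\n\r\n", 1)[0]
    return len(head.encode("utf-8")) + 4


def repeated_headers(raw: str) -> dict:
    """Header names occurring more than once; repeated Set-Cookie lines inflate the block."""
    head = raw.split("\r\n\r\n", 1)[0]
    names = [ln.split(":", 1)[0].lower() for ln in head.split("\r\n")[1:] if ":" in ln]
    return {n: c for n, c in Counter(names).items() if c > 1}


def fits_in_buffer(raw: str, fastcgi_buffer_size: str) -> bool:
    """True if the header block fits in the configured first FastCGI buffer."""
    return header_bytes(raw) <= parse_size(fastcgi_buffer_size)
```

Feed it the raw text of a real `curl -i` capture (headers up to the blank line) to compare your own instance against the 4k default and the 64k proposed here.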
