Feature Request: Policy for proxy_buffer_size and proxy_buffers
Summary
When using NGINX Gateway Fabric as a reverse proxy, it's not currently possible to configure the proxy_buffer_size and proxy_buffers directives through a policy. This can lead to "502 Bad Gateway" errors when the upstream service sends a large response header, such as a large cookie during an authentication callback.
The Problem
We are using NGINX Gateway Fabric version 2.1.2 to proxy requests to a service that uses OAuth2 for authentication. During the authentication callback, the upstream service sets a cookie that is larger than the default NGINX proxy buffer size. This results in the following error in the NGINX Gateway Fabric logs:
2025/10/09 09:57:43 [error] 188483#188483: *96524 upstream sent too big header while reading response header from upstream, client: 192.168.1.103, server: sciol.ac.cn, request: "GET /api/auth/callback/casdoor?... HTTP/2.0", upstream: "http://172.26.242.86:48197/api/auth/callback/casdoor?...", host: "sciol.ac.cn", referrer: "https://auth.sciol.ac.cn/"
This leads to a "502 Bad Gateway" error for the client.
Troubleshooting
We were able to identify the root cause by inspecting the logs of both the upstream service and the NGINX Gateway Fabric pod. The upstream service logs showed a successful authentication and a redirect, while the NGINX Gateway Fabric logs showed the "upstream sent too big header" error.
Temporary Workaround
We were able to work around this issue by creating a new configuration file in the /etc/nginx/conf.d/ directory of the NGINX Gateway Fabric pod. This directory is a writable EmptyDir volume, so the changes are not persistent and will be lost if the pod is restarted.
Here is the content of the configuration file (proxy-buffers.conf):
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
We then copied this file to the pod and reloaded the NGINX configuration. This resolved the issue.
Here is a script that automates the workaround:
#!/bin/bash
# Stop on the first failed command so the success message is only printed
# when the copy and the reload both worked
set -euo pipefail
# The name of the NGINX Gateway Fabric pod
POD_NAME="gateway-nginx-79fbbc6f9d-h2dp9"
# The namespace of the NGINX Gateway Fabric pod
NAMESPACE="default"
# Create the configuration file
cat <<EOF > proxy-buffers.conf
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
EOF
# Copy the configuration file to the pod
kubectl cp proxy-buffers.conf "${POD_NAME}:/etc/nginx/conf.d/proxy-buffers.conf" -n "${NAMESPACE}"
# Reload the NGINX configuration
kubectl exec "${POD_NAME}" -n "${NAMESPACE}" -- nginx -s reload
echo "Successfully applied the workaround."
Requested Feature
While the workaround is effective, it is not a permanent solution. We request that a policy be added to NGINX Gateway Fabric to allow for the configuration of proxy_buffer_size, proxy_buffers, and other related directives. This would allow us to configure these settings in a declarative and persistent manner.
Thank you for your consideration.
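The following is an added example, not part of the original issue and not NGINX Gateway Fabric code: it checks a set of proxy buffer directives against a captured upstream response header and against the consistency rules nginx enforces between the three directives at configuration load. The sample response, the function names and the 4k default values are assumptions made for the illustration (nginx's real defaults depend on the platform page size).

```python
import re

UNITS = {"": 1, "k": 1024, "m": 1024 ** 2}

# Constructed sample: a redirect whose Set-Cookie header is about 6 KB.
SAMPLE = (b"HTTP/1.1 302 Found\r\nLocation: /\r\nSet-Cookie: session="
          + b"A" * 6000 + b"; HttpOnly\r\n\r\n")
WORKAROUND = ("proxy_buffer_size 128k;\nproxy_buffers 4 256k;\n"
              "proxy_busy_buffers_size 256k;\n")
ASSUMED_DEFAULTS = "proxy_buffer_size 4k;\nproxy_buffers 8 4k;\n"  # assumption

def parse_size(text):
    """Convert an nginx size such as '128k' or '1m' to bytes."""
    m = re.fullmatch(r"(\d+)([kKmM]?)", text.strip())
    if not m:
        raise ValueError(f"not an nginx size: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2).lower()]

def header_size(raw_response):
    """Bytes of status line plus headers, including the blank-line terminator."""
    end = raw_response.find(b"\r\n\r\n")
    if end < 0:
        raise ValueError("header terminator not found")
    return end + 4

def check_buffers(conf, header_bytes):
    """Return a list of problems; an empty list means the settings are usable."""
    d = {n: a.split() for n, a in re.findall(r"^\s*(\w+)\s+([^;]+);", conf, re.M)}
    buf_size = parse_size(d["proxy_buffer_size"][0])
    num, each = int(d["proxy_buffers"][0]), parse_size(d["proxy_buffers"][1])
    floor = max(buf_size, each)
    # When proxy_busy_buffers_size is unset, nginx uses twice that maximum.
    busy = (parse_size(d["proxy_busy_buffers_size"][0])
            if "proxy_busy_buffers_size" in d else 2 * floor)
    problems = []
    if header_bytes > buf_size:  # the whole header must fit in this one buffer
        problems.append("header exceeds proxy_buffer_size")
    if num < 2:
        problems.append("need at least 2 proxy_buffers")
    if busy < floor:
        problems.append("proxy_busy_buffers_size below max(proxy_buffer_size, one buffer)")
    if busy > (num - 1) * each:
        problems.append("proxy_busy_buffers_size above all proxy_buffers minus one")
    return problems

if __name__ == "__main__":
    for name, conf in (("defaults", ASSUMED_DEFAULTS), ("workaround", WORKAROUND)):
        print(name, check_buffers(conf, header_size(SAMPLE)) or "ok")
```

Raising only proxy_buffer_size while leaving proxy_buffers small fails the last check, which is why the workaround sets all three directives together.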