1

I am trying to implement a simple Google OAuth for my Express.js app using passport.js following this guide (just replace facebook with google) https://github.com/passport/express-4.x-facebook-example/blob/master/server.js

When I try it locally, things seem to be working well. When I deploy it to my Ubuntu production server, I get a 502 Bad Gateway error during the redirect callback from Google to the /login/google/return endpoint.

app.get('/login/google/return', 
  passport.authenticate('google', { failureRedirect: '/login' }),
  function(req, res) {
    res.redirect('/');
  });

If I comment out the the line passport.authenticate('google', {..}), then the error goes away. Upon inspecting nginx error log, I see this error

upstream sent too big header while reading response header from upstream

Here's the server configuration block for nginx:

location /auth/ {
   proxy_pass http://0.0.0.0:3000/;
}

Which means that I would log in to google by going to https://example.com/auth/login/google, being redirected to https://example.com/auth/login/google/return?code=4/adasfdafdsfd#, and then the 502 error happens.

I have tried setting up a similar nginx environment on my OS X development machine, but the problem does not occur there.

I have also tried to add the following to the nginx block configuration, but that doesn't seem to help either

proxy_buffers 8 16k;

I am at my wit's end as to how to debug/ solve this problem. Anyone's suggestion would be greatly appreciated. Here's the link to my project so far https://github.com/tnguyen14/auth/blob/master/index.js

Tri Nguyen
  • 9,950
  • 8
  • 40
  • 72
  • Just to make sure I understand correctly, if you go to https://example.com/auth/login/google/ you get your login page, but if you go to https://example.com/auth/login/google/return you get 502. Did you actually tried just going to https://example.com/auth/login/google/return? Just type that address in address bar and hit enter, do you get 502? – Molda Jul 20 '16 at 05:01
  • Have a look at this http://stackoverflow.com/q/23844761/3284355 – Molda Jul 20 '16 at 05:06
  • @Molda if I go to `/login/google/return` directly, it works fine as it redirects to Google for the account chooser page. it's only when Google redirects to `/login/google/return` with the code that the 502 occurs. I don't think the answer you linked is quite relevant because I'm not using fastcgi. – Tri Nguyen Jul 20 '16 at 06:36

1 Answers1

7

So I was close. proxy_buffers 8 16k; was not sufficient. Adding both of the following lines to nginx fixed it:

proxy_buffers 8 16k;
proxy_buffer_size 32k;

UPDATE: turns out, the reason why it complained about the header size is because I did not serialize the user profile sufficiently, so the object is too big for the cookie. Since I am using cookie-session, all of that data is stuffed into the cookie, making it too big.

Trimming down the things that would be serialize by passport session solves this problem without the added nginx config.

Tri Nguyen
  • 9,950
  • 8
  • 40
  • 72