Forum Replies Created

Viewing 8 replies - 1 through 8 (of 8 total)
  • Thread Starter esadc

    (@esadc)

    I’ve added the following to my WordPress server block and it fixed my issue:

    proxy_buffers 8 16k;
    proxy_buffer_size 16k;

    Thank you for your help!

    Thread Starter esadc

    (@esadc)

    Okay, that’s good to know. I’ll play around with my Nginx config and see if it fixes the issue (don’t have time atm).

    I don’t think I can do anything in the PHP code to deal with this issue

    Not sure I entirely understand this. When I removed the PHP code snippets I listed in my previous post, that fixed the 502 errors. Or is it that somehow the code snippets listed above add additional JS/CSS that needs hashes (I don’t see how that could happen), which then leads to the response header being too big?

    I think it is better to use nonce for external content

    The primary reason why I want to use hashes instead of nonces is that I want to statically cache pages. This means that nonces will never change (until the cache is cleared) for each page, which opens up a CSP bypass.
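
Added example, not part of the original post or the plugin's code: a Python sketch of why a hash-based CSP stays valid on a statically cached page, yet can push the upstream response header past the proxy's `proxy_buffer_size` and trigger the `upstream sent too big header` 502. The function names, the constructed inline scripts and the 4096-byte buffer (nginx defaults to one memory page, 4k or 8k) are assumptions; the size is an estimate of the header block, not nginx's exact accounting.

```python
import base64
import hashlib

# Assumption: nginx's proxy_buffer_size defaults to one memory page (4k here).
DEFAULT_PROXY_BUFFER_SIZE = 4096


def csp_hash(inline_source: str) -> str:
    """CSP source expression for one inline <script>/<style> body.

    The digest covers the exact bytes between the tags, so it stays valid
    for as long as the cached page is unchanged (unlike a reused nonce).
    """
    digest = hashlib.sha256(inline_source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def build_csp(inline_scripts, inline_styles=()):
    """Build a hash-based policy; duplicate bodies collapse to one hash."""
    def sources(bodies):
        return " ".join(["'self'"] + sorted({csp_hash(b) for b in bodies}))
    return (f"default-src 'self'; script-src {sources(inline_scripts)}; "
            f"style-src {sources(inline_styles)}")


def header_block_size(headers: dict) -> int:
    """Estimated bytes of status line + header lines + terminating CRLF."""
    size = len("HTTP/1.1 200 OK\r\n") + 2
    for name, value in headers.items():
        size += len(f"{name}: {value}\r\n".encode("latin-1"))
    return size


def fits_proxy_buffer(headers: dict, buffer_size=DEFAULT_PROXY_BUFFER_SIZE) -> bool:
    """True if the proxy can read the whole response header into one buffer."""
    return header_block_size(headers) <= buffer_size


# Constructed sample: 80 distinct inline scripts, as a plugin-heavy page might emit.
SAMPLE_SCRIPTS = [f"console.log({i});" for i in range(80)]
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
    "Content-Security-Policy": build_csp(SAMPLE_SCRIPTS),
}

if __name__ == "__main__":
    print(header_block_size(SAMPLE_HEADERS), "bytes")
    print("fits 4k :", fits_proxy_buffer(SAMPLE_HEADERS))
    print("fits 16k:", fits_proxy_buffer(SAMPLE_HEADERS, 16 * 1024))
```

Each hash costs 53 bytes plus a separator, so the constructed 80-script policy overflows a 4k buffer but fits the 16k value used in the `proxy_buffer_size 16k;` fix from this thread.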

    Thread Starter esadc

    (@esadc)

    OK, I’ve found the issue: there is something with wp-code and certain PHP code that is causing a 502 error.

    Hide WP Version

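    <?php
    // Drop the generator tag from feeds and from <head>.
    add_filter('the_generator', '__return_empty_string');
    remove_action('wp_head', 'wp_generator');

    // Strip the ?ver= query argument from enqueued CSS/JS URLs.
    function remove_wpversion_cssjs( $src ) {
        // strpos() returns 0 for a match at offset 0, so compare against false.
        if ( strpos( $src, 'ver=' ) !== false ) {
            $src = remove_query_arg( 'ver', $src );
        }
        return $src;
    }
    add_filter( 'style_loader_src', 'remove_wpversion_cssjs');
    add_filter( 'script_loader_src', 'remove_wpversion_cssjs');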

    Remove Rest API from headers

    <?php 
    remove_action('xmlrpc_rsd_apis', 'rest_output_rsd');
    remove_action('wp_head', 'rest_output_link_wp_head');
    remove_action('template_redirect', 'rest_output_link_header', 11, 0);

    There is nothing inside the PHP logs; timestamps do not match up.

    [19-Mar-2023 00:00:09] NOTICE: error log file re-opened
    [20-Mar-2023 07:25:11] NOTICE: Terminating ...
    [20-Mar-2023 07:25:11] NOTICE: exiting, bye-bye!
    [20-Mar-2023 07:25:59] NOTICE: fpm is running, pid 160
    [20-Mar-2023 07:25:59] NOTICE: ready to handle connections
    [20-Mar-2023 07:25:59] NOTICE: systemd monitor interval set to 10000ms
    [20-Mar-2023 13:32:18] NOTICE: Terminating ...
    [20-Mar-2023 13:32:18] NOTICE: exiting, bye-bye!
    [20-Mar-2023 13:32:18] NOTICE: fpm is running, pid 2454
    [20-Mar-2023 13:32:18] NOTICE: ready to handle connections
    [20-Mar-2023 13:32:18] NOTICE: systemd monitor interval set to 10000ms
    [20-Mar-2023 13:43:20] NOTICE: Terminating ...
    [20-Mar-2023 13:43:20] NOTICE: exiting, bye-bye!
    [20-Mar-2023 13:43:20] NOTICE: fpm is running, pid 2702
    [20-Mar-2023 13:43:20] NOTICE: ready to handle connections
    [20-Mar-2023 13:43:20] NOTICE: systemd monitor interval set to 10000ms
    [20-Mar-2023 13:44:01] NOTICE: Terminating ...
    [20-Mar-2023 13:44:01] NOTICE: exiting, bye-bye!
    [20-Mar-2023 13:44:01] NOTICE: fpm is running, pid 2811
    [20-Mar-2023 13:44:01] NOTICE: ready to handle connections
    [20-Mar-2023 13:44:01] NOTICE: systemd monitor interval set to 10000ms
    [20-Mar-2023 13:44:13] NOTICE: Terminating ...
    [20-Mar-2023 13:44:13] NOTICE: exiting, bye-bye!
    [20-Mar-2023 13:44:13] NOTICE: fpm is running, pid 2888
    [20-Mar-2023 13:44:13] NOTICE: ready to handle connections
    [20-Mar-2023 13:44:13] NOTICE: systemd monitor interval set to 10000ms

    I’ve bypassed my Reverse Proxy and directly connected to WordPress and the 502 errors are gone, but they do occur when I connect via Reverse Proxy.

    I’ve also noticed this inside my Nginx Reverse Proxy error logs

    2023/03/21 09:35:00 [error] 1550167#1550167: *32377 upstream sent too big header while reading response header from upstream, client: 0.0.0.0, server: example.com, request: "GET /wp-login.php?redirect_to=https%3A%2F%2Fexample.com%2Fwp-admin%2F&reauth=1 HTTP/2.0", upstream: "https://0.0.0.0:443/wp-login.php?redirect_to=https%3A%2F%2Fexample.com%2Fwp-admin%2F&reauth=1", host: "example.com"
    • This reply was modified 1 year, 8 months ago by esadc.
    Thread Starter esadc

    (@esadc)

    I’ve set logging level to debug and the only thing that shows up is this, timestamps do not match up to when the issue occurs.
    2023-03-17 08:40:36 | WARNING | CSP headers not sent because headers were sent by at line 0

    I modified the file at /wp-content/plugins/no-unsafe-inline/public/class-no-unsafe-inline-public.php and set max_response_header_size to 4096 but I still got 502 errors.

    I’ve also tried adding large_client_header_buffers 4 8k; to nginx then restarting nginx but the issue still occurred.

    Thread Starter esadc

    (@esadc)

    I’m using Cloudflare Cache (standard cache level) with Nginx micro cache on my reverse proxy (pages are cached for 1 second).
    I disabled both and I’m still encountering 502 errors.
    Update:
    After a few hours my server stopped responding, I was forced to restart nginx and php-fpm. I’ve reverted back to nonces for the time being.

    • This reply was modified 1 year, 8 months ago by esadc.
    Thread Starter esadc

    (@esadc)

    I know it’s been a while, but I thought I should let you know that I got the plugin working. I don’t know what I did to fix it, but it works. The plugin increased my server response time a little bit, but everything else is working great.

    • This reply was modified 2 years, 1 month ago by esadc.
    Thread Starter esadc

    (@esadc)

    Still the same

    Thread Starter esadc

    (@esadc)

    That’s the strange part: the console doesn’t show any CSP errors.
