If you're trying to rewrite clean URLs like <code>/results/summer-meet</code> to <code>/results/view.php?slug=summer-meet</code> in Nginx, everything might seem simple... until your <code>.php</code> files start downloading instead of executing.Here’s what’s going wrong — and how to fix it.<figure class="image"><img src="https://images.unsplash.com/photo-1613905780946-26b73b6f6e11?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wxNTQwMTB8MHwxfHNlYXJjaHwxfHxzdHVwaWR8ZW58MHx8fHwxNzQ3MjczMDY0fDA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080"><figcaption>Photo by <a target="_blank" rel="noopener noreferrer" href="https://unsplash.com/@elimendeinagella?utm_source=DNX&amp;utm_medium=referral">Elimende Inagella</a> on <a target="_blank" rel="noopener noreferrer" href="https://unsplash.com/?utm_source=DNX&amp;utm_medium=referral">Unsplash</a></figcaption></figure><h2>❌ The Common (Broken) Approach Using Regex</h2><pre><code class="language-plaintext">location ~ ^/(results|standards|meet|heat-sheets|psych-sheets)/ {
 try_files $uri $uri/ @rewrite_view;
}

location @rewrite_view {
 rewrite ^/(results|standards|meet|heat-sheets|psych-sheets)/([a-z0-9\-]+)$ /$1/view.php?slug=$2 last;
}
</code></pre>Why it fails:The <code>location ~</code> block is a regex match.Nginx gives regex blocks higher priority, and once it matches this block, it does not fallback to your global <code>.php</code>handler like:<pre><code class="language-plaintext">location ~ \.php$ { ... }
</code></pre>Result: <code>/results/view.php</code> gets matched by the regex block, and since there's no <code>.php</code> handler inside, Nginx serves it as a static file — or downloads it.<h2>✅ Working Alternative (Split Routers, No Regex)</h2>The safest way is to avoid regex and use one <code>location</code> per folder:<pre><code class="language-plaintext">location /results/ {
 try_files $uri $uri/ @rewrite_results;
}

location @rewrite_results {
 rewrite ^/results/([^/]+)$ /results/view.php?slug=$1 last;
 return 404;
}
</code></pre>Repeat for each folder (<code>/standards/</code>, <code>/meet/</code>, etc.).This works because:<code>location /results/</code> is a prefix match, not regexIf the file exists (like <code>view.php</code>), it falls through to the global <code>.php$</code> handler correctlyNo more downloads. Clean, clear routing.<h2>✅ Advanced Fix: Keep Regex Router + Add Folder-Specific <code>.php</code> Handler</h2>If you really want to keep the compact regex style, you must re-define <code>.php</code> handling for those folders:<pre><code class="language-plaintext">location ~ ^/(results|standards|meet|heat-sheets|psych-sheets)/ {
 try_files $uri $uri/ @rewrite_view;
}

location ~ ^/(results|standards|meet|heat-sheets|psych-sheets)/.*\.php$ {
 include snippets/fastcgi-php.conf;
 fastcgi_pass unix:/run/php/php8.2-fpm-swimsnap.sock;
 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 include fastcgi_params;
}
</code></pre>This ensures PHP files inside those folders (like <code>view.php</code>) still get routed through PHP-FPM correctly.<h2>🧠 Final Advice</h2>Prefer prefix-based blocks (<code>location /results/</code>) unless you have a strong reason for regexIf you use <code>location ~</code>, you must handle <code>.php</code> within the same scope or via more specific regexAlways verify with <code>nginx -t</code> and test <code>.php</code> execution directly to avoid silent errorsIf you're seeing downloads or blank responses, chances are it's not your rewrite — it's Nginx falling into the wrong block.

This post explains why Nginx PHP rewrites using regex-based location ~ blocks often fail — causing .php files to download instead of execute. It walks through a reliable no-regex solution using prefix-based locations and shows how to fix the regex approach by adding folder-specific .php handlers. Ideal for anyone implementing clean URLs in PHP with Nginx.

Why Your Nginx PHP Rewrites Might Fail — and How to Fix Them

Today I learned something important about how Apache and Nginx handle WebSocket upgrades.In Apache, it’s straightforward: you can use <code>RewriteCond %{HTTP:Upgrade} =websocket</code> to detect when a client is actually requesting a WebSocket. Only then do you forward with the <code>ws://</code> protocol and set the <code>Connection/Upgrade</code> headers. If the request is just plain HTTP, you skip all that and proxy normally. Clean separation.<figure class="image"><img src="https://images.unsplash.com/photo-1508920291026-c344bbfca1ab?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wxNTQwMTB8MHwxfHNlYXJjaHwxfHxzb2NrZXR8ZW58MHx8fHwxNzU1NzIyNTY3fDA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080"><figcaption>Photo by <a target="_blank" rel="noopener noreferrer" href="https://unsplash.com/@nevenkrcmarek?utm_source=DNX&amp;utm_medium=referral">Neven Krcmarek</a> on <a target="_blank" rel="noopener noreferrer" href="https://unsplash.com/?utm_source=DNX&amp;utm_medium=referral">Unsplash</a></figcaption></figure>In Nginx, things work differently. If you follow common examples online, you’ll often see this in every location block:<pre><code class="language-plaintext">proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
</code></pre>The problem? That sends <code>Connection: upgrade</code> even for normal HTTP requests. If your upstream isn’t expecting it, you can end up with weird parsing issues. It’s like telling your backend “this is a WebSocket” when it really isn’t.The better approach in Nginx depends on your situation:If you don’t use WebSockets at all: Don’t set <code>Upgrade</code> or <code>Connection</code> headers anywhere. Just keep the proxy clean.If you use WebSockets only on a certain path: Put the <code>Upgrade/Connection</code> headers in a dedicated <code>location /ws/</code> block, and leave normal <code>location /</code> untouched.If you want to emulate Apache’s conditional logic everywhere: Use a <code>map</code> in <code>nginx.conf</code> to set <code>Connection</code> to <code>"upgrade"</code> only when <code>$http_upgrade</code> is present, otherwise <code>"close"</code>.Example:<pre><code class="language-plaintext">map $http_upgrade $connection_upgrade {
 default upgrade;
 '' close;
}

location / {
 proxy_http_version 1.1;
 proxy_set_header Host $host;
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection $connection_upgrade;
 proxy_pass http://127.0.0.1:8082;
}
</code></pre><h3>Takeaway</h3>Apache makes it easy to branch on WebSocket vs. HTTP with <code>RewriteCond</code>. In Nginx, you either separate into different <code>location</code> blocks or use a <code>map</code>. And if you don’t need WebSockets at all, the cleanest solution is to drop the <code>Upgrade/Connection</code> headers entirely.Want me to also make a short one-paragraph version of this (like you did for the header-size blog)?

When handling WebSocket upgrades, Apache and Nginx take different approaches: Apache uses conditional rewrite rules to only send the Upgrade and Connection: upgrade headers when the client actually requests a WebSocket connection, keeping normal HTTP traffic clean and efficient. Nginx, on the other hand, often relies on always setting these headers in proxy configs, which can cause unnecessary overhead or even break normal requests if left unguarded. The key lesson is to handle upgrades conditionally—just like Apache does—so that WebSocket traffic is supported without polluting or disrupting standard HTTP traffic.

WebSocket Upgrade Handling: Apache vs. Nginx

When you start adding SSO providers, JWTs, or large cookies to your web stack, you’ll eventually hit a frustrating error:<pre><code class="language-plaintext">400 Bad Request – Request Header Or Cookie Too Large
431 Request Header Fields Too Large
502 Bad Gateway – upstream sent too big header</code></pre>These errors are not random—they happen because web servers like Apache and Nginx enforce limits on HTTP header size. Let’s break down the defaults, how to tune them, and why you should resist the temptation to set them “infinitely large.”<figure class="image"><img src="https://images.unsplash.com/photo-1472289065668-ce650ac443d2?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wxNTQwMTB8MHwxfHNlYXJjaHwxfHxoZWFkZXJ8ZW58MHx8fHwxNzU3NzczODc5fDA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080"><figcaption>Photo by <a target="_blank" rel="noopener noreferrer" href="https://unsplash.com/@joannakosinska?utm_source=DNX&amp;utm_medium=referral">Joanna Kosinska</a> on <a target="_blank" rel="noopener noreferrer" href="https://unsplash.com/?utm_source=DNX&amp;utm_medium=referral">Unsplash</a></figcaption></figure><h2>Why header size matters</h2>Cookies: Each cookie can be up to ~4 KB. Multiply that by multiple cookies and you can easily exceed 8 KB.JWTs / OAuth tokens: A single token can be &gt;10 KB.Reverse proxies: You not only care about incoming request headers (from browsers) but also response headers (from your app), especially if your app sets big <code>Set-Cookie</code> values.If the server’s buffer is too small, it rejects the request/response with 400/431/502 errors.<h2>Nginx defaults vs tuning</h2>Defaults (64-bit builds):<pre><code class="language-plaintext">client_header_buffer_size 1k;
large_client_header_buffers 4 16k;
proxy_buffer_size 8k;
proxy_buffers 8 8k;
proxy_busy_buffers_size 16k;
http2_max_field_size 16k;
http2_max_header_size 64k;</code></pre>Request side: A single header line can only be 1k, and the total request headers 64 KB.Response side: A single upstream response header can’t exceed 8 KB.Common tuning (for Auth0, SSO, large cookies):<pre><code class="language-plaintext"># Requests (client → Nginx)
client_header_buffer_size 64k;
large_client_header_buffers 16 64k;

# Responses (upstream → Nginx)
proxy_buffer_size 16k;
proxy_buffers 8 16k;
proxy_busy_buffers_size 32k;

# HTTP/2 (mod_http2 in Nginx)
http2_max_field_size 32k;
http2_max_header_size 128k;
</code></pre>This raises both sides to handle bigger cookies and longer auth headers.<h2>Apache 2.4 defaults vs tuning</h2>HTTP/1.x defaults:<pre><code class="language-plaintext">LimitRequestFieldSize 8190 # ≈ 8 KB per header
LimitRequestLine 8190 # ≈ 8 KB for entire request line
LimitRequestFields 100 # max number of headers
</code></pre>HTTP/2 defaults (mod_http2):<pre><code class="language-plaintext">H2MaxHeaderListSize 65536 # 64 KB total headers</code></pre>Safe tuning for larger headers:<pre><code class="language-plaintext"># HTTP/1.x
LimitRequestFieldSize 16384
LimitRequestLine 16384

# HTTP/2
H2MaxHeaderListSize 131072 # 128 KB
</code></pre><h2>Why not set these “too large”?</h2>It might be tempting to set everything to 512 KB or 1 MB “just in case.” But that creates problems:Memory pressure: Apache and Nginx allocate buffers per connection. Large settings × many concurrent connections = wasted RAM.DoS surface: Attackers can exploit large headers to tie up server resources.Real-world limits: Browsers themselves rarely send &gt;16 KB per cookie header. Most apps don’t need more than ~128 KB total.The sweet spot is 16 KB per header and 128 KB total for HTTP/2—large enough for SSO tokens, but not so large that you waste memory.<h2>Troubleshooting checklist</h2>Seeing 400 Bad Request? → Raise <code>client_header_buffer_size</code> / <code>large_client_header_buffers</code> (Nginx) or <code>LimitRequestFieldSize</code> (Apache).Seeing 431 Request Header Fields Too Large (HTTP/2)? → Raise <code>http2_max_header_size</code> (Nginx) or <code>H2MaxHeaderListSize</code> (Apache).Seeing 502 upstream sent too big header? → Raise <code>proxy_buffer_size</code> (Nginx). Apache rarely needs this because it streams headers.<h2>TL;DR</h2>Nginx defaults are strict (1k per header line, 8k per response header). Tune both request and proxy buffers.Apache defaults are looser for HTTP/2 (64 KB), but still only 8 KB per header for HTTP/1.Don’t overshoot—large buffers eat memory and open DoS risks.Recommended safe values:16 KB per header128 KB total for HTTP/2That’s enough for real-world cookies, JWTs, and SSO without bloating your servers.

Both Apache and Nginx enforce limits on HTTP header sizes to prevent abuse, which can trigger confusing 400/431/502 errors when apps use large cookies or JWTs; by default, Apache allows ~8 KB per header in HTTP/1.x and 64 KB total in HTTP/2, while Nginx defaults are even tighter (1 KB per header line, 8 KB response headers), so tuning directives like LimitRequestFieldSize, H2MaxHeaderListSize, client_header_buffer_size, and proxy_buffer_size is often necessary—but keep values reasonable (≈16 KB per header, 128 KB total) to balance real-world needs with memory efficiency and DoS protection.

All Posts In Nginx