Super Admin - 502 Bad Gateway error

Hi

Using V2026.4

If I use the super admin (hard coded name and password) I get 502 Bad Gateway error

I’m in Debug Dev mode

If I deliberately use the wrong password it comes back and tells me I have an incorrect username or password

Pointers appreciated

Kind Regards

John

You may post the log file (the part after login attempt) for discussion.

Hi

The access log says this:

3688580#0: *17318004 upstream sent too big header while reading response header from upstream

Kind Regards

John B

  1. You may check HTTP response and see why the response header is too big.
  2. Your log doesn't look like the PHPMaker log. Where is it from? The PHPMaker (v2026) log file should be under var/log/dev-yyyy-mm-dd.log (assuming the "dev" environment).
  3. If you have enabled Log AJAX requests to browser, read Web Server Header Size Limit.

Here is the log

[2026-01-05T08:50:15.818537+00:00] deprecation.INFO: User Deprecated: Class "Doctrine\ORM\Proxy\Autoloader" is deprecated. Use native lazy objects instead.
(Autoloader.php:74 called by DoctrineBundle.php:136, https://github.com/doctrine/orm/pull/12005, package doctrine/orm)
{"exception":"[object] (ErrorException(code: 0): User Deprecated: Class \"Doctrine\\ORM\\Proxy\\Autoloader\" is deprecated. Use native lazy objects instead. (Autoloader.php:74 called by DoctrineBundle.php:136, https://github.com/doctrine/orm/pull/12005, package doctrine/orm) at /var/www/vhosts/xxx.org/VLF.xxx.org/vendor/doctrine/deprecations/src/Deprecation.php:208)"} []

[2026-01-05T08:50:15.822902+00:00] request.INFO: Matched route "login".
{"route":"login","route_parameters":{"_route":"login","_controller":"PHPMaker2026\\Vlf\\AppController::login"},"request_uri":"https://vlf.xxx.org/login","method":"POST"} []

[2026-01-05T08:50:15.825115+00:00] security.DEBUG: Checking for authenticator support.
{"firewall_name":"main","authenticators":1} []

[2026-01-05T08:50:15.825149+00:00] security.DEBUG: Checking support on authenticator.
{"firewall_name":"main","authenticator":"Symfony\\Component\\Security\\Http\\Authenticator\\FormLoginAuthenticator"} []

[2026-01-05T08:50:15.825175+00:00] app.DEBUG: Authenticator will be executed for this request
{"authenticator_class":"Symfony\\Component\\Security\\Http\\Authenticator\\FormLoginAuthenticator","request_path":"/login"} []

[2026-01-05T08:50:15.825691+00:00] request.DEBUG: CSRF validation accepted using origin info. [] []

[2026-01-05T08:50:15.827664+00:00] deprecation.INFO: User Deprecated: Support for MariaDB < 10.6.0 is deprecated and will be removed in DBAL 5.
(AbstractMySQLDriver.php:54 called by AbstractDriverMiddleware.php:32, https://github.com/doctrine/dbal/pull/6343, package doctrine/dbal)
{"exception":"[object] (ErrorException(code: 0): User Deprecated: Support for MariaDB < 10.6.0 is deprecated and will be removed in DBAL 5 (AbstractMySQLDriver.php:54 called by AbstractDriverMiddleware.php:32, https://github.com/doctrine/dbal/pull/6343, package doctrine/dbal) at /var/www/vhosts/xxx.org/VLF.xxx.org/vendor/doctrine/deprecations/src/Deprecation.php:208)"} []

[2026-01-05T08:50:17.275643+00:00] security.INFO: Authenticator successful!
{"token":{"Symfony\\Component\\Security\\Core\\Authentication\\Token\\UsernamePasswordToken":"UsernamePasswordToken(user=\"jberman\", roles=\"ROLE_SUPER_ADMIN\")"},"authenticator":"Symfony\\Component\\Security\\Http\\Authenticator\\FormLoginAuthenticator"} []

[2026-01-05T08:50:17.276509+00:00] cache.INFO: Lock acquired, now computing item "user_level.data"
{"key":"user_level.data"} []

[2026-01-05T08:50:17.276708+00:00] security.DEBUG: The authenticator set the response. Any later authenticator will not be called
{"authenticator":"Symfony\\Component\\Security\\Http\\Authenticator\\FormLoginAuthenticator"} []

[2026-01-05T08:50:17.276783+00:00] security.DEBUG: Stored the security token in the session.
{"key":"_security_main"} []

[2026-01-05T08:50:17.320439+00:00] deprecation.INFO: User Deprecated: Class "Doctrine\ORM\Proxy\Autoloader" is deprecated. Use native lazy objects instead.
{"exception":"[object] (ErrorException(code: 0): User Deprecated: Class \"Doctrine\\ORM\\Proxy\\Autoloader\" is deprecated. Use native lazy objects instead. at /var/www/vhosts/xxx.org/VLF.xxx.org/vendor/doctrine/deprecations/src/Deprecation.php:208)"} []

[2026-01-05T08:50:17.322524+00:00] request.INFO: Matched route "login".
{"route":"login","route_parameters":{"_route":"login","_controller":"PHPMaker2026\\Vlf\\AppController::login"},"request_uri":"https://vlf.xxx.org/login","method":"GET"} []

[2026-01-05T08:50:17.323716+00:00] security.DEBUG: Read existing security token from the session.
{"key":"_security_main","token_class":"Symfony\\Component\\Security\\Core\\Authentication\\Token\\UsernamePasswordToken"} []

[2026-01-05T08:50:17.323812+00:00] security.DEBUG: User was reloaded from a user provider.
{"provider":"Symfony\\Component\\Security\\Core\\User\\InMemoryUserProvider","username":"jberman"} []

[2026-01-05T08:50:17.324035+00:00] app.DEBUG: Authenticator skipped for this request
{"authenticator_class":"Symfony\\Component\\Security\\Http\\Authenticator\\FormLoginAuthenticator","request_path":"/login"} []

[2026-01-05T08:50:17.370447+00:00] request.INFO: Matched route "index".
{"route":"index","route_parameters":{"_route":"index","_controller":"PHPMaker2026\\Vlf\\AppController::index"},"request_uri":"https://vlf.xxx.org/","method":"GET"} []

[2026-01-05T08:50:17.414163+00:00] request.INFO: Matched route "custom.welcome".
{"route":"custom.welcome","route_parameters":{"_route":"custom.welcome","params":null,"_controller":"PHPMaker2026\\Vlf\\WelcomeController"},"request_uri":"https://vlf.xxx.org/welcome","method":"GET"} []

Kind Regards

John B

As you can see, the authentication was successful and the user is redirected to your custom file (welcome) correctly.

However, the response header was too long so you got the error.

As suggested, you should check the HTTP response and check why the header was so long.

Hi

This is what I see

You may want to google "Steps to View Response Headers in Browser" and follow the steps.

I think this is what's needed

Kind Regards

John B

As you can see from the response header, the cookies are just a few hundred bytes, well below the normal web server limit, which should be at least 4KB. It should not be due to the cookies.

However, v2026 uses Link headers to preload JavaScripts and stylesheet for better performance. That may cause the issue. You can test by disabling the headers by:

Open vendor\symfony\web-link\EventListener\AddLinkHeaderListener.php, comment out this line:

$event->getResponse()->headers->set('Link', $this->serializer->serialize($links), false);

Note that this will degrade performance. If your hosting provider does not allow adjusting header size, you may want to consider another.

Hi

Thanks, disabling the headers as a test works. My provider will allow me to adjust header size by adding additional directives, and they say I should use fastcgi buffers:

fastcgi_buffer_size 256k;
fastcgi_buffers 8 256k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;

I have no idea what to increase them to?

Kind Regards

John B

You may try doubling them first.

Thanks for your patience - Solved
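
Added example, not part of the original thread and not PHPMaker or nginx code: a way to size `fastcgi_buffer_size` from a captured header block instead of guessing. nginx reads the upstream response header into that buffer (one memory page by default, 4k or 8k), and "upstream sent too big header" means the header did not fit. The response, asset paths and cookie value below are constructed, and the result is an estimate because FastCGI record framing is not counted.

```python
# Added example: estimate whether an upstream response header block fits in
# nginx's fastcgi_buffer_size. All sample data below is constructed.

UNITS = {"k": 1024, "m": 1024 ** 2}

def parse_nginx_size(value: str) -> int:
    """Convert an nginx size such as '4k', '256k' or '1m' to bytes."""
    value = value.strip().lower()
    if value and value[-1] in UNITS:
        return int(value[:-1]) * UNITS[value[-1]]
    return int(value)

def header_sizes(raw: bytes) -> dict:
    """Return bytes used per header name (name, ': ', value and CRLF)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    sizes = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name = line.split(b":", 1)[0].decode("ascii").lower()
        sizes[name] = sizes.get(name, 0) + len(line) + 2
    return sizes

def check(raw: bytes, buffer_size: str) -> dict:
    """Compare the header block with the buffer and name the largest header."""
    sizes = header_sizes(raw)
    status_line = len(raw.split(b"\r\n", 1)[0]) + 2
    total = status_line + sum(sizes.values()) + 2  # +2 for the blank line
    limit = parse_nginx_size(buffer_size)
    largest = max(sizes, key=sizes.get)
    return {"total": total, "limit": limit, "fits": total <= limit,
            "largest": largest, "largest_bytes": sizes[largest]}

def sample_response(preloaded_assets: int) -> bytes:
    """Constructed response: one Link header listing N preloaded assets."""
    links = ", ".join(
        f"</build/assets/chunk-{i:04d}.js>; rel=\"preload\"; as=\"script\""
        for i in range(preloaded_assets))
    return ("HTTP/1.1 200 OK\r\n"
            "Content-Type: text/html; charset=UTF-8\r\n"
            "Set-Cookie: PHPSESSID=constructedsessionid; path=/; HttpOnly\r\n"
            f"Link: {links}\r\n\r\n").encode("ascii")

if __name__ == "__main__":
    for size in ("4k", "8k", "256k"):
        print(size, check(sample_response(120), size))
```

To use it on a real site, replace `sample_response()` with the header block captured while the Link header is still enabled, then choose a buffer size with headroom above the reported total.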