Hi,
I am using haproxy to forward request to backend server.
We have implemented own http backend server which runs
in embedded system. Most of the pages are working fine.
One page in which we do file transfer does not work.
We receive following response from that page,
+++++++++++++++++++++++++++++++++++++++++++++++++++
502 Bad Gateway
The server returned an invalid or incomplete response.
+++++++++++++++++++++++++++++++++++++++++++
Doing wireshark shows that, the connection between haproxy and backend
server is valid for around 10seconds. After that FIN or RST is sent by
haproxy.
I tried to play with some timeout options, but nothing helped.
Could you please tell why 502 bad gateway response is received only for
this specific page.
See below the debug output of some commands,
ilan@ilan-laptop$*echo "show errors" | sudo socat /run/haproxy/admin.sock
stdio*
*Total events captured on [19/Aug/2015:15:36:43.378] : 3*
*[19/Aug/2015:15:36:18.452] backend nodes (#4): invalid response*
* frontend localnodes (#2), server web01 (#1), event #2*
* src 127.0.0.1:40332 http://127.0.0.1:40332, session #119, session
flags 0x000000ce*
* HTTP msg state 26, msg flags 0x00000000, tx flags 0x28000000*
* HTTP chunk len 0 bytes, HTTP body len 0 bytes*
* buffer flags 0x00008002, out 0 bytes, total 1024 bytes*
* pending 1024 bytes, wrapping at 16384, error at position 0:*
Also, here is the output of /var/log.haproxy.log file,
*Aug 19 15:36:18 ilan-laptop haproxy[12760]: 127.0.0.1:40332
http://127.0.0.1:40332 [19/Aug/2015:15:36:08.349] localnodes nodes/web01
0/0/0/-1/10102 502 1229 - - PH-- 0/0/0/0/0 0/0 "POST
/iss/specific/remoterestore.html HTTP/1.1"*
Below is my haproxy configuration,
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
tune.ssl.default-dh-param 1024
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
ssl-default-bind-ciphers
ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL
ssl-default-bind-options no-sslv3
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend localnodes
bind *:80
mode http
default_backend nodes
frontend https-in
#bind *:443 ssl crt /etc/ssl/certs/ssl-cert-snakeoil.pem
bind *:443 ssl crt /etc/ssl/xip.io/xip.io.pem
#reqadd X-Forwarded-Proto:\ http
default_backend nodes
backend nodes
mode http
balance roundrobin
option forwardfor
redirect scheme https if !{ ssl_fc }
#http-request set-header X-Forwarded-Port %[dst_port]
#http-request add-header X-Forwarded-Proto https if { ssl_fc }
#option httpchk HEAD / HTTP/1.1\r\nHost:localhost
server web01 192.168.1.11:8001
Regards,
Ilan
I am using haproxy to forward request to backend server.
We have implemented own http backend server which runs
in embedded system. Most of the pages are working fine.
One page in which we do file transfer does not work.
We receive following response from that page,
+++++++++++++++++++++++++++++++++++++++++++++++++++
502 Bad Gateway
The server returned an invalid or incomplete response.
+++++++++++++++++++++++++++++++++++++++++++
Doing wireshark shows that, the connection between haproxy and backend
server is valid for around 10seconds. After that FIN or RST is sent by
haproxy.
I tried to play with some timeout options, but nothing helped.
Could you please tell why 502 bad gateway response is received only for
this specific page.
See below the debug output of some commands,
ilan@ilan-laptop$*echo "show errors" | sudo socat /run/haproxy/admin.sock
stdio*
*Total events captured on [19/Aug/2015:15:36:43.378] : 3*
*[19/Aug/2015:15:36:18.452] backend nodes (#4): invalid response*
* frontend localnodes (#2), server web01 (#1), event #2*
* src 127.0.0.1:40332 http://127.0.0.1:40332, session #119, session
flags 0x000000ce*
* HTTP msg state 26, msg flags 0x00000000, tx flags 0x28000000*
* HTTP chunk len 0 bytes, HTTP body len 0 bytes*
* buffer flags 0x00008002, out 0 bytes, total 1024 bytes*
* pending 1024 bytes, wrapping at 16384, error at position 0:*
Also, here is the output of /var/log.haproxy.log file,
*Aug 19 15:36:18 ilan-laptop haproxy[12760]: 127.0.0.1:40332
http://127.0.0.1:40332 [19/Aug/2015:15:36:08.349] localnodes nodes/web01
0/0/0/-1/10102 502 1229 - - PH-- 0/0/0/0/0 0/0 "POST
/iss/specific/remoterestore.html HTTP/1.1"*
Below is my haproxy configuration,
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
tune.ssl.default-dh-param 1024
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
ssl-default-bind-ciphers
ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL
ssl-default-bind-options no-sslv3
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend localnodes
bind *:80
mode http
default_backend nodes
frontend https-in
#bind *:443 ssl crt /etc/ssl/certs/ssl-cert-snakeoil.pem
bind *:443 ssl crt /etc/ssl/xip.io/xip.io.pem
#reqadd X-Forwarded-Proto:\ http
default_backend nodes
backend nodes
mode http
balance roundrobin
option forwardfor
redirect scheme https if !{ ssl_fc }
#http-request set-header X-Forwarded-Port %[dst_port]
#http-request add-header X-Forwarded-Proto https if { ssl_fc }
#option httpchk HEAD / HTTP/1.1\r\nHost:localhost
server web01 192.168.1.11:8001
Regards,
Ilan