502 BAD Gateway on AWS ALB/EC2

Hello Team,

I am creating an HAProxy configuration to connect to backend services running on AWS EC2 infrastructure. We have created a frontend service on the AWS load balancer that calls the HAProxy service, which in turn calls the EC2 instance.

e.g. Internet → AWS ALB → HAProxy → EC2 Backend Server

We are getting a 502 Bad Gateway error during the call. Could you please advise on how we can resolve the issue?

HAProxy Version:
HAProxy version 2.4.24-0ubuntu0.22.04.1 2023/10/31 - https://haproxy.org/

HAPROXY Log:
Mar 15 11:49:57 ip-XXXXX haproxy[3975]: XXXX:35998 [15/Mar/2024:11:49:57.851] main main/ -1/-1/-1/-1/0 400 0 - - PR-- 1/1/0/0/0 0/0 “”

HAPROXY Config file:

root@ip-10-69-86-228:~# cat /etc/haproxy/haproxy.cfg
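global
    # Process-wide settings: logging, privilege drop and the TLS defaults that
    # apply to every `bind ... ssl` listener.

    # Log to the local syslog socket: all levels on facility local0, and
    # notice-and-above on facility local1.
    log /dev/log local0
    log /dev/log local1 notice

    # Account HAProxy runs as after startup. user/group and uid/gid are two
    # ways of setting the same thing, so only one pair should be kept.
    # NOTE(review): confirm which account is intended and that it is
    # unprivileged.
    user haproxy
    group haproxy
    uid 99
    gid 99
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # See: Mozilla SSL Configuration Generator
    # (The comment marker on the line above was lost in the paste; without it
    # the line is not a valid directive and the file would not parse.)

    # TLS 1.2 cipher list for listeners: ECDHE key exchange with AES-GCM only.
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384
    # Wider list kept for reference (disabled):
    # ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    # TLS 1.3 cipher suites for listeners.
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    # Refuse anything older than TLS 1.2 and disable stateless session tickets.
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    # DH parameter size for DHE key exchange; the active cipher list above is
    # ECDHE-only, so this only matters if DHE ciphers are re-enabled.
    tune.ssl.default-dh-param 2048

    # These ssl-default-bind-* settings cover the client-facing side only.
    # TLS towards backend servers is controlled by the `server` lines and
    # ssl-default-server-* settings, none of which are set here.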

defaults
# Settings inherited by every frontend and backend section that follows.
log global
mode http
option httplog
# dontlognull suppresses log entries for connections that sent no data. This
# hides load-balancer health probes, but it also hides port scans.
# NOTE(review): decide whether that trade-off is acceptable for this listener.
option dontlognull
# Timeouts without a unit are in milliseconds: 5 s to connect, 50 s of
# client or server inactivity.
# NOTE(review): no `timeout http-request` is set in the configuration as
# posted, so a client can hold a connection open for the full client timeout
# while sending its request slowly.
timeout connect 5000
timeout client 50000
timeout server 50000
# Static response files returned for errors that HAProxy generates itself.
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http

frontend main
# Single entry point for traffic from the AWS ALB. It listens for TLS on 443
# and for plain HTTP on 80, then routes by URL path.
mode http
# NOTE(review): the ALB target group protocol must match the port it targets
# (HTTPS to 443, HTTP to 80). A mismatch reaches HAProxy as an unparsable
# request. The log line quoted in this post (status 400, termination state
# PR--, all timers -1) is what HAProxy records when it rejects a request at
# the frontend before choosing a backend, so check this first.
bind *:443 ssl crt /etc/haproxy/certs/sample_certficatecrt
# Plain-HTTP listener. Requests accepted here go to the same backends as the
# TLS listener, with nothing marking them as having arrived unencrypted.
bind *:80
default_backend health
# `path_beg /otcs` already matches the exact path /otcs, so the `path` test in
# each rule is redundant. path_beg is a plain prefix match, so it also matches
# paths such as /otcs-anything; use `path_beg /otcs/` with `path /otcs` if only
# that subtree is intended.
use_backend otcs-be if { path /otcs } || { path_beg /otcs }
# NOTE(review): otdsadmin-be and otdsws-be are not defined in the configuration
# as posted. HAProxy refuses to start when a use_backend rule names a missing
# backend, so either the paste is incomplete or these sections must be added.
use_backend otdsadmin-be if { path /otds-admin } || { path_beg /otds-admin }
use_backend otdsws-be if { path /otdsws } || { path_beg /otdsws }

backend health
# Default backend: receives every request that no use_backend rule matched.
mode http
# Port and scheme are hard-coded, so a request that arrived on the plain-HTTP
# listener (port 80) is still presented to the application as HTTPS on 443.
# NOTE(review): derive these from the connection (for example with ssl_fc), or
# drop the port 80 bind, if the application relies on these headers.
http-request set-header X-Forwarded-Port 443
http-request set-header X-Forwarded-Proto https
http-request set-header X-Forwarded-Host %[req.hdr(host)]
# %[src] is the address of the peer that connected to HAProxy. In the topology
# described in this post that is the ALB, not the end user. add-header also
# appends without removing an X-Real-Ip the client sent, so the backend may
# see an untrusted value first.
# NOTE(review): prefer set-header, and take the client address from the
# X-Forwarded-For header the ALB supplies.
http-request add-header X-Real-Ip %[src]
# This rewrites /otcs/<rest> to /otcs/<rest>, i.e. the path is left unchanged.
# NOTE(review): this looks copied from the otcs backend; confirm it is needed.
http-request replace-path /otcs/(.*) /otcs/\1
# `verify none` makes HAProxy accept any certificate from the backend, so the
# hop between HAProxy and the server is encrypted but not authenticated.
# NOTE(review): use `verify required` with a `ca-file` (and `verifyhost`) once
# the backend certificate chain is known. No `sni` is set either, so a backend
# that selects its certificate or virtual host by SNI may reject the handshake,
# which HAProxy would report to the client as a 502. Confirm against the
# backend.
server Myserver myserver.com:443 ssl verify none

backend otcs-be
# Backend for requests whose path starts with /otcs.
mode http
# NOTE(review): port 80 combined with scheme https is inconsistent. An
# application that builds absolute URLs from these headers would produce
# https://host:80/... links. Both values are also hard-coded, regardless of
# which listener the request actually arrived on.
http-request set-header X-Forwarded-Port 80
http-request set-header X-Forwarded-Proto https
http-request set-header X-Forwarded-Host %[req.hdr(host)]
# %[src] is the address of the peer that connected to HAProxy. In the topology
# described in this post that is the ALB, not the end user. add-header also
# appends without removing an X-Real-Ip the client sent.
# NOTE(review): prefer set-header, and take the client address from the
# X-Forwarded-For header the ALB supplies.
http-request add-header X-Real-Ip %[src]
# This rewrites /otcs/<rest> to /otcs/<rest>, i.e. the path is left unchanged.
http-request replace-path /otcs/(.*) /otcs/\1
# `verify none` disables certificate verification on the connection to the
# backend: traffic is encrypted, but the server's identity is never checked.
# NOTE(review): use `verify required` with a `ca-file` (and `verifyhost`) once
# the backend certificate chain is known, and consider setting `sni` if the
# backend serves several names on port 443.
server Myserver myserver.com:443 ssl verify none

Please have a look at the code and let us know if any changes are required.

Thank you,