Hello,
I’m facing a strange thing. I’ve been using HAProxy for several years and this is the first time I’ve seen this. HAProxy 172.25.0.3 and IzPBX 172.25.0.2 are containers. When I connect to IzPBX without being logged in, there is no problem. But when I open a logged-in session, HAProxy returns a 502.
The strange thing is that when I hit izpbx from an external machine, I see a 200 response in tcpdump from the HAProxy container.

```
global
    log 127.0.0.1:514 local0 info
    maxconn 2000
    daemon
    stats socket /var/lib/haproxy/haproxy.sock mode 660 level admin expose-fd listeners user haproxy group haproxy
    tune.ssl.default-dh-param 2048

defaults
    mode http
    log global
    log-format "%ci - - %{+Q}[capture.req.hdr(2)] %{+Q}r %ST %B %{+Q}[capture.req.hdr(0)] %{+Q}[capture.req.hdr(1)]"
    retries 3
    timeout http-request 5s
    timeout connect 5s
    timeout server 30s
    timeout client 30s
    timeout queue 1m
    timeout http-keep-alive 10s
    timeout check 10s

frontend http
    bind :::80
    redirect scheme https code 301 if !{ ssl_fc }

frontend https
    bind :::443 v4v6 ssl crt-list /etc/ssl/crt-list alpn h2,http/1.1
    capture request header Referer len 128
    capture request header User-Agent len 128
    capture request header Host len 64
    http-request set-header X-Forwarded-For %[src]
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-HTTPS on
    http-request set-header X-Forwarded-Host %[hdr(host)]
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request set-header X-Forwarded-dst-ip %[dst]
    ########## izpbx ##########
    acl izpbx hdr(host) izpbx
    use_backend izpbx if izpbx admin
    default_backend no-match

resolvers dockerdns
    nameserver dns 127.0.0.11:53

backend izpbx
    server izpbx izpbx:80 check init-addr last,libc,none resolvers dockerdns

backend no-match
    tcp-request content reject
```

```
0000071b:https.accept(0007)=0010 from [::ffff:172.20.10.6:2514] ALPN=h2
0000071b:https.clireq[0010:ffffffff]: GET https://izpbx/ucp/ HTTP/2.0
0000071b:https.clihdr[0010:ffffffff]: host: izpbx
0000071b:https.clihdr[0010:ffffffff]: cache-control: max-age=0
0000071b:https.clihdr[0010:ffffffff]: sec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104"
0000071b:https.clihdr[0010:ffffffff]: sec-ch-ua-mobile: ?0
0000071b:https.clihdr[0010:ffffffff]: sec-ch-ua-platform: "Windows"
0000071b:https.clihdr[0010:ffffffff]: upgrade-insecure-requests: 1
0000071b:https.clihdr[0010:ffffffff]: user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
0000071b:https.clihdr[0010:ffffffff]: accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
0000071b:https.clihdr[0010:ffffffff]: sec-fetch-site: same-origin
0000071b:https.clihdr[0010:ffffffff]: sec-fetch-mode: navigate
0000071b:https.clihdr[0010:ffffffff]: sec-fetch-user: ?1
0000071b:https.clihdr[0010:ffffffff]: sec-fetch-dest: document
0000071b:https.clihdr[0010:ffffffff]: referer: https://izpbx/ucp/
0000071b:https.clihdr[0010:ffffffff]: accept-encoding: gzip, deflate, br
0000071b:https.clihdr[0010:ffffffff]: accept-language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
0000071b:https.clihdr[0010:ffffffff]: cookie: lang=en_US; PHPSESSID=penulrv8e1s8bnceeha0rvuqj3
0000071b:izpbx.srvcls[0010:0011]
0000071b:izpbx.clicls[0010:0011]
0000071b:izpbx.closed[0010:0011]
```

```
tcpdump -i eth0 -n -vv -A port 80 and src 172.25.0.2
21:47:55.575295 IP (tos 0x0, ttl 64, id 48467, offset 0, flags [DF], proto TCP (6), length 6309)
    172.25.0.2.80 > 172.25.0.3.56338: Flags [P.], cksum 0x70cf (incorrect -> 0xce6c), seq 1:6258, ack 945, win 502, options [nop,nop,TS val 1966938105 ecr 2560510154], length 6257: HTTP, length: 6257
HTTP/1.1 200 OK
Date: Sun, 07 Aug 2022 21:47:55 GMT
Server: Apache/2.4.37 (rocky) OpenSSL/1.1.1k PHP/7.4.19
X-Powered-By: PHP/7.4.19
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: PHPSESSID=penulrv8e1s8bnceeha0rvuqj3; path=/
Set-Cookie: lang=en_US
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
21:47:55.575361 IP (tos 0x0, ttl 64, id 48472, offset 0, flags [DF], proto TCP (6), length 7292)
    172.25.0.2.80 > 172.25.0.3.56338: Flags [P.], cksum 0x74a6 (incorrect -> 0xe735), seq 6258:13498, ack 945, win 502, options [nop,nop,TS val 1966938105 ecr 2560510580], length 7240: HTTP
E..|.X@.@............P....Q.`sK.....t......
u=....Jt6b9c
<!DOCTYPE html>
<html>
Good version HTML
```
Does anyone have an idea of what’s going on, and why login causes a 502 in HAProxy?
Thank you
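
A way to triage a debug trace like the one in the post, added here as an example and not part of the original post: it groups HAProxy debug lines by stream id and reports streams that carried a client request and were closed without any `srvrep` line, which is the pattern stream 0000071b shows. The sample trace and the name `find_unanswered` are constructed for illustration, and cookie values are never copied into the report.

```python
import re
from collections import OrderedDict

# Constructed sample in the format of the debug trace shown in the post.
SAMPLE = """\
0000071a:https.clireq[0010:ffffffff]: GET https://izpbx/ HTTP/2.0
0000071a:https.clihdr[0010:ffffffff]: host: izpbx
0000071a:izpbx.srvrep[0010:0011]: HTTP/1.1 200 OK
0000071a:izpbx.srvhdr[0010:0011]: content-type: text/html
0000071a:izpbx.srvcls[0010:0011]
0000071a:izpbx.closed[0010:0011]
0000071b:https.accept(0007)=0010 from [::ffff:192.0.2.10:2514] ALPN=h2
0000071b:https.clireq[0010:ffffffff]: GET https://izpbx/ucp/ HTTP/2.0
0000071b:https.clihdr[0010:ffffffff]: cookie: lang=en_US; PHPSESSID=constructedvalue
0000071b:izpbx.srvcls[0010:0011]
0000071b:izpbx.clicls[0010:0011]
0000071b:izpbx.closed[0010:0011]
"""

# <stream id>:<proxy>.<event>[fd:fd]: <text>  (fd pair and text are optional)
LINE = re.compile(r"^([0-9a-f]{8}):([\w-]+)\.(\w+)(?:\[[0-9a-f:]+\])?(?::\s*(.*))?")

def find_unanswered(trace):
    """Return streams that carried a client request and closed with no srvrep."""
    streams = OrderedDict()
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a debug trace line (e.g. tcpdump output mixed in)
        sid, _proxy, event, text = m.groups()
        st = streams.setdefault(sid, {"request": None, "events": [], "cookie": False})
        st["events"].append(event)
        if event == "clireq":
            st["request"] = text
        elif event == "clihdr" and (text or "").lower().startswith("cookie:"):
            st["cookie"] = True  # record presence only, never the cookie value
    return [
        {"stream": sid, "request": st["request"], "cookie_sent": st["cookie"]}
        for sid, st in streams.items()
        if st["request"] and "closed" in st["events"] and "srvrep" not in st["events"]
    ]

if __name__ == "__main__":
    for hit in find_unanswered(SAMPLE):
        print(hit)
```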